421 Misdirected Request using HTTP/2 and SAN SSL

ssl amazon-web-services apache-2.4 https ubuntu-14.04
5,529

Solution 1

This was a real issue for me. But I found the answer here.

Multiple Hosts and Misdirected Requests

Many sites use the same TLS certificate for multiple virtual hosts. The certificate either has a wildcard name, such as '*.example.org' or carries several alternate names. Browsers using HTTP/2 will recognize that and reuse an already opened connection for such hosts.

While this is great for performance, it comes at a price: such vhosts need more care in their configuration. The problem is that you will have multiple requests for multiple hosts on the same TLS connection. And that makes renegotiation impossible, in face the HTTP/2 standard forbids it.

So, if you have several virtual hosts using the same certificate and want to use HTTP/2 for them, you need to make sure that all vhosts have exactly the same SSL configuration. You need the same protocol, ciphers and settings for client verification.

If you mix things, Apache httpd will detect it and return a special response code, 421 Misdirected Request, to the client.

I have 3 VirtualHosts sharing the same certificate. Both of them are configured using my "default" SSL setup. The last one had special configuration since I did not need the last one to be compatible with a lot of browsers so I used more modern ciphers and only the latest SSL Protocol. That particular "special" VirtualHost was getting the 421.

If I disable Protocol h2 http/1.1 that would fix the problem but I did not want to disable that.

After using the same configuration on all VirtualHost sharing the same certificate, the problem was fixed.

Solution 2

I encountered this problem today and was a bit puzzled at first, because I didnt use any different ciphers etc. so I could not understand what the "if you mix things" note from the answer above was really all about. Well, it turned out, that it isnt sufficient if SSLCertificateFile and SSLCertificateKeyFile has the same content and if the files are even identical copies from each other. Those configuration settings have to point to the very same file! I suspect this is, because it isnt the browser who actually sees a problem (as I initially thought to be the case) but rather Apache is already detecting that the configuration isnt the same and blocks any HTTP2 requests pre-emptively because it expects the browser's gonna have a problem if it really delivered the page (which probably might very well happen indeed). Apache is also writing a corresponding error to its log file ("Hostname www.example.com provided via SNI and hostname www2.example.com provided via HTTP have no compatible SSL setup"). This setup compatibility test seems to be rather simple and doesnt care about the fact that the certificate is in fact the same. It probably only notices the different filenames/paths and then balks.

Share:
5,529

Related videos on Youtube

jarvis
Author by

jarvis

Updated on September 18, 2022

Comments

  • jarvis
    jarvis over 1 year

    I'm running Apache 2.4.20 on Ubuntu and I have SSL configured. I have a SAN SSL Certificate and www.example.com and www2.example.com are sharing the same certificate.

    I'm getting a 421 Misdirected Request error when I include the following:

    Protocols h2 h2c http/1.1
H2Upgrade on
H2Direct
H2WindowSize 128000

    Websites run normally if I remove them.

    I'm getting the error if ON THE SAME BROWSER, www.example.com and www2.example.com are opened. If I go to www.example.com first then it will load properly. I get the error when I load a second site from that SAN SSL Certificate, like www2.example.com. It does not matter what site I go to first. It always responds with the 421 Misdirected Request on the second site.

    What is wrong with my use of the HTTP/2 directives? (They are in the VirtualHost by the way)

    Or is there an issue with HTTP/2 and SAN SSL implementations?

    And if it matters, both www.example.com and www2.example.com are on the same server hosted in AWS.

    Thanks.

    EDIT:

    I also tried the settings below with the same results.

    Protocols h2 http/1.1
H2Direct
H2WindowSize 128000

    In the SSL Config

    <IfModule mod_ssl.c>

    SSLRandomSeed startup builtin
    SSLRandomSeed startup file:/dev/urandom 512
    SSLRandomSeed connect builtin
    SSLRandomSeed connect file:/dev/urandom 512

    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl

    SSLPassPhraseDialog  exec:/usr/share/apache2/ask-for-passphrase

    SSLSessionCache     shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
    SSLSessionCacheTimeout  300

    SSLOpenSSLConfCmd DHParameters "/path/dhparams.pem"

    SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

    SSLHonorCipherOrder on

    SSLCompression Off
    SSLSessionTickets Off

    SSLUseStapling On
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_stapling(32768)

    SSLProtocol all -SSLv3

    SSLInsecureRenegotiation Off
    SSLStrictSNIVHostCheck Off

</IfModule>

    In the VirtualHost

    <IfModule mod_ssl.c>
  <VirtualHost *:443>
    ServerAdmin [email protected]
    ServerName www.example.com
    DocumentRoot /path/path

    Protocols h2 http/1.1
    H2Direct on
    H2WindowSize 128000

    SSLEngine on
    SSLCACertificateFile /path/cert.crt
    SSLCertificateFile /path/cert.crt
    SSLCertificateKeyFile /path/key.key

    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"

    <Directory /path/path>
        AllowOverride None
        Require all granted
    </Directory>

 </VirtualHost>
</IfModule>
    • serverliving.com
      serverliving.com about 8 years
      Can you show us the SSL configuration part here?. You can also refer to this Doc. for SSL setup with HTTP/2 -> http2.github.io/http2-spec/#MisdirectedRequest
    • jarvis
      jarvis about 8 years
      @serverliving.com Edited the post and included the SSL config and the VirtualHost config.
    • Admin
      Admin about 8 years
      Please try without H2Direct and H2WindowSize.
    • serverliving.com
      serverliving.com about 8 years
      Also try adding www2.example.com as a ServerAlias
    • jarvis
      jarvis about 8 years
      @serverliving.com I can't add www2 as a ServerAlias since they have different DocumentRoots. Serving different sites here.
    • serverliving.com
      serverliving.com about 8 years
      Alright, You have to just make sure that your SSL configurations are same for both the virtual hosts using same SSL certificates. as per this Doc. httpd.apache.org/docs/2.4/mod/mod_http2.html#h2direct
    • jarvis
      jarvis about 8 years
      @Jason Problem solved with your suggestion. I only now have Protocols h2 http/1.1. Good to know what's with the other directives that caused the issue.
    • jarvis
      jarvis about 8 years
      @serverliving.com You gave me the link I needed but I didn't immediately see it... I had to dig for it. But you were right. I had different SSL configurations thus it resulted to 421. Thank you.
    • serverliving.com
      serverliving.com about 8 years
      @jarvis, Glad that it worked for you. :)
  • rsc
    rsc almost 3 years
    Yes, having exactly the same filename is very important.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

forwarding HTTPS from Godaddy to AWS
Cannot set up https on microsoft azure VM
Address already in use, could not bind to address [::]:443
ServerAlias without www not working on SSL virtualhost
Disable/remove Let's Encrypt?
Apache TLS (SSL) Performance
How to configure SSL through GoDaddy using AWS Certificate Manager?
421 Misdirected Request
How to troubleshoot "Secure Connection Failed" in Firefox appearing since the version 38?
502 proxy Error [error reading from remote server]