Http/2 is available, but not used. Please help!

When checking the cdn-cgi/trace, it states that protocol used is http=http/1.1
https://we-promote.it/cdn-cgi/trace

Although, with a server check using curl -v --http2 https://we-promote.it/, h2 is active with ALPN. What can be the problem?! Please help, i tried everything and still no results so far. :frowning:

  • ALPN, offering h2
  • ALPN, offering http/1.1
  • Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
  • successfully set certificate verify locations:
  • CAfile: /etc/ssl/certs/ca-certificates.crt
    CApath: none
  • TLSv1.2 (OUT), TLS header, Certificate Status (22):
  • TLSv1.2 (OUT), TLS handshake, Client hello (1):
  • TLSv1.2 (IN), TLS handshake, Server hello (2):
  • TLSv1.2 (IN), TLS handshake, Certificate (11):
  • TLSv1.2 (IN), TLS handshake, Server key exchange (12):
  • TLSv1.2 (IN), TLS handshake, Server finished (14):
  • TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
  • TLSv1.2 (OUT), TLS change cipher, Client hello (1):
  • TLSv1.2 (OUT), TLS handshake, Finished (20):
  • TLSv1.2 (IN), TLS change cipher, Client hello (1):
  • TLSv1.2 (IN), TLS handshake, Finished (20):
  • SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
  • ALPN, server accepted to use h2
  • Server certificate:
  •    subject: OU=Domain Control Validated; OU=PositiveSSL Multi-Domain; CN=sni95453.Cloudflaressl.com
    
  •    start date: Aug 10 00:00:00 2017 GMT
    
  •    expire date: Feb 16 23:59:59 2018 GMT
    
  •    subjectAltName: we-promote.it matched
    
  •    issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO ECC Domain Validation Secure Server CA 2
    
  •    SSL certificate verify ok.
    
  • Using HTTP2, server supports multi-use

As well, the HTTP/2 Test - Verify HTTP/2 Support | KeyCDN Tools says that HTTP/2.0 is supported.
Thank you for your time and help!

Cool URL!

It looks like HTTP/2 to me:

fl=12f204
h=we-promote.it
ip=2600:6c50:427f:f845:90b7:dc73:b1ff:d835
ts=1502370064.126
visit_scheme=https
uag=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/603.3.8 (KHTML, like Gecko) Version/10.1.2 Safari/603.3.8
colo=LAX
spdy=h2
http=h2
loc=US

1 Like

I just tried both Chrome Canary and Firefox Developer Edition and they both showing HTTP/1.1 and SPDY off. The website is also served through LAX when the closest data center to my place is SIN. Meanwhile cURL result shows that HTTP/2 is on.

uag=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3178.0 Safari/537.36
colo=LAX
spdy=off
http=http/1.1
loc=ID

uag=Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
colo=LAX
spdy=off
http=http/1.1
loc=ID

uag=curl/7.54.0
colo=LAX
spdy=h2
http=h2
loc=ID

Strange…

A user shouldn’t be able to turn SPDY off. While a free user shouldn’t be able to disable HTTP/2.

At this case, I can only advise you to contact Cloudflare Support.

You can reach them at https://support.cloudflare.com/requests/new

1 Like

Hmm, there may be an issue with the DE location. I didn’t check that.

fl=67f6
h=we-promote.it
ts=1502373075.555
visit_scheme=https
uag=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
colo=TXL
spdy=off
http=http/1.1
loc=DE

fl=20f70
h=we-promote.it
ts=1502373465.097
visit_scheme=https
uag=Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 OPR/45.0.2552.898
colo=AMS
spdy=h2
http=h2
loc=NL

Interesting. I will contact the support and verify this. Thank you very much for the help!

So, managed to get it fixed, thanks to support. So, if anyone is experiencing a similar problem, for me it was the antivirus to blame (totally surprising!). The Scan SSL module from Bitdefender was causing that and was downgrading the protocol, once turned off, h2 was active on that loc. First time i experience something like that, but disabling the Scan SSL module fixed it.

1 Like

Better not to disable the SCAN SSL, because everything is SSL these days and you remove an important protection. What you can do is add exceptions for the sites where you really need HTTP/2 support (your own to verify for example). You can add exceptions per IP address, per application, or per URL.

Hi

I was just checking this too. Turned off anti-virus web protection and you’re right - it changes from 1.1 to 2.

However - what does this actually mean? Does it mean that anyone with anti-virus will only ever get 1.1 version of HTTP i.e. no speed boost from the HTTP2 of the site?

Anyone with that particularly horrid AV implementation… apparently.

I don’t have any anti-virus on my main mac - only the laptop - but I get the same results - v1.1 on there. Seems odd. I got it to load v2 by using a private window. But that’s not how most people will be browsing.

Any ideas?