WebPageTest Error With HTTPS / HTTP2 Enabled Site

Symptoms

One situation I ran into when I migrated 1keydata.com to HTTPS with HTTP2 enabled was an issue with the page load speed testing tools WebPageTest and GTMetrix. On both tools, https://www.1keydata.com/ failed to load, yet when I visited the site using a browser, the website loaded fine. This was the first time I had seen a difference in behavior between these types of testing tools and a browser. Given the highly unusual nature of this difference, I decided to look into the issue further. Below is what the test result page on WebPageTest looked like:

[Screenshot: WebPageTest error result page]

On the other hand, when I switched the user agent on WebPageTest to IE, the test loaded the page fine. Also, it’s worth noting that the site itself renders fine in a browser. The only thing that appeared strange was that sometimes, at the beginning of a page load in Chrome, I would briefly see an error screen before the actual page loaded. In all cases, though, the web page proceeded to load correctly, so initially I didn’t think much of it. During the course of my investigation, however, I decided to look into this, as it might be related to the issue I was seeing. Using screen video capture software, I was able to capture what that temporary page looks like:

[Screenshot: ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY error page]

The error message that showed up was ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY.

Synopsis

It turned out that the issue was with the SSL Cipher Suite that was set up on the server. Below is part of the screenshot from the SSLTest result for https://www.1keydata.com/:

Notice the “Server negotiated HTTP/2 with blacklisted suite” message. The specific SSL Cipher Suite that was causing the issue was also listed: “TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA.”

Resolution

What’s happening here is that Chrome (and Firefox) ends up negotiating a blacklisted SSL Cipher Suite when it connects via HTTP2. This only happens if HTTP2 is configured for the website. The resolution is to set up the Apache server so that an acceptable SSL Cipher Suite that is not on the blacklist is offered to Chrome/Firefox *before* the blacklisted SSL Cipher Suite. As it turned out, the order in which you list the SSLCipherSuite items is important.

The fix for Apache 2.4.18 on Ubuntu 14.06 LTS is as follows:

Open your site configuration file

vi /etc/apache2/sites-available/example.com.conf

and insert “ECDHE-RSA-AES128-GCM-SHA256:” right in front of your SSLCipherSuite directive:

SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:[rest of your SSLCipherSuite list]

After this, restart your Apache server:

service apache2 restart

And now everything should be okay. Tests run on both WebPageTest and GTMetrix should complete without any problems, and the temporary page with the ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY error message should no longer appear.
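To check an SSLCipherSuite value for this problem before restarting Apache, here is a small added checker (my own example, not part of the original post or of Apache) that walks the list in server-preference order and flags suites on the HTTP/2 cipher suite black list (RFC 7540 section 9.2.2 and Appendix A: no ephemeral key exchange, or a non-AEAD bulk cipher such as AES-CBC). It assumes the server honours its own order (Apache's SSLHonorCipherOrder on); the sample BROKEN and FIXED lists are constructed to mirror the post, and OpenSSL keyword groups such as HIGH are skipped rather than expanded.

```python
"""Flag HTTP/2-blacklisted suites in an OpenSSL-style cipher list
(the format of Apache's SSLCipherSuite).  Checks follow RFC 7540
section 9.2.2 / Appendix A.  Added example; not the post's own code."""
import re
from typing import List, Tuple

# AEAD bulk ciphers are recognisable from the OpenSSL suite name.
AEAD_RE = re.compile(r"GCM|CCM|CHACHA20")
# Ephemeral key exchange: ECDHE/DHE (OpenSSL also spells old DHE as EDH).
EPHEMERAL_RE = re.compile(r"^(ECDHE|DHE|EDH)-")


def is_h2_blacklisted(suite: str) -> bool:
    """True if negotiating this suite under h2 would make Chrome/Firefox
    fail with ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY."""
    if not EPHEMERAL_RE.match(suite):
        return True          # static RSA/DH key exchange: not ephemeral
    if not AEAD_RE.search(suite):
        return True          # CBC (or stream) cipher: not AEAD
    return False


def parse_cipher_list(value: str) -> List[str]:
    """Split an SSLCipherSuite value into explicit suite names.
    Control tokens (!RC4, @STRENGTH, ...) and keyword groups (HIGH,
    EECDH+AESGCM) are skipped: expanding them needs `openssl ciphers -v`."""
    suites = []
    for tok in value.split(":"):
        tok = tok.strip()
        if not tok or tok.startswith(("!", "-", "+", "@")):
            continue
        if "-" not in tok:   # explicit suite names always contain '-'
            continue
        suites.append(tok)
    return suites


def first_suite_ok(value: str) -> Tuple[str, bool]:
    """Return (first explicit suite, HTTP/2-safe?).  With
    SSLHonorCipherOrder on, a client that supports every listed suite
    will end up on the first one, so that is the suite that matters."""
    suites = parse_cipher_list(value)
    if not suites:
        return ("", False)
    return (suites[0], not is_h2_blacklisted(suites[0]))


# Constructed samples: ECDHE-RSA-AES256-SHA is the OpenSSL name of the
# TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA suite the post identifies.
BROKEN = "ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256"
FIXED = "ECDHE-RSA-AES128-GCM-SHA256:" + BROKEN
```

Running first_suite_ok(BROKEN) reports the CBC suite as unsafe, while first_suite_ok(FIXED) reports the prepended GCM suite as safe, which is exactly the reordering the fix above performs.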

Reference: http://sparanoid.com/note/http2-and-ecdsa-cipher-suites/