I've been testing HTTP2 on Elwing which was recently upgraded to Debian Stretch.
Interesting reading: https://bagder.gitbooks.io/http2-explained/content/en/
Howto I followed: https://icing.github.io/mod_h2/howto.html
So the interesting thing is that the TLS ciphers are restricted, and if the server even proposes one in the blacklist the connection will fail. So having strong ciphers is not enough, you must not have inappropriate ciphers. This said, our current list of ciphers is not deemed acceptable, so I resorted to this one:
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
I think one of the major problems is that the PSK variants were not explicitly removed. I also removed old protocols as recommended:
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
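To check a cipher list against the HTTP/2 rule before reloading Apache, here is a small added script (not part of the original post or of mod_h2). It lets OpenSSL expand an SSLCipherSuite-style string, aliases and exclusions included, then applies the RFC 7540 Appendix A criterion to each suite: ephemeral key exchange (DHE/ECDHE) and an AEAD cipher, or the suite is blacklisted. The "kx-*" labels and the "aead" flag are what Python's ssl module reports from OpenSSL; the sample strings are constructed for the demonstration.

```python
import ssl

# Key-exchange labels reported by SSLContext.get_ciphers() (OpenSSL "kx-*"
# names) that provide forward secrecy; RSA, static DH and plain PSK do not.
EPHEMERAL_KX = {"kx-ecdhe", "kx-dhe", "kx-ecdhe-psk", "kx-dhe-psk"}


def allowed_for_h2(cipher: dict) -> bool:
    """RFC 7540 Appendix A criterion for one get_ciphers() entry:
    a TLS 1.2 suite is blacklisted unless it uses ephemeral key exchange
    AND an AEAD cipher (GCM, CCM, ChaCha20-Poly1305). TLS 1.3 suites all qualify."""
    if cipher.get("protocol") == "TLSv1.3":
        return True
    return bool(cipher.get("aead")) and cipher.get("kea") in EPHEMERAL_KX


def expand(cipher_string: str) -> list:
    """Resolve an SSLCipherSuite-style string (aliases such as kEDH+AESGCM and
    exclusions such as !PSK included) into the concrete suites OpenSSL would offer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def h2_offenders(cipher_string: str) -> list:
    """Names of offered suites that fall in the HTTP/2 cipher suite blacklist."""
    return [c["name"] for c in expand(cipher_string) if not allowed_for_h2(c)]


if __name__ == "__main__":
    # Constructed samples: a loose list beside a forward-secret, AEAD-only one.
    samples = {
        "loose": "HIGH:!aNULL:!MD5",
        "aead-only": ("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
                      "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
                      "DHE-RSA-AES128-GCM-SHA256:!aNULL:!eNULL:!PSK"),
    }
    for label, cipher_string in samples.items():
        bad = h2_offenders(cipher_string)
        print(f"{label}: {len(bad)} blacklisted suite(s) offered, e.g. {bad[:4]}")
```

Run against the full list above it will also flag the CBC suites (ECDHE-RSA-AES128-SHA256 and friends), which RFC 7540 lists as blacklisted; clients only reject the connection when such a suite is actually negotiated, so keep SSLHonorCipherOrder on with the GCM suites first, or drop the CBC entries.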
I decided not to activate h2c because we want to push for HTTPS, and it seems several browser vendors decided not to implement support for it anyway.
Elwing has HTTP2 activated server-wide with this simple line:
Protocols h2 http/1.1
At the moment all vhosts seem to work fine.
The http2-status handler, which should give more HTTP2-specific status, does not work (it returns a 404) while it is supposed to be in 2.4.19 (but loading and logs do not give any error).