Wednesday, July 22, 2015

H2O version 1.4.0 released with outstanding support for forward secrecy and load balancing (and the experimental mruby handler)

Today I am happy to announce the release of the H2O HTTP/2 server version 1.4.0.

There have been a few changes and bug fixes from version 1.3.1 (that showed big performance improvements over the older generations of HTTP servers without support for request prioritization), but the most prominent ones are the following.

Support for the PROXY protocol

The PROXY protocol is a de-facto standard used by L4 load balancers (such as AWS Elastic Load Balancing) to convey to the web servers running behind them the IP addresses of the clients. Support for the protocol is essential for running a web server behind such a load balancer; without it, the server cannot log the address of the client or defend against attacks.

In version 1.4.0, we have added support for the protocol which makes H2O a good choice for large scale and/or highly-available web sites running multiple HTTP servers behind a load balancer.
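To make concrete what a load balancer prepends to the TCP stream and what the receiving server has to validate, here is an added example in Ruby. It is not code from H2O; it parses the text form (version 1) of the PROXY protocol header, rejects malformed lines, and honours the header only when the TCP peer is a trusted load balancer, since otherwise any client could present its own source address. The `ProxyInfo` struct, the `TRUSTED_LB_NETS` range and all sample header lines are constructed for the example.

```ruby
require "ipaddr"

# Constructed result type for one parsed PROXY v1 line (not an H2O type).
ProxyInfo = Struct.new(:family, :src_addr, :src_port, :dst_addr, :dst_port)

# Longest valid v1 line including the trailing CRLF, per the protocol spec.
MAX_V1_LINE = 107

class ProxyHeaderError < StandardError; end

# Parse the PROXY v1 line at the start of +data+.
# Returns [info, remaining_bytes]; info is nil for "PROXY UNKNOWN", in which
# case the server should treat the TCP peer address as the client address.
def parse_proxy_v1(data)
  idx = data.index("\r\n")
  raise ProxyHeaderError, "no CRLF within #{MAX_V1_LINE} bytes" if idx.nil? || idx + 2 > MAX_V1_LINE

  line = data[0, idx]
  rest = data[(idx + 2)..-1]
  fields = line.split(/ /, -1)          # exactly one space between fields
  raise ProxyHeaderError, "bad signature" unless fields[0] == "PROXY"
  return [nil, rest] if fields[1] == "UNKNOWN"
  raise ProxyHeaderError, "wrong field count" unless fields.size == 6

  family = fields[1]
  raise ProxyHeaderError, "bad family" unless %w[TCP4 TCP6].include?(family)

  src = parse_addr(fields[2], family)
  dst = parse_addr(fields[3], family)
  [ProxyInfo.new(family, src, parse_port(fields[4]), dst, parse_port(fields[5])), rest]
end

# Validate an address and check that it matches the announced family.
def parse_addr(str, family)
  ip = IPAddr.new(str)
  ok = family == "TCP4" ? ip.ipv4? : ip.ipv6?
  raise ProxyHeaderError, "address family mismatch" unless ok
  ip.to_s
rescue IPAddr::InvalidAddressError
  raise ProxyHeaderError, "bad address #{str.inspect}"
end

def parse_port(str)
  raise ProxyHeaderError, "bad port #{str.inspect}" unless str =~ /\A\d{1,5}\z/
  port = str.to_i
  raise ProxyHeaderError, "port out of range" unless port.between?(0, 65_535)
  port
end

# Constructed example: the address range the load balancers connect from.
TRUSTED_LB_NETS = [IPAddr.new("10.0.0.0/8")].freeze

# Decide which address to log and rate-limit. The PROXY header is believed
# only when the TCP peer is a trusted load balancer; from any other peer the
# bytes are left untouched and the peer address itself is used.
def client_address(peer_addr, data)
  trusted = TRUSTED_LB_NETS.any? { |net| net.include?(IPAddr.new(peer_addr)) }
  return [peer_addr, data] unless trusted

  info, rest = parse_proxy_v1(data)
  [info ? info.src_addr : peer_addr, rest]
end
```

A server that terminates TLS after the PROXY line must read and consume the header before handing the socket to the TLS layer; the `rest` value returned above is what the next layer sees.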

Support for cache-based and ticket-based TLS session resumption using Memcached (and forward secrecy)

The PROXY protocol is not the only thing that now makes H2O a good choice for such websites.

When running an HTTPS server cluster behind an L4 load balancer, it is desirable that the server supports session resumption using a shared datastore such as memcached.

TLS Session Resumption: Full-speed and Secure is a good read for those who are interested in what session resumption is; in short, it reduces the time spent for establishing a TLS connection to about half, and also reduces the CPU time to below 10%!

However, until now, front-end HTTP servers have not been good at supporting session resumption using a shared datastore.

Of the two resumption methods, Nginx does not support the more widely deployed cache-based session resumption using a shared datastore.

It should also be noted that most web servers are not good at supporting ticket-based resumption either: they use 128-bit AES for protecting the master secrets stored in tickets (even when a stronger ciphersuite is used for the connection itself), and they do not automatically roll over the ticket-encryption secret (which defeats forward secrecy, since a secret that never changes can decrypt every ticket ever issued).

As pointed out by Tim Taubert, the sad state of server-side TLS session resumption implementations has been a headache for administrators trying to set up secure websites. Forward Secrecy at Twitter is an example that shows how difficult it is to configure a website that supports forward secrecy.

Being the primary developer of H2O, I believe that web servers should be easily configurable to be secure; so in version 1.4.0 we have implemented the following features:

  • cache-based session resumption using memcached
  • automatic rollover of the master secret used for ticket-based resumption
  • synchronization of the rolled-over master secrets across servers, using memcached
  • a directive to configure the cipher used for encrypting tickets (the default being aes-256-cbc)
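The following added example (written for this article, not H2O's implementation) shows why automatic rollover matters for forward secrecy. It keeps a small ring of ticket-protection keys: a new key is generated on each rotation and becomes the one used for sealing, older keys are kept only for a bounded lifetime so tickets issued under them can still be resumed, and once a key is discarded the tickets it protected can never be decrypted again. The ticket layout (key name, IV, AES-256-CBC ciphertext, HMAC-SHA256 tag) follows the RFC 5077 recommendation; the key lifetime, the injectable clock and the sample session state are assumptions of the example.

```ruby
require "openssl"
require "securerandom"

# One ticket-protection key. The 16-byte name travels in clear inside the
# ticket so the decrypting server can pick the right key; the AES and HMAC
# secrets are separate, as RFC 5077 recommends.
TicketKey = Struct.new(:name, :aes_key, :hmac_key, :created_at)

class TicketKeyRing
  attr_reader :keys

  # lifetime: seconds a key is kept after creation. clock is injectable so
  # the rotation behaviour can be exercised deterministically.
  def initialize(lifetime:, clock: -> { Time.now })
    @lifetime = lifetime
    @clock = clock
    @keys = []
    rotate!
  end

  def current
    @keys.first
  end

  # Generate a fresh key, make it the sealing key, and drop expired keys.
  def rotate!
    now = @clock.call
    @keys.unshift(TicketKey.new(SecureRandom.random_bytes(16),
                                SecureRandom.random_bytes(32),
                                SecureRandom.random_bytes(32), now))
    @keys.reject! { |k| now - k.created_at > @lifetime }
    current
  end

  # Seal session state under the current key: name || iv || ciphertext || mac.
  def seal(state)
    key = current
    cipher = OpenSSL::Cipher.new("aes-256-cbc").encrypt
    cipher.key = key.aes_key
    iv = cipher.random_iv
    body = key.name + iv + cipher.update(state) + cipher.final
    body + OpenSSL::HMAC.digest("SHA256", key.hmac_key, body)
  end

  # Returns [state, needs_new_ticket], or nil when the ticket is unusable
  # (unknown or expired key name, bad MAC, corrupt ciphertext); the server
  # then falls back to a full handshake. needs_new_ticket is true when the
  # ticket was sealed under a non-current key, so a fresh ticket is issued.
  def open(ticket)
    return nil if ticket.bytesize < 16 + 16 + 32
    key = @keys.find { |k| k.name == ticket.byteslice(0, 16) }
    return nil unless key

    body = ticket.byteslice(0, ticket.bytesize - 32)
    mac = ticket.byteslice(-32, 32)
    return nil unless constant_time_equal?(mac, OpenSSL::HMAC.digest("SHA256", key.hmac_key, body))

    cipher = OpenSSL::Cipher.new("aes-256-cbc").decrypt
    cipher.key = key.aes_key
    cipher.iv = body.byteslice(16, 16)
    state = cipher.update(body.byteslice(32, body.bytesize - 32)) + cipher.final
    [state, key != current]
  rescue OpenSSL::Cipher::CipherError
    nil
  end

  private

  # Compare MACs without leaking where they differ through timing.
  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

if __FILE__ == $0
  ring = TicketKeyRing.new(lifetime: 3600)
  ticket = ring.seal("constructed session state")
  ring.rotate!
  p ring.open(ticket)   # old ticket still resumes, but a new one is issued
end
```

In a cluster, every server must seal with the same current key and know the same set of older keys, which is what the memcached-based synchronization in the list above provides; the lifetime bounds how long a leaked key remains useful, which is the forward-secrecy property the article is after.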

Table 1. Supported Methods of Session Resumption

                                Resumption Method
  Server              Session Cache       Session Ticket
  Apache (prefork)    yes                 no forward-secrecy (AES-128)
  Apache (worker)     yes                 no forward-secrecy (AES-128)
  Apache (event)      not sharable        no forward-secrecy (AES-128)
  Nginx               not sharable        no forward-secrecy (AES-128)
  Varnish (hitch)     needs recompile     no
  H2O                 yes                 yes (AES-256)

And with H2O, they are easy to use! A simple configuration like the one below activates all of the features. The H2O server cluster will share both the session cache and the ticket-encryption secrets through memcached, with a strong cipher protecting master secrets that are rolled over automatically.

listen:
  port: 443
  ssl:
    key-file: /path/to/key-file
    certificate-file: /path/to/certificate-file
  proxy-protocol: ON
ssl-session-resumption:
  method: all
  memcached:
    host: address.of.memcached.server
    port: 11211

Please refer to the documentation for the details of the configuration directive.

Experimental mruby Handler

We are also proud to announce that we now have a scripting engine running within the H2O standalone server that can be used to customize the behavior, and that the programming language is Ruby.

Developed by Yukihiro "Matz" Matsumoto (the father of the Ruby programming language) and others, mruby is an implementation of the language for embedded use. Thanks to MATSUMOTO Ryosuke, the language runtime can now be used to script how HTTP requests are handled within H2O.

The handler is still in a very early stage and is considered unstable (therefore it is not turned on by default; you need to pass -DWITH_MRUBY=ON as an argument to CMake to build H2O with support for the mruby handler), but it is nevertheless already a great addition to the H2O HTTP server: such a scripting engine gives you great flexibility to customize the behavior of the server depending on fine details of an HTTP request, or to mitigate attacks.

Please refer to Ryosuke's weblog for more information (in Japanese). In addition to topics related to H2O, you can find excellent entries about how to use a scripting engine within web servers to defend against cyber attacks.

Conclusion

All in all, we are happy to provide the public with a new release of the H2O server that is secure, flexible and easy to use, once again raising the bar for what people should expect an HTTP server to provide.

I hope you enjoy using the new release of H2O.
