Hi, When "Require ssl" directive is used on a resource and resource is accessed using HTTP/2 protocol over SSL channel, the client is denied the access. When "SSLRequireSSL" directive is used in such configuration instead "Require ssl", the client can access the resource. "Require ssl" should not restrict the access to the resource when HTTP/2 over SSL is used. For example configuration with mod_ssl and mod_http2: Protocols h2 <Directory /var/www/html/require> require ssl </Directory> <Directory /var/www/html/sslrequire> sslrequiressl </Directory> When client opens https://server.example.org/require/index.html ==> /var/log/httpd/ssl_error_log <== [Fri Aug 24 19:25:22.500207 2018] [authz_core:error] [pid 632:tid 139848444245760] [client 127.0.0.1:42042] AH01630: client denied by server configuration: /var/www/html/require/index.html ==> /var/log/httpd/ssl_access_log <== 127.0.0.1 - - [24/Aug/2018:19:25:22 +0000] "GET /require/index.html HTTP/2.0" 403 227 ==> /var/log/httpd/ssl_request_log <== [24/Aug/2018:19:25:22 +0000] 127.0.0.1 TLSv1.3 TLS_AES_256_GCM_SHA384 "GET /require/index.html HTTP/2.0" 227 When client opens https://server.example.org/require/index.html ==> /var/log/httpd/ssl_access_log <== 127.0.0.1 - - [24/Aug/2018:19:26:53 +0000] "GET /sslrequire/index.html HTTP/2.0" 200 7 ==> /var/log/httpd/ssl_request_log <== [24/Aug/2018:19:26:53 +0000] 127.0.0.1 TLSv1.3 TLS_AES_256_GCM_SHA384 "GET /sslrequire/index.html HTTP/2.0" 7
Found the time to check this. You are correct. mod_ssl did, in this case, not check correctly on HTTP/2 connections. I fixes this in r1846111 and will propose this for backport to 2.4.x.
Backported to v2.4.38.