9.2.2 Cipher fallback and FF<->Jetty interop problem from Greg Wilkins on 2014-09-05 (ietf-http-wg@w3.org from July to September 2014)

From: Greg Wilkins <gregw@intalio.com>
Date: Fri, 5 Sep 2014 11:05:01 +1000
To: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CAH_y2NF+sP9BmYuD4QbeHpwC_uj67itzaAFCnRVC6f--KDYOgg@mail.gmail.com>

Section 9.2.2 puts some requirements on TLS ciphers and I'm just wondering
how the fallback is meant to work.

I'm testing a recent build of FF with latest jetty server.

The connection is negotiated as  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, which
would be acceptable if the protocol was https, but because it is h2,  FF
fails the connection due to lack of AEAD.     This results in a connection
failure on the client, when it would have worked fine if http/1.1 was
accepted as the protocol instead.

So I'm just trying to get my head around how the fallback is meant to
happen?

Is it that in the ALPN accept of the connection, the server needs to
evaluate the offered protocols against the available ciphers and ignore the
protocols that don't have acceptable ciphers?     So in this case, our ALPN
code should have known that accepting h2-14 was not going to succeed
because the cipher was not acceptable (or there is not acceptable cipher...
I can't recall if the cipher is determined at that stage or not)?
Alternately, are we meant to modify the TLS cipher negotiation to notice if
ALPN h2 is being offered and thus not select an unacceptable cipher?

If the server does select an unacceptable cipher,  should the client just
fail? or should it retry either without h2 offered  or without unacceptable
ciphers?   I think it is unacceptable that FF and Jetty were unable to
communicate in this situation even though they had acceptable ciphers and
protocols in common.   One or the other or both needs better fallback and I
don't think section 9.2.2 gives enough guidance as to how that should be
done.

Also I'm a little bit concerned that many implementations might not have
sufficient control over their TLS layers to fully implement some
combinations.

Finally, it would be really good to know why http2 puts restrictions on TLS
above and beyond https?   Can that be described somewhere and has that been
checked so that it is future proof?

cheers






















-- 
Greg Wilkins <gregw@intalio.com>
http://eclipse.org/jetty HTTP, SPDY, Websocket server and client that scales
http://www.webtide.com  advice and support for jetty and cometd.

Received on Friday, 5 September 2014 01:05:29 UTC