
Re: 9.2.2 Cipher fallback and FF<->Jetty interop problem

From: Cory Benfield <cory@lukasa.co.uk>
Date: Wed, 17 Sep 2014 09:10:28 +0100
Message-ID: <CAH_hAJGY-_QGV4XbJ=Js-rWCc1RFnh2PMi6wpn4YXXCDA-YNfg@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Cc: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>, Greg Wilkins <gregw@intalio.com>, HTTP Working Group <ietf-http-wg@w3.org>
On 17 September 2014 08:52, Brian Smith <brian@briansmith.org> wrote:
> And, if you simply have your server enable the TLS_ECDHE_*_AES_*_GCM_*
> cipher suites (using the NIST P-256 curve), and prefer them ahead of
> all others, for both HTTP/1 and HTTP/2, you can entirely avoid doing
> even the stuff I mentioned above.

I think this is really the simplest approach. Prioritise ciphers that
are acceptable for use with h2 and have your server ignore the
client's priorities in favour of its own. If the client offers *any*
h2 ciphers you'll use them, otherwise you can assume that the client
can't do h2 (or at least can't according to the spec). In the HTTP/1.1
case all you've done is use strong ciphers for every connection that
supports them: I'm sure you'll get over it!
Received on Wednesday, 17 September 2014 08:10:57 UTC
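A worked example of the policy described in the message above, added here as illustration rather than code from the thread, from Jetty or from Firefox: a pure selection function models server-preference cipher choice and the resulting h2/HTTP1.1 decision, and an `ssl.SSLContext` applies the same policy for real. The cipher list is a constructed example ordering, and the h2-acceptability check assumes the message's ECDHE plus AES-GCM rule.

```python
import ssl

# Server preference: h2-acceptable ECDHE + AES-GCM suites first, weaker suites
# kept only so HTTP/1.1-only clients can still connect (constructed example list).
SERVER_PREFERENCE = [
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-SHA256",  # CBC: acceptable for HTTP/1.1, not for h2
    "AES128-GCM-SHA256",        # RSA key exchange, no forward secrecy: not for h2
]


def is_h2_acceptable(cipher: str) -> bool:
    """Ephemeral ECDHE key exchange with an AES-GCM AEAD (assumed rule)."""
    return cipher.startswith("ECDHE-") and "-GCM-" in cipher and "AES" in cipher


def choose_cipher(client_offered):
    """Server-preference selection: first suite in OUR order that the client offers."""
    offered = set(client_offered)
    for cipher in SERVER_PREFERENCE:
        if cipher in offered:
            return cipher
    return None  # no overlap: the handshake would fail


def select_protocol(client_offered, client_alpn):
    """Return (cipher, alpn): h2 only when the chosen suite is h2-acceptable."""
    cipher = choose_cipher(client_offered)
    if cipher is None:
        return None, None
    if "h2" in client_alpn and is_h2_acceptable(cipher):
        return cipher, "h2"
    return cipher, "http/1.1"  # client offered no h2 suite: assume it can't do h2


def build_server_context() -> ssl.SSLContext:
    """Real SSLContext applying the same policy: our order wins, h2 suites first."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE  # ignore the client's ordering
    ctx.set_ciphers(":".join(SERVER_PREFERENCE))
    ctx.set_alpn_protocols(["h2", "http/1.1"])
    return ctx
```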
