- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Wed, 17 Sep 2014 19:14:24 -0700
- To: Greg Wilkins <gregw@intalio.com>
- Cc: Brian Smith <brian@briansmith.org>, Ilari Liusvaara <ilari.liusvaara@elisanet.fi>, HTTP Working Group <ietf-http-wg@w3.org>
On 17 September 2014 17:09, Greg Wilkins <gregw@intalio.com> wrote: > Consider clients and servers written in java, so they inherit their ciphers > from the JVM. At some stage in the future a GCM is replaced by XYZ and added > to the JVM, so it is part of the acceptable TLS ciphers, but the h2 clients > and servers implementations have adopted your advice to "By default, assume > that a cipher suite is not acceptable". So everybody is assuming that XYZ > is not h2 acceptable. You can't suddenly pull a cipher suite that people rely on. We rely on GCM. We require that implementations support it. Yes, there will be implementations that pick up XYZ, but also don't know that it's OK. That's expected behaviour sadly. Not all implementations will be able to examine the properties of the available cipher suites and use properties to determine if they are OK to use. > This is not a theoretical problem. I disagree, it's a hypothetical problem. > It is a real problem that I have > experienced as FF rolled out their AEAD restriction as rqeuired by 9.2.2 > before jetty had implemented the same restriction and while AEAD is not > available on java-7. I could implement the AEAD restriction in jetty now to > get connectivity with FF, but would lose connectivity with h2 clients > running java-7. I'm not sure that this is quite right. Unless the Java 7 code is singificantly different to the Java 8 code, you should have been able to influence suite selection so that a good suite (i.e., an acceptable one) was chosen.
Received on Thursday, 18 September 2014 02:14:57 UTC