
Re: 9.2.2 Cipher fallback and FF<->Jetty interop problem

From: Stuart Douglas <stuart.w.douglas@gmail.com>
Date: Fri, 19 Sep 2014 16:31:51 +1000
Message-ID: <541BCDD7.1010100@gmail.com>
To: Willy Tarreau <w@1wt.eu>
CC: Cory Benfield <cory@lukasa.co.uk>, Greg Wilkins <gregw@intalio.com>, Martin Thomson <martin.thomson@gmail.com>, Brian Smith <brian@briansmith.org>, Ilari Liusvaara <ilari.liusvaara@elisanet.fi>, HTTP Working Group <ietf-http-wg@w3.org>

>
> Just like Roy, I won't implement any such control and will leave it to
> the admin to configure the proper ciphers for this, because this is the
> correct thing to do.

For what it is worth I also won't be implementing this in 
Undertow/Wildfly, and leaving it up to the admin to control the allowed 
cyphers. If this unfortunate clause does make it into the final spec 
then I may introduce some kind of strict option that makes a best effort 
guess as to what protocols should be allowed (which on Java 7 will be zero).

Another thing I really don't like about this section that Greg has 
already alluded to is that it assumes that 
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 will remain a strong and unbroken 
cypher for the life of the HTTP2 spec. If this spec has anywhere near 
the longevity of HTTP1 there is a non-zero chance this will not be true.

Stuart

>
> Willy
>
Received on Friday, 19 September 2014 06:32:24 UTC
