
Re: 9.2.2 Cipher fallback and FF<->Jetty interop problem

From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 24 Sep 2014 06:43:37 -0700
Message-ID: <CABcZeBP2SN_kUqQjqZS=bg6ab7SgjtLr-_8rHEXDkMDjwoGGTA@mail.gmail.com>
To: Michael Sweet <msweet@apple.com>
Cc: Martin Thomson <martin.thomson@gmail.com>, Simone Bordet <simone.bordet@gmail.com>, Roland Zink <roland@zinks.de>, HTTP Working Group <ietf-http-wg@w3.org>
On Wed, Sep 24, 2014 at 6:22 AM, Michael Sweet <msweet@apple.com> wrote:

> Martin,
>
> HTTP implementations that use the OS supplied TLS libraries don't have the
> same close integration that a browser using its own TLS library has. CUPS
> works with three different TLS libraries [1] (used to be four, but we
> dropped OpenSSL support) and all of them have vastly different interfaces
> and capabilities from the standpoint of cipher suite selection and
> classification. None of them directly allow selection based on the kind of
> classification that is specified in 9.2.2 and it isn't clear to me yet
> whether I can even specify the kind of priority ordering that is being
> touted as a solution for interop problems.
>

FWIW, you cannot provide a priority ordering for NSS.

-Ekr


> The reason is that these general purpose TLS libraries are themselves
> enforcing best practices and site policy with their defaults, and
> discourage developers from straying unless they are experts and know what
> they are doing. 9.2.2 is forcing HTTP developers to act as TLS experts...
>
> [1] For CUPS 2.0 we support GNU TLS, SecureTransport (OSX), and SSPI
> (Windows).
>
> Sent from my iPad
>
> > On Sep 24, 2014, at 2:14 AM, Martin Thomson <martin.thomson@gmail.com>
> wrote:
> >
> >> On 24 September 2014 02:08, Simone Bordet <simone.bordet@gmail.com>
> wrote:
> >> Old h2 clients that are dynamically linked to a new TLS implementation
> >> will have X but not know that is acceptable.
> >
> > Implementations shouldn't be enabling cipher suites that they don't
> understand.
> >
>
Received on Wednesday, 24 September 2014 13:44:46 UTC
