- From: Yoav Nir <ynir.ietf@gmail.com>
- Date: Thu, 6 Nov 2014 19:12:52 +0200
- To: "Roy T. Fielding" <fielding@gbiv.com>
- Cc: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Hi, Roy

> On Nov 6, 2014, at 2:37 AM, Roy T. Fielding <fielding@gbiv.com> wrote:
>
> More to the point, they do implement HTTP, and the chartered goal of
> this working group is to produce a protocol that they will be willing
> to adopt as a replacement for HTTP/1. If you want to change the name
> of the protocol to TLS+, feel free to do so and ignore the existing
> implementations.
>
> I know Apache httpd won't be implementing 9.2.2 because the HTTP-aware
> code doesn't even get involved in connection activity until after the
> first HTTP message is received. Furthermore, there is no way of
> knowing if an external device is securing the connection.
> When we do have an implementation of HTTP/2, it won't be limited to
> TLS for the same reason HTTP/1 isn't limited to TCP.

Does this mean that Apache won’t be enforcing the TLS requirements at all? IOW, if the configuration string for OpenSSL allows TLS_RSA_EXPORT_WITH_RC4_40_MD5 negotiated over SSLv3, httpd will be fine with this cipher and version?

I’m not criticizing, just asking.

Yoav

Received on Thursday, 6 November 2014 17:13:22 UTC