W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2015

Re: h2 ciphers

From: Ilari Liusvaara <ilariliusvaara@welho.com>
Date: Fri, 16 Oct 2015 16:02:42 +0300
To: Stefan Eissing <stefan.eissing@greenbytes.de>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20151016130242.GA20506@LK-Perkele-V2.elisa-laajakaista.fi>
On Fri, Oct 16, 2015 at 12:35:51PM +0200, Stefan Eissing wrote:
> In the documentation at https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility the "modern" compatibility specification includes the following ciphers:
> 
> ECDHE-RSA-AES128-SHA
> ECDHE-RSA-AES128-SHA256
> ECDHE-ECDSA-AES128-SHA
> ECDHE-ECDSA-AES128-SHA256
> 
> ECDHE-RSA-AES256-SHA
> ECDHE-RSA-AES256-SHA384
> ECDHE-ECDSA-AES256-SHA
> ECDHE-ECDSA-AES256-SHA384
> 
> DHE-RSA-AES128-SHA
> DHE-RSA-AES128-SHA256
> DHE-RSA-AES256-SHA
> DHE-RSA-AES256-SHA256
> DHE-DSS-AES256-SHA
> DHE-DSS-AES128-SHA256
> 
> but RFC 7540 includes TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ECDHE-RSA-AES128-SHA) and all those others as a MAY for INADEQUATE_SECURITY.
> 
> Now, assuming I got the cipher names correct, what am I to check for? Shall I be liberal in what I accept - again?

AFAIK, that list is for HTTP/1.1. HTTP/2 has list of ciphers that
are not to be used.


And it is also unnecressarily wide. Just about everything that supports
"modern" in sense Mozilla TLS guide uses it supports:

- TLS 1.2
- ECDHE
- RSA and ECDSA
- At least one of AES-128-GCM, AES-256-GCM, AES-256-CBC.


(The AES-256-CBC cipher is for Apple products, as those only recently
gained GCM support).

Priorize AEAD ciphers over AES-256-CBC and ciphersuite selection for
h2 should go properly.


-Ilari
Received on Friday, 16 October 2015 13:03:09 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:39 UTC