
Re: alpn + ciphers

From: Ilari Liusvaara <ilariliusvaara@welho.com>
Date: Fri, 16 Oct 2015 16:05:00 +0300
To: Stefan Eissing <stefan.eissing@greenbytes.de>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20151016130500.GB20506@LK-Perkele-V2.elisa-laajakaista.fi>

On Fri, Oct 16, 2015 at 01:28:27PM +0200, Stefan Eissing wrote:
> 
> During ALPN callbacks by popular SSL libs such as OpenSSL, the cipher has/may not have been selected. This is a potential interworking problem when h2 is proposed, only to have the connection shut down with INADEQUATE_SECURITY afterwards.
> 
> I am not sure what is the best way to address this. Limiting the cipher list to only highest grade is often not an option for a server. Any advice appreciated.

If you don't want to limit ciphers (but if you need to be PCI DSS
compliant, you can limit it a lot, the only non-h2 ciphers you
need are ECDHE-{RSA,ECDSA}-AES256-CBC (for Apple products)).

And you can also prioritize the H2 ciphers over the rest, which
should make the handshake go properly.


-Ilari
Received on Friday, 16 October 2015 13:05:28 UTC
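An added example, not part of the original messages or of any server's code: a small model of the ordering problem raised in the thread and of the "prioritize the h2 ciphers" advice. The cipher names are OpenSSL-style TLS 1.2 names, the server list and client offers are constructed, and `h2_ok` is a heuristic (ephemeral key exchange plus AEAD) standing in for the cipher blacklist in RFC 7540 Appendix A.

```python
# Assumption: OpenSSL-style TLS 1.2 cipher names; classification is a
# heuristic for RFC 7540 Appendix A, not the literal blacklist table.
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")
EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-")

# Constructed sample data: a server list that happens to prefer a CBC suite.
SERVER_PREFS = [
    "ECDHE-RSA-AES256-SHA384",        # CBC, kept for legacy clients
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES128-SHA",                     # static RSA, CBC
]
BROWSER_OFFER = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
                 "ECDHE-RSA-AES256-SHA384", "AES128-SHA"]
LEGACY_OFFER = ["ECDHE-RSA-AES256-SHA384", "AES128-SHA"]


def h2_ok(name):
    """True if the suite has ephemeral key exchange and an AEAD cipher."""
    return name.startswith(EPHEMERAL_PREFIXES) and any(m in name for m in AEAD_MARKERS)


def prioritize_h2(server_prefs):
    """Stable reorder: h2-acceptable suites first, relative order preserved."""
    return sorted(server_prefs, key=lambda n: not h2_ok(n))


def negotiate(server_prefs, client_offer):
    """Server-preference selection: first server suite the client also offers."""
    offered = set(client_offer)
    return next((s for s in server_prefs if s in offered), None)


def handshake(server_prefs, client_offer, client_alpn):
    """ALPN is answered without knowing the cipher, as in the thread."""
    proto = "h2" if "h2" in client_alpn else "http/1.1"
    cipher = negotiate(server_prefs, client_offer)
    if cipher is None:
        return proto, None, "handshake_failure"
    if proto == "h2" and not h2_ok(cipher):
        return proto, cipher, "INADEQUATE_SECURITY"
    return proto, cipher, "ok"


if __name__ == "__main__":
    for prefs in (SERVER_PREFS, prioritize_h2(SERVER_PREFS)):
        print(handshake(prefs, BROWSER_OFFER, ["h2", "http/1.1"]))
    print(handshake(prioritize_h2(SERVER_PREFS), LEGACY_OFFER, ["http/1.1"]))
```

With the reordered list, a client that offers an AEAD suite always lands on it, while clients that offer only CBC and no h2 still connect over HTTP/1.1.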
