W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2015

http/2 and TLS security

From: Francisco Moraes <francisco.moraes@gmail.com>
Date: Tue, 3 Nov 2015 09:59:20 -0500
To: ietf-http-wg@w3.org
Message-ID: <5638CBC8.5060807@gmail.com>

I have a few questions from a server perspective when implementing http/2:

1. if http/2 is selected to be supported, TLS 1.2 is required, but that 
doesn't mean that the server cannot negotiate TLS 1.x with clients that 
are not talking h2. It would be a client error to negotiate TLS 1.1 for 
example if it wants to talk h2. Should the server close the connection 
is for some reason TLS 1.1 or 1.0 was negotiated for http/2?

2. Appendix A of RFC 7540 lists a lot of ciphers that are black listed 
but the wording says the server MAY treat the negotiation of the ciphers 
with TLS 1.2 as a connection error. This doesn't imply that I should 
disallow those ciphers in my server configuration, but I have seen some 
of those ciphers cause an error on the client side (browser). What's the 
best practice here? Print a warning if those ciphers are used? Fail? 
Failing every single one of those ciphers leaves a very limited list of 
ciphers to be used.

Received on Tuesday, 3 November 2015 14:59:54 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:40 UTC