W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2015

Re: http/2 and TLS security

From: Patrick McManus <pmcmanus@mozilla.com>
Date: Thu, 5 Nov 2015 10:16:15 +0900
Message-ID: <CAOdDvNpHNgnR6kud0RwdOGGs=zaLTtPQZvpm2TZtWuj47BrRPg@mail.gmail.com>
To: Francisco Moraes <francisco.moraes@gmail.com>
Cc: Patrick McManus <pmcmanus@mozilla.com>, HTTP Working Group <ietf-http-wg@w3.org>
On Wed, Nov 4, 2015 at 11:18 PM, Francisco Moraes <
francisco.moraes@gmail.com> wrote:

> But during the ALPN callback, as far as I can tell, OpenSSL still has not
> selected a cipher nor protocol,

so nss required a little work to make the equivalent of SSL_get_version()
work during the alpn callback. Is this something that should be pursued in
the openssl bug tracker? (Have you double checked that?) Its more of an
open source implementation thing than a working group item..

in practice the client shouldn't be offering h2 if it isn't also offering
1.2 so this shouldn't come up as long as you're configured to
unconditionally prefer 1.2.. weird behavior should be limited to clients
that made non sensical offers.
Received on Thursday, 5 November 2015 01:16:41 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:40 UTC