
Re: How to handle HTTP/2 negotiation failure WRT TLS

From: Brian Smith <brian@briansmith.org>
Date: Thu, 30 Jan 2014 11:31:09 -0800
Message-ID: <CAFewVt5B5kxniaTjTZ38Vebsx9C0gHdu+aoqVVD+C7CXq-jVZw@mail.gmail.com>
To: William Chan (陈智昌) <willchan@chromium.org>
Cc: Michael Sweet <msweet@apple.com>, HTTP Working Group <ietf-http-wg@w3.org>

On Thu, Jan 30, 2014 at 9:41 AM, William Chan (陈智昌)
<willchan@chromium.org> wrote:
> I guess I'm advocating that a server must not select http/2 in alpn until
> it's sure it supports the base TLS profile. And if the server fails to do so
> correctly, the client hard fails. I do not believe we have backwards
> compatibility issues since the h2 token is new. Clients only have an
> opportunity to tighten requirements when introducing new alpn tokens. Any
> attempt to do so with existing tokens will probably require fallback and
> introduce a potential downgrade attack.

I agree with you. I think it would be good if we implemented this
hard-fail behavior before the next interop meeting. Then we will
really find out if/how the TLS requirements are problematic.

FWIW, this is now Mozilla bug 965922:

Received on Thursday, 30 January 2014 19:31:37 UTC
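
The hard-fail behavior discussed in this message, sketched as a client-side check. This is an added example, not code from the thread or from any browser. The profile it enforces (TLS 1.2 or later, ephemeral key exchange, AEAD cipher) and all function names are assumptions, since the message does not define the base TLS profile; cipher names follow OpenSSL's naming as reported by Python's `ssl` module.

```python
# Added example: client-side hard fail when a server selects "h2" via ALPN
# but the negotiated TLS parameters miss the required profile.
# ASSUMPTION: the profile below (TLS 1.2+, ephemeral key exchange, AEAD
# cipher) is illustrative; the thread does not spell it out.
import ssl

H2_TOKEN = "h2"  # the new ALPN token named in the thread


class H2ProfileError(ConnectionError):
    """Server selected h2 without meeting the TLS profile; do not fall back."""


def profile_violations(tls_version, cipher_name):
    """Return the reasons the negotiated parameters miss the assumed profile."""
    problems = []
    if tls_version not in ("TLSv1.2", "TLSv1.3"):
        problems.append("TLS version %s is below 1.2" % tls_version)
    # TLS 1.3 suites are all AEAD with ephemeral key exchange.
    if tls_version != "TLSv1.3":
        if not cipher_name.startswith(("ECDHE-", "DHE-")):
            problems.append("key exchange is not ephemeral: " + cipher_name)
        if not any(tag in cipher_name for tag in ("GCM", "CCM", "CHACHA20")):
            problems.append("cipher is not AEAD: " + cipher_name)
    return problems


def enforce_alpn_result(selected_alpn, tls_version, cipher_name):
    """Decide what to speak after the handshake.

    Returns "h2" or "http/1.1". Raises H2ProfileError when the server picked
    h2 without meeting the profile. Retrying with a weaker offer would open a
    downgrade path, so the connection is abandoned instead.
    """
    if selected_alpn != H2_TOKEN:
        return "http/1.1"  # existing token or no ALPN: existing rules apply
    problems = profile_violations(tls_version, cipher_name)
    if problems:
        raise H2ProfileError("; ".join(problems))
    return H2_TOKEN


def check_socket(tls_sock: ssl.SSLSocket):
    """Apply the check to a connected ssl.SSLSocket after the handshake."""
    name, _proto, _bits = tls_sock.cipher()
    return enforce_alpn_result(tls_sock.selected_alpn_protocol(),
                               tls_sock.version(), name)
```

The stricter rule applies only when the new token is selected, so connections that negotiate an existing token behave as before and need no fallback logic.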
