Re: 9.2.2 Cipher fallback and FF<->Jetty interop problem from Greg Wilkins on 2014-09-05 (ietf-http-wg@w3.org from July to September 2014)

From: Greg Wilkins <gregw@intalio.com>
Date: Fri, 5 Sep 2014 20:56:53 +1000
To: Martin Thomson <martin.thomson@gmail.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CAH_y2NEo1YaBNs5AF0rEZre4_ey=4=CmTpnVG=Q8RkC5bHrYOg@mail.gmail.com>

Note that RFC7301 says:

   This document describes a Transport Layer Security (TLS) extension
   for application-layer protocol negotiation within the TLS handshake

If 9.2.2. is to stand, then I believe that we need a new version of ALPN
specification
(or errata or similar) that says something like:

   This document describes a Transport Layer Security (TLS) extension
   for negotiation of application-layer protocol and TLS cipher suite
   combinations within the TLS handshake

Otherwise, when ALPN is natively supported in the JVM8, there is nothing
stopping
them implementing it as we did according to RFC7301 and producing an
extension that
only negotiates protocol and thus cannot support what 9.2.2 requires.

It would also still be good to get an answer of why we need 9.2.2 ?
If the ciphers are inadequate for h2, then why aren't they inadequate for
http/1, spdy and
other protocols the ALPN might list?

-- 
Greg Wilkins <gregw@intalio.com>
http://eclipse.org/jetty HTTP, SPDY, Websocket server and client that scales
http://www.webtide.com  advice and support for jetty and cometd.

Received on Friday, 5 September 2014 10:57:21 UTC