Re: 9.2.2 Cipher fallback and FF<->Jetty interop problem

On 17 September 2014 08:52, Brian Smith <> wrote:
> And, if you simply have your server enable the TLS_ECDHE_*_AES_*_GCM_*
> cipher suites (using the NIST P-256 curve), and prefer them ahead of
> all others, for both HTTP/1 and HTTP/2, you can entirely avoid doing
> even the stuff I mentioned above.

I think this is really the simplest approach. Prioritise ciphers that
are acceptable for use with h2 and have your server ignore the
client's priorities in favour of its own. If the client offers *any*
h2 ciphers you'll use them, otherwise you can assume that the client
can't do h2 (or at least can't according to the spec). In the HTTP/1.1
case all you've done is use strong ciphers for every connection that
supports them: I'm sure you'll get over it!

Received on Wednesday, 17 September 2014 08:10:57 UTC