Re: 9.2.2 Cipher fallback and FF<->Jetty interop problem

On Sep 18, 2014, at 10:41 AM, Roy T. Fielding <> wrote:

> I still don't believe that any of these requirements belong in h2,
> and I won't implement them even if they end up in the RFC.  It is
> not the HTTP server's responsibility to second-guess the configuration
> regarding the security properties of the underlying connections.
> We have no idea what hardware or gateways might be doing to secure those
> connections.  We don't even know what TLS library is being used,
> since all we see is an API into someone else's code.
> TLS requirements belong in the TLS code.

I agree. Although, I am sympathetic to the desire to establish conventions and sanity, but to me these things seem to apply to HTTP/1.1 just as much as HTTP/2. I am also sympathetic to clients that prefer to just work even in the face of poor security. So why not just display a warning when *anything* using TLS happens to pick a weak cipher. That will be just as motivating and far less error prone.

Jason T. Greene
WildFly Lead / JBoss EAP Platform Architect
JBoss, a division of Red Hat

Received on Thursday, 18 September 2014 18:11:09 UTC