Re: null ciphers in 9.2.2

Nicholas,

I was not implying that FF has done anything wrong and it is good to know
that there is a configuration to turn off 9.2.2 checking.

But my point remains. If 9.2.2 is configurable, then a server cannot know
on what basis a cipher is offered - is it an h1 fallback cipher or a
configured weak cipher? If the server guesses wrong, communication failure
results even though the pair might have protocol/cipher choices that are
acceptable.

The argument made when the fragile handshake was pointed out was that 9.2.2
could never ever be implemented differently and thus would not be subject
to configuration. So when I point out that null ciphers/weak/unusual
ciphers might have niche use-cases, it can't be argued that acceptable
ciphers are indeed configurable.

regards



-- 
Greg Wilkins <gregw@intalio.com>
http://eclipse.org/jetty HTTP, SPDY, Websocket server and client that scales
http://www.webtide.com  advice and support for jetty and cometd.

Received on Monday, 6 October 2014 20:55:53 UTC