- From: Eric Rescorla <ekr@rtfm.com>
- Date: Tue, 7 Oct 2014 00:06:34 -0400
- To: Greg Wilkins <gregw@intalio.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
- Message-ID: <CABcZeBPzs9MghABAGgAM-zYC2n7Jgw07BudVO+FpzbmS_z=7ag@mail.gmail.com>
On Mon, Oct 6, 2014 at 4:55 PM, Greg Wilkins <gregw@intalio.com> wrote:

> Nicholas,
>
> I was not implying that FF has done anything wrong and it is good to know that there is a configuration to turn off 9.2.2 checking.
>
> But my point remains. If 9.2.2 is configurable, then a server cannot know on what basis a cipher is offered - is it a h1 fallback cipher or a configured weak cipher. If the server guesses wrong, communication failure results even though the pair might have protocol/cipher choices that are acceptable.

I don't understand this argument. The server doesn't have to guess, it just complies with 9.2.2 and things should work regardless of whether the client is configured to accept non-AEAD ciphers for h2 or not.

More generally, clients and servers routinely have hidden switches to override specification requirements for testing purposes: to take a non-HTTP example, the getUserMedia() specification explicitly requires the user to be prompted before granting camera and microphone access, but Firefox has a pref in about:config to let you override that. When you flip that preference, Firefox becomes nonconformant. There are reasons to do that for testing, but if you do it, you're on your own.

I don't see the situation here as being any different.

-Ekr
Received on Tuesday, 7 October 2014 04:07:42 UTC