- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Wed, 12 Nov 2014 21:31:09 -1000
- To: Eric Rescorla <ekr@rtfm.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>

On Nov 12, 2014, at 5:38 PM, Eric Rescorla wrote:

> I think we may be talking past each other. A server that behaves this way will
> simply appear as broken to every user of every client which behaves
> as I indicated above. I suspect that may not be what they wanted.

I am well aware of what you are stating. It is simply wrong. Such a client has a bug because it requested a secure session using what it considers an insecure cipher. If the client sends an h2 request on that connection, I simply don't care how badly they break when they get an h2 response. The h2 server isn't going to do anything about it because it has no control over the chosen ciphers.

The client is fully capable of interop in that case. If it chooses not to try again with a good cipher, then it has failed its own user.

....Roy

Received on Thursday, 13 November 2014 07:31:26 UTC