- From: Ilari Liusvaara <ilariliusvaara@welho.com>
- Date: Fri, 16 Oct 2015 16:05:00 +0300
- To: Stefan Eissing <stefan.eissing@greenbytes.de>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
On Fri, Oct 16, 2015 at 01:28:27PM +0200, Stefan Eissing wrote:
>
> During ALPN callbacks by popular SSL libs such as openssl, the cipher has/may not have been selected. This is a potential interworking problem when h2 is proposed, only to have the connection shut down with INADEQUATE_SECURITY afterwards.
>
> I am not sure what is the best way to address this. Limiting the cipher list to only highest grade is often not an option for a server. Any advice appreciated.

If you don't want to limit ciphers (but if you need to be PCI DSS compliant, you can limit it a lot; the only non-h2 cipher you need is ECDHE-{RSA,ECDSA}-AES256-CBC (for Apple products)).

And you can also prioritize the H2 ciphers over the rest, which should make the handshake go properly.

-Ilari
Received on Friday, 16 October 2015 13:05:28 UTC
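As an added example (not from this thread or from any of the projects mentioned), a small Python check that classifies OpenSSL TLS 1.2 cipher-suite names by the RFC 7540 section 9.2.2 rule (ephemeral key exchange plus an AEAD cipher) and reorders a server cipher string so the h2-acceptable suites are preferred, which is the ordering advice given above. The sample server list, the client offer and the `negotiate` helper are constructed for illustration.

```python
# Added example: h2 cipher-suite acceptability and server cipher-list ordering.
from typing import List, Optional

# RFC 7540 9.2.2: h2 must not use suites without ephemeral key exchange, nor
# block/stream ciphers; in OpenSSL TLS 1.2 naming that leaves ECDHE/DHE + AEAD.
EPHEMERAL_KX = ("ECDHE-", "DHE-")
AEAD_MARKERS = ("-GCM-", "-CHACHA20-POLY1305", "-CCM")

def h2_acceptable(name: str) -> bool:
    """True if an OpenSSL TLS 1.2 suite name is usable for h2; anything else
    (CBC suites, static RSA key exchange) gets INADEQUATE_SECURITY."""
    kx_ok = name.startswith(EPHEMERAL_KX)
    aead_ok = any(m in name for m in AEAD_MARKERS)
    return kx_ok and aead_ok

def prioritize_h2(cipher_list: str) -> str:
    """Stable reorder of a ':'-separated OpenSSL cipher string: h2-acceptable
    suites first, then the rest; order inside each group is preserved, so the
    server's own preference among e.g. the CBC suites is kept."""
    suites = [s for s in cipher_list.split(":") if s]
    h2 = [s for s in suites if h2_acceptable(s)]
    rest = [s for s in suites if not h2_acceptable(s)]
    return ":".join(h2 + rest)

def negotiate(server_prefs: str, client_offer: List[str]) -> Optional[str]:
    """Server-preference selection (constructed model of
    SSL_OP_CIPHER_SERVER_PREFERENCE): first server suite the client also offers."""
    offered = set(client_offer)
    for s in server_prefs.split(":"):
        if s in offered:
            return s
    return None

# Constructed sample: keeps ECDHE-AES256-CBC for older Apple clients, but lists
# it first, so a client offering both CBC and GCM is steered onto CBC.
SERVER_LIST = ("ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:"
               "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
               "ECDHE-RSA-CHACHA20-POLY1305:AES128-GCM-SHA256")

if __name__ == "__main__":
    client = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-SHA"]
    chosen = negotiate(SERVER_LIST, client)
    print("original order picks", chosen, "h2 ok:", h2_acceptable(chosen))
    chosen = negotiate(prioritize_h2(SERVER_LIST), client)
    print("h2-first order picks", chosen, "h2 ok:", h2_acceptable(chosen))
```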