- From: Patrick McManus <pmcmanus@mozilla.com>
- Date: Wed, 4 Nov 2015 09:29:19 +0900
- To: Francisco Moraes <francisco.moraes@gmail.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
- Message-ID: <CAOdDvNowQ1Ud4kyWMchhw3nCv-Z3Hcyaw_9mcWOmQTheY96Wyw@mail.gmail.com>
Hi Francisco

On Tue, Nov 3, 2015 at 11:59 PM, Francisco Moraes <francisco.moraes@gmail.com> wrote:

> Hi,
>
> I have a few questions from a server perspective when implementing http/2:
>
> 1. if http/2 is selected to be supported, TLS 1.2 is required, but that
> doesn't mean that the server cannot negotiate TLS 1.x with clients that are
> not talking h2. It would be a client error to negotiate TLS 1.1 for example
> if it wants to talk h2. Should the server close the connection if for some
> reason TLS 1.1 or 1.0 was negotiated for http/2?
>

The server makes the final choice of both application layer protocol and tls version (subject to intersection with what the client offers). If it cannot select >= 1.2 then it must not select h2. Doing so would be a 7540 violation and some clients are likely to generate INADEQUATE_SECURITY. (Firefox will.) Falling back to h1 would be fine assuming some version of tls is negotiated.

> 2. Appendix A of RFC 7540 lists a lot of ciphers that are blacklisted but
> the wording says the server MAY treat the negotiation of the ciphers with
> TLS 1.2 as a connection error. This doesn't imply that I should disallow
> those ciphers in my server configuration, but I have seen some of those
> ciphers cause an error on the client side (browser). What's the best
> practice here? Print a warning if those ciphers are used? Fail? Failing
> every single one of those ciphers leaves a very limited list of ciphers to
> be used.
>

Restricting the cipher list to the set of best practices is definitely the point. If you have a h2 only server then you can just disable them - just making them lowest priority generally does the trick in a server that needs backwards compat with older h1 clients.
Received on Wednesday, 4 November 2015 00:29:50 UTC
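The server-side decision Patrick describes (the server is the final arbiter of ALPN protocol and TLS version, so it may only pick "h2" when it can also honour RFC 7540 section 9.2, and otherwise falls back to "http/1.1") can be implemented per connection with Go's crypto/tls. The block below is an added example written for this page; it is not code from either participant or from any HTTP/2 server. Assumptions: Go's crypto/tls implements only a subset of the Appendix A suites, and for that subset the rule "static RSA key exchange, or a non-AEAD (CBC or RC4) cipher" is taken as the Appendix A membership test; the h1 fallback profile's minimum version of TLS 1.0 and the ClientHello used in main are constructed for illustration.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// isAppendixASuite reports whether a cipher suite is on the RFC 7540
// Appendix A black list. Assumption: for the suites Go implements, static
// RSA key exchange or a CBC/RC4 cipher is exactly Appendix A membership.
// IDs Go does not know are treated as blacklisted (never offered for h2).
func isAppendixASuite(id uint16) bool {
	name := tls.CipherSuiteName(id) // "0x...." for unknown IDs
	return !strings.HasPrefix(name, "TLS_") ||
		strings.HasPrefix(name, "TLS_RSA_WITH_") ||
		strings.Contains(name, "_CBC_") ||
		strings.Contains(name, "_RC4_")
}

// tls12Suites splits every TLS 1.2 suite Go knows, including those Go itself
// marks insecure, into the h2-acceptable set and the Appendix A set.
func tls12Suites() (acceptable, legacy []uint16) {
	all := append(tls.CipherSuites(), tls.InsecureCipherSuites()...)
	for _, cs := range all {
		for _, v := range cs.SupportedVersions {
			if v != tls.VersionTLS12 {
				continue
			}
			if isAppendixASuite(cs.ID) {
				legacy = append(legacy, cs.ID)
			} else {
				acceptable = append(acceptable, cs.ID)
			}
			break
		}
	}
	return acceptable, legacy
}

// h2Eligible reports whether this ClientHello can be answered with "h2"
// without violating RFC 7540 9.2: the client lists h2, supports TLS 1.2 or
// later, and offers at least one suite that is not on Appendix A.
func h2Eligible(hello *tls.ClientHelloInfo) bool {
	wantsH2, versionOK := false, false
	for _, p := range hello.SupportedProtos {
		wantsH2 = wantsH2 || p == "h2"
	}
	for _, v := range hello.SupportedVersions {
		versionOK = versionOK || v >= tls.VersionTLS12
	}
	if !wantsH2 || !versionOK {
		return false
	}
	for _, id := range hello.CipherSuites {
		if !isAppendixASuite(id) {
			return true
		}
	}
	return false
}

// configForClient builds a tls.Config.GetConfigForClient callback that forks
// each connection between a strict h2 profile (TLS >= 1.2, Appendix A suites
// simply absent) and a permissive h1 profile for older clients.
func configForClient(base *tls.Config) func(*tls.ClientHelloInfo) (*tls.Config, error) {
	acceptable, legacy := tls12Suites()
	h2 := base.Clone()
	h2.NextProtos = []string{"h2", "http/1.1"}
	h2.MinVersion = tls.VersionTLS12
	h2.CipherSuites = acceptable

	h1 := base.Clone()
	h1.NextProtos = []string{"http/1.1"}
	h1.MinVersion = tls.VersionTLS10 // assumption: legacy h1 clients still need 1.0/1.1
	h1.CipherSuites = append(append([]uint16{}, acceptable...), legacy...)

	return func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
		if h2Eligible(hello) {
			return h2, nil
		}
		return h1, nil
	}
}

func main() {
	get := configForClient(&tls.Config{})
	// Constructed ClientHello: a TLS 1.1-only client that still advertises h2.
	old := &tls.ClientHelloInfo{
		SupportedProtos:   []string{"h2", "http/1.1"},
		SupportedVersions: []uint16{tls.VersionTLS11, tls.VersionTLS10},
		CipherSuites:      []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
	}
	cfg, _ := get(old)
	fmt.Println("TLS 1.1 client offering h2 ->", cfg.NextProtos) // [http/1.1]
}
```

Install the callback with `srv.TLSConfig = &tls.Config{GetConfigForClient: configForClient(base)}` and Go will never negotiate h2 below TLS 1.2 or with a blacklisted suite, which is what keeps Firefox from sending INADEQUATE_SECURITY. The "make them lowest priority" trick from the reply is expressed here as two profiles rather than as list ordering, because Go's crypto/tls (since 1.17) ignores the order of `CipherSuites` and chooses its own preference among the allowed suites.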