Re: http/2 and TLS security

On 5 November 2015 at 10:16, Patrick McManus <pmcmanus@mozilla.com> wrote:
> On Wed, Nov 4, 2015 at 11:18 PM, Francisco Moraes
> <francisco.moraes@gmail.com> wrote:
>>
>> But during the ALPN callback, as far as I can tell, OpenSSL still has not
>> selected a cipher nor protocol,
>
>
> so NSS required a little work to make the equivalent of SSL_get_version()
> work during the ALPN callback. Is this something that should be pursued in
> the OpenSSL bug tracker? (Have you double checked that?) It's more of an open
> source implementation thing than a working group item.

Actually, the OpenSSL situation could be easier.  You could scrub the
ClientHello for acceptable cipher suites in the ALPN callback. If that
results in no suites left, then you could disable h2 and reset the
cipher suite stuff.

Received on Thursday, 5 November 2015 02:11:01 UTC
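
The scrub suggested in this message, sketched as an added example (not code from the thread, and not OpenSSL's API): it works on the raw wire bytes of the ClientHello cipher_suites vector and the ALPN protocol list. The allowlist is a short illustrative set of TLS 1.2 suites that are not on the RFC 7540 Appendix A blacklist; the function names and sample bytes are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative allowlist (assumption): ephemeral key exchange + AEAD. */
static const uint16_t H2_OK[] = {
    0xC02B, /* TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 */
    0xC02F, /* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */
    0xC030, /* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 */
    0x009E, /* TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 */
};
/* Constructed sample inputs, in wire format (not captured traffic). */
static const uint8_t ALPN_BOTH[] = {2,'h','2', 8,'h','t','t','p','/','1','.','1'};
static const uint8_t CS_MODERN[] = {0xC0,0x2F, 0x00,0x2F}; /* one acceptable */
static const uint8_t CS_LEGACY[] = {0x00,0x2F, 0x00,0x0A}; /* CBC, static RSA */

/* Count acceptable suites in ClientHello cipher_suites (big-endian IDs). */
size_t h2_acceptable_suites(const uint8_t *cs, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i + 1 < len; i += 2) {
        uint16_t id = (uint16_t)((cs[i] << 8) | cs[i + 1]);
        for (size_t j = 0; j < sizeof H2_OK / sizeof H2_OK[0]; j++)
            if (H2_OK[j] == id) { n++; break; }
    }
    return n;
}

/* Does the client's ALPN list (length-prefixed names) contain `name`? */
static int alpn_offers(const uint8_t *in, size_t inlen, const char *name) {
    size_t want = strlen(name);
    for (size_t i = 0; i < inlen; ) {
        size_t l = in[i++];
        if (l == 0 || l > inlen - i) return 0; /* malformed list */
        if (l == want && memcmp(in + i, name, l) == 0) return 1;
        i += l;
    }
    return 0;
}

/* h2 only if offered and a suite survives the scrub; otherwise fall back
 * to http/1.1, where the full cipher list can stay enabled. */
const char *choose_alpn(const uint8_t *a, size_t alen, const uint8_t *cs, size_t cslen) {
    if (alpn_offers(a, alen, "h2") && h2_acceptable_suites(cs, cslen) > 0) return "h2";
    return alpn_offers(a, alen, "http/1.1") ? "http/1.1" : NULL;
}

int main(void) {
    puts(choose_alpn(ALPN_BOTH, sizeof ALPN_BOTH, CS_LEGACY, sizeof CS_LEGACY));
}
```

In a real server the same decision would sit inside the ALPN selection callback, with the cipher list restricted to the surviving suites only when h2 is chosen.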