Re: alpn + ciphers
Stefan Eissing <stefan.eissing@greenbytes.de> Fri, 16 October 2015 13:26 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D14041A1B30 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 16 Oct 2015 06:26:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.912
X-Spam-Level:
X-Spam-Status: No, score=-6.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Tu6v4Wwnv4yP for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 16 Oct 2015 06:26:39 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 90F9A1A1B07 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Fri, 16 Oct 2015 06:26:39 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1Zn4zV-00013X-2D for ietf-http-wg-dist@listhub.w3.org; Fri, 16 Oct 2015 13:24:13 +0000
Resent-Date: Fri, 16 Oct 2015 13:24:13 +0000
Resent-Message-Id: <E1Zn4zV-00013X-2D@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <stefan.eissing@greenbytes.de>) id 1Zn4zR-00012q-Ml for ietf-http-wg@listhub.w3.org; Fri, 16 Oct 2015 13:24:09 +0000
Received: from mail.greenbytes.de ([217.91.35.233]) by maggie.w3.org with esmtps (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from <stefan.eissing@greenbytes.de>) id 1Zn4zP-0007zT-KC for ietf-http-wg@w3.org; Fri, 16 Oct 2015 13:24:09 +0000
Received: from [192.168.1.48] (unknown [87.78.174.25]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mail.greenbytes.de (Postfix) with ESMTPSA id 12B6115A035F; Fri, 16 Oct 2015 15:23:45 +0200 (CEST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 9.0 \(3094\))
From: Stefan Eissing <stefan.eissing@greenbytes.de>
In-Reply-To: <20151016130500.GB20506@LK-Perkele-V2.elisa-laajakaista.fi>
Date: Fri, 16 Oct 2015 15:23:44 +0200
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <2051F7C9-9067-46E6-ACBD-8FC335F25B2A@greenbytes.de>
References: <78A44AE4-168D-4129-AF94-38FB66286711@greenbytes.de> <20151016130500.GB20506@LK-Perkele-V2.elisa-laajakaista.fi>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
X-Mailer: Apple Mail (2.3094)
Received-SPF: pass client-ip=217.91.35.233; envelope-from=stefan.eissing@greenbytes.de; helo=mail.greenbytes.de
X-W3C-Hub-Spam-Status: No, score=-6.1
X-W3C-Hub-Spam-Report: AWL=-2.151, BAYES_00=-1.9, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: maggie.w3.org 1Zn4zP-0007zT-KC 439b71d988fabd1076f57c7660b0bcda
X-Original-To: ietf-http-wg@w3.org
Subject: Re: alpn + ciphers
Archived-At: <http://www.w3.org/mid/2051F7C9-9067-46E6-ACBD-8FC335F25B2A@greenbytes.de>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/30370
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
It seems you say: "There is a way to configure this.", which I totally believe you. But I am not setting up new servers. I add HTTP/2 functionality to a server that is around for 20 years. That upgrade will arrive in existing configurations and my code, ideally, should act sanely in as many of them as it can. This seems a problem in implementation the way things are right now, because the requirements of RFC 7540 cannot be verified at ALPN time. Which maybe is what it is. I am just trying to find out if I overlooked something here. //Stefan > Am 16.10.2015 um 15:05 schrieb Ilari Liusvaara <ilariliusvaara@welho.com>: > > On Fri, Oct 16, 2015 at 01:28:27PM +0200, Stefan Eissing wrote: >> >> During ALPN callbacks by popular SSL libs such as openssl, the cipher has/may not have been selected. This is a potential interworking problem when h2 is proposed, only to have the connection shutdown with INADEQUATE_SECURITY afterwards. >> >> I am not sure what is the best way to address this. Limiting the cipher list to only highest grade is often not an option for a server. Any advice appreciated. > > If you don't want to limit ciphers (but if you need to be PCI DSS > compliant, you can limit it a lot, the only non-h2 ciphers you > need is ECDHE-{RSA,ECDSA}-AES256-CBC (for Apple products). > > And you can also priorize the H2 ciphers over the rest, which > should make the handshake go properly. > > > -Ilari >
- alpn + ciphers Stefan Eissing
- Re: alpn + ciphers Ilari Liusvaara
- Re: alpn + ciphers Stefan Eissing
- Re: alpn + ciphers Martin Thomson