Re: h2 ciphers

Stefan Eissing <> Fri, 16 October 2015 14:08 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id A31AA1B2BD5 for <>; Fri, 16 Oct 2015 07:08:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -5.112
X-Spam-Status: No, score=-5.112 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_24=0.6, J_CHICKENPOX_25=0.6, J_CHICKENPOX_34=0.6, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id USZCloD4E4vS for <>; Fri, 16 Oct 2015 07:08:21 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 3319F1A92EB for <>; Fri, 16 Oct 2015 07:08:20 -0700 (PDT)
Received: from lists by with local (Exim 4.80) (envelope-from <>) id 1Zn5dJ-0008LF-GH for; Fri, 16 Oct 2015 14:05:21 +0000
Resent-Date: Fri, 16 Oct 2015 14:05:21 +0000
Resent-Message-Id: <>
Received: from ([]) by with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <>) id 1Zn5dG-0008Jr-5o for; Fri, 16 Oct 2015 14:05:18 +0000
Received: from ([]) by with esmtps (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from <>) id 1Zn5dE-0001Be-67 for; Fri, 16 Oct 2015 14:05:17 +0000
Received: from [] (unknown []) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Postfix) with ESMTPSA id 7E03D15A0472; Fri, 16 Oct 2015 16:04:53 +0200 (CEST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 9.0 \(3094\))
From: Stefan Eissing <>
In-Reply-To: <>
Date: Fri, 16 Oct 2015 16:04:52 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <>
To: Julien Vehent <>
X-Mailer: Apple Mail (2.3094)
Received-SPF: pass client-ip=;;
X-W3C-Hub-Spam-Status: No, score=-5.9
X-W3C-Hub-Spam-Report: AWL=-1.972, BAYES_00=-1.9, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: 1Zn5dE-0001Be-67 f66b09043b47900e303eaf68bacb3260
Subject: Re: h2 ciphers
Archived-At: <>
X-Mailing-List: <> archive/latest/30373
Precedence: list
List-Id: <>
List-Help: <>
List-Post: <>
List-Unsubscribe: <>

> Am 16.10.2015 um 15:23 schrieb Julien Vehent <>:
> On 2015-10-16 09:08, Amos Jeffries wrote:
>> HTTP/2 was designed to be implemented from a clean-slate situation.
>> Everybody is building new code based on the same spec, so there is no
>> legacy behaviours to be tolerant about.
> (I'm the author of the Mozilla guidelines).

Thanks for that wiki!

> This is correct: the recommendation is for HTTP/1.1 where a significant amount of backward compatibility is required. The modern guidelines guarantee strong crypto on somewhat recent clients, but we can certainly do better for http/2.
> We'll probably revise the guidelines in the coming months. In the meantime, on a h2 endpoint, I would recommend limiting it to these ciphers:
> 0xC0,0x2F  -  ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(128)  Mac=AEAD
> 0xC0,0x2B  -  ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(128)  Mac=AEAD
> 0xC0,0x30  -  ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(256)  Mac=AEAD
> 0xC0,0x2C  -  ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(256)  Mac=AEAD
> Note: we don't recommend ECDHE-RSA-CHACHA20-POLY1305 because it's not yet a standard and our mozilla servers don't implement it, but feel free to use it :)

Now, Apache httpd will most often not be a "clean slate" h2 endpoint, but having to serve old, intermediate and modern clients and, among those modern ones, some that announce 'h2' in ALPN. 

When this arrives in Apache, the code needs to decide if it answers h2 or http/1.1 in an ALPN callback from the TLS layer
- the TLS layer has not yet decided on a cipher
- the TLS layer has no concept of a h2 compatible cipher list, best case it is configured with a "modern" list and server-order preference.
- the client cipher list is, I believe, not visible (and even if it was, we could only guess what the TLS layer selects later)


Am I overlooking something?