Re: 9.2.2 Cipher fallback and FF<->Jetty interop problem
Martin Thomson <martin.thomson@gmail.com> Thu, 18 September 2014 02:18 UTC
Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 325261A6FEF for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 17 Sep 2014 19:18:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.654
X-Spam-Level:
X-Spam-Status: No, score=-8.654 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-1.652, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sTRm99Zz5x6K for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 17 Sep 2014 19:18:39 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C24A91A6FEE for <httpbisa-archive-bis2Juki@lists.ietf.org>; Wed, 17 Sep 2014 19:18:39 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1XURFh-00041x-Sz for ietf-http-wg-dist@listhub.w3.org; Thu, 18 Sep 2014 02:15:21 +0000
Resent-Date: Thu, 18 Sep 2014 02:15:21 +0000
Resent-Message-Id: <E1XURFh-00041x-Sz@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <martin.thomson@gmail.com>) id 1XURFE-000111-CA for ietf-http-wg@listhub.w3.org; Thu, 18 Sep 2014 02:14:57 +0000
Received: from mail-la0-f54.google.com ([209.85.215.54]) by maggie.w3.org with esmtps (TLS1.0:RSA_ARCFOUR_SHA1:16) (Exim 4.72) (envelope-from <martin.thomson@gmail.com>) id 1XURFD-0002U1-El for ietf-http-wg@w3.org; Thu, 18 Sep 2014 02:14:52 +0000
Received: by mail-la0-f54.google.com with SMTP id ge10so247937lab.13 for <ietf-http-wg@w3.org>; Wed, 17 Sep 2014 19:14:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=uaZT8cZEeQ7eAYUJKyRvZC4CG8TTDApkYKEmnJZP/jE=; b=eSZMMX5GbvrpGgfrkeObfen3PWDJN5ynZ7b5G3FR0/74pGb+KFASwUO9B0sHCuSfy3 c4glNAwHGIkQHjYvIeoYUKx4SB+qu1ycGu8iGf+EsUZOXLJO+Zq8YoWWX0AdlfCii+u3 3FEa8NvvF885+qo560rE/iRCpQPb8I6AzzvqVMz5KvZwZ17JRRUUzHIm0xzFS842drPP 7RxvPpI9ORFzRvzITH4zHIQmIOG4zmSEPoQ/0oK0KjA/33rjHtqSibdi1y5up2B2le7E V7iH/yi4XHYA2KeaWM9RVH6GvYoocWLI/C5lzJf/K9FYJHRHGreMphSeLFBPcLfB7BCu 5cBw==
MIME-Version: 1.0
X-Received: by 10.152.1.137 with SMTP id 9mr1308770lam.85.1411006464679; Wed, 17 Sep 2014 19:14:24 -0700 (PDT)
Received: by 10.25.166.75 with HTTP; Wed, 17 Sep 2014 19:14:24 -0700 (PDT)
In-Reply-To: <CAH_y2NEhAEaPiUgi_vX6Oimw+Y-k3WrnL0gJZKPxQ8KZVuFVfw@mail.gmail.com>
References: <CAH_y2NF+sP9BmYuD4QbeHpwC_uj67itzaAFCnRVC6f--KDYOgg@mail.gmail.com> <CAOdDvNopynmwvwWLXvuC0q7skunFXcfRoVHe9s7BKcoCwaBgWQ@mail.gmail.com> <CAH_y2NGXz7e3ejqy_rD=39=yYp3+cS1Dm6c3yFEYZg6tsUp5VQ@mail.gmail.com> <CABkgnnWAdm1TLP2XCKNU-6RPACLfooQV73R7Gpoemv+9PNULCA@mail.gmail.com> <CAH_y2NFLjok-NRJtOw1vmSy68sf393iSOgA4K599q0BSBqbNgA@mail.gmail.com> <CABkgnnU-CMtv8KvYU9n+QoPBOBshtQv3RfLy2qw=qVNb2O-qGg@mail.gmail.com> <CAH_y2NHrbH5Objwhq9E89QexhQtND4uOdy8q7OEckTCU17WqKg@mail.gmail.com> <CAH_y2NErRd4rxinSzEH3-uTjdWVkZu9o6sSKSf47LxfPFTRONw@mail.gmail.com> <20140917073241.GA7665@LK-Perkele-VII> <CAFewVt4pxE+9NpzYuzMKGmEdrDXzk50mC99ZbrM6M-uEoKXrHA@mail.gmail.com> <CAH_y2NGYcDvPcxDvaTRBP3p4Pnb7gw39WUDY3bNVnOGQjBgciQ@mail.gmail.com> <CAFewVt7+UAJYfKAR6DRZi_mqdzSaYw6L-pT1qg=UyOaP1ojhTw@mail.gmail.com> <CAH_y2NEhAEaPiUgi_vX6Oimw+Y-k3WrnL0gJZKPxQ8KZVuFVfw@mail.gmail.com>
Date: Wed, 17 Sep 2014 19:14:24 -0700
Message-ID: <CABkgnnU6C+TzJzdeQZhwXucuPUrPh1yyp1cpRd9jSePMjAnONQ@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: Greg Wilkins <gregw@intalio.com>
Cc: Brian Smith <brian@briansmith.org>, Ilari Liusvaara <ilari.liusvaara@elisanet.fi>, HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: text/plain; charset="UTF-8"
Received-SPF: pass client-ip=209.85.215.54; envelope-from=martin.thomson@gmail.com; helo=mail-la0-f54.google.com
X-W3C-Hub-Spam-Status: No, score=-3.5
X-W3C-Hub-Spam-Report: AWL=-2.734, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001
X-W3C-Scan-Sig: maggie.w3.org 1XURFD-0002U1-El 9af95f83f4a9135f0bd8d6b9f925ea47
X-Original-To: ietf-http-wg@w3.org
Subject: Re: 9.2.2 Cipher fallback and FF<->Jetty interop problem
Archived-At: <http://www.w3.org/mid/CABkgnnU6C+TzJzdeQZhwXucuPUrPh1yyp1cpRd9jSePMjAnONQ@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/27115
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
On 17 September 2014 17:09, Greg Wilkins <gregw@intalio.com> wrote: > Consider clients and servers written in java, so they inherit their ciphers > from the JVM. At some stage in the future a GCM is replaced by XYZ and added > to the JVM, so it is part of the acceptable TLS ciphers, but the h2 clients > and servers implementations have adopted your advice to "By default, assume > that a cipher suite is not acceptable". So everybody is assuming that XYZ > is not h2 acceptable. You can't suddenly pull a cipher suite that people rely on. We rely on GCM. We require that implementations support it. Yes, there will be implementations that pick up XYZ, but also don't know that it's OK. That's expected behaviour sadly. Not all implementations will be able to examine the properties of the available cipher suites and use properties to determine if they are OK to use. > This is not a theoretical problem. I disagree, it's a hypothetical problem. > It is a real problem that I have > experienced as FF rolled out their AEAD restriction as rqeuired by 9.2.2 > before jetty had implemented the same restriction and while AEAD is not > available on java-7. I could implement the AEAD restriction in jetty now to > get connectivity with FF, but would lose connectivity with h2 clients > running java-7. I'm not sure that this is quite right. Unless the Java 7 code is singificantly different to the Java 8 code, you should have been able to influence suite selection so that a good suite (i.e., an acceptable one) was chosen.
- 9.2.2 Cipher fallback and FF<->Jetty interop prob… Greg Wilkins
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Greg Wilkins
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Eric Rescorla
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Greg Wilkins
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Martin Thomson
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Simone Bordet
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Greg Wilkins
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Patrick McManus
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Simone Bordet
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Patrick McManus
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Patrick McManus
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Michael Sweet
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Michael Sweet
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Martin Thomson
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Michael Sweet
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Simone Bordet
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Martin Thomson
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Eric Rescorla
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Michael Sweet
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Martin Thomson
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Greg Wilkins
- RE: 9.2.2 Cipher fallback and FF<->Jetty interop … Andrei Popov
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Brian Smith
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Michael Sweet
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Michael Sweet
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Brian Smith
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Martin Thomson
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Eric Rescorla
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Martin Thomson
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Greg Wilkins
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Martin Thomson
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Greg Wilkins
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Greg Wilkins
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Amos Jeffries
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Greg Wilkins
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Ilari Liusvaara
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Brian Smith
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Cory Benfield
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Roland Zink
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Greg Wilkins
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Brian Smith
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Greg Wilkins
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Martin Thomson
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Greg Wilkins
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Stuart Douglas
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Greg Wilkins
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Cory Benfield
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Roland Zink
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Greg Wilkins
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Patrick McManus
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Roy T. Fielding
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Simone Bordet
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Simone Bordet
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Roy T. Fielding
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Jason Greene
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Ilari Liusvaara
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Greg Wilkins
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Stuart Douglas
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Willy Tarreau
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Willy Tarreau
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Willy Tarreau
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Cory Benfield
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Stuart Douglas
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Amos Jeffries
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Cory Benfield
- RE: 9.2.2 Cipher fallback and FF<->Jetty interop … Andrei Popov
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Ilari Liusvaara
- RE: 9.2.2 Cipher fallback and FF<->Jetty interop … Andrei Popov
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Roy T. Fielding
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Eric Rescorla
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Jim Manico
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Jason Greene
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Eric Rescorla
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Jason Greene
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Eric Rescorla
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Jason Greene
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Simone Bordet
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Greg Wilkins
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Mark Nottingham
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Greg Wilkins
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Jason Greene
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Patrick McManus
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Greg Wilkins
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Willy Tarreau
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Martin Thomson
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Eric Rescorla
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Eric Rescorla
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Eric Rescorla
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Eric Rescorla
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Martin Thomson
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Eric Rescorla
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Willy Tarreau
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Julian Reschke
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Martin Thomson
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Martin Thomson
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Roland Zink
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Michael Sweet
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Eric Rescorla
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Simone Bordet
- RE: 9.2.2 Cipher fallback and FF<->Jetty interop … Andrei Popov
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Greg Wilkins
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Jason Greene
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Greg Wilkins
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Eric Rescorla
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Eric Rescorla
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Greg Wilkins
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Martin Thomson
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Eric Rescorla
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Martin Thomson
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Amos Jeffries
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Roland Zink
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Roland Zink
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Eric Rescorla
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Roland Zink
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Simone Bordet
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Martin Thomson
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Roland Zink
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Martin Thomson
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Simone Bordet
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Roland Zink
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Martin Thomson
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Simone Bordet
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Amos Jeffries
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Stuart Douglas
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Martin Thomson
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Roland Zink
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Simone Bordet
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Michael Sweet
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Michael Sweet
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Eric Rescorla
- RE: 9.2.2 Cipher fallback and FF<->Jetty interop … Andrei Popov
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … Martin Thomson
- RE: 9.2.2 Cipher fallback and FF<->Jetty interop … Rob Trace
- Re: 9.2.2 Cipher fallback and FF<->Jetty interop … John Mattsson