Re: h2 ciphers

Amos Jeffries <squid3@treenet.co.nz> Fri, 16 October 2015 13:11 UTC

On 16/10/2015 11:35 p.m., Stefan Eissing wrote:
> In the documentation at https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility the "modern" compatibility specification includes the following ciphers:
> 
> ECDHE-RSA-AES128-SHA
> ECDHE-RSA-AES128-SHA256
> ECDHE-ECDSA-AES128-SHA
> ECDHE-ECDSA-AES128-SHA256
> 
> ECDHE-RSA-AES256-SHA
> ECDHE-RSA-AES256-SHA384
> ECDHE-ECDSA-AES256-SHA
> ECDHE-ECDSA-AES256-SHA384
> 
> DHE-RSA-AES128-SHA
> DHE-RSA-AES128-SHA256
> DHE-RSA-AES256-SHA
> DHE-RSA-AES256-SHA256
> DHE-DSS-AES256-SHA
> DHE-DSS-AES128-SHA256
> 
> but RFC 7540 includes TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ECDHE-RSA-AES128-SHA) and all those others as a MAY for INADEQUATE_SECURITY.
> 
> Now, assuming I got the cipher names correct, what am I to check for? Shall I be liberal in what I accept - again?

The RFC is the specification. If a browser does not follow it that is a
bug in their implementation (or maybe just their documentation), do not
make matters worse by adding a bug to your code.

HTTP/2 was designed to be implemented from a clean-slate situation.
Everybody is building new code based on the same spec, so there are no
legacy behaviours to be tolerant about. Methods of extending the
protocol are also explicitly defined and explicitly negotiated when used
to make feature support (or lack of it) a defined state within the
protocol itself.

Amos
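
Added example, not part of the message above and not code from any HTTP/2 implementation: a check of the quoted cipher names against the two criteria RFC 7540 Appendix A states for its black list (no ephemeral key exchange; null, stream or block cipher type). The function names are hypothetical, and matching on OpenSSL-style TLS 1.2 names is an assumption that approximates the literal list in the appendix.

```python
# Added illustration (not from the thread or from any server's source code).
# RFC 7540 Appendix A says its black list covers TLS 1.2 suites with no
# ephemeral key exchange and suites of the null, stream or block cipher type.
# Assumption: applying those two criteria to OpenSSL-style names approximates
# the literal list; check the appendix itself before relying on a verdict.

EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-", "EDH-")  # EDH- is OpenSSL's legacy DHE spelling
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")

# Cipher names quoted in the message above.
QUOTED_CIPHERS = [
    "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES128-SHA256",
    "ECDHE-ECDSA-AES128-SHA", "ECDHE-ECDSA-AES128-SHA256",
    "ECDHE-RSA-AES256-SHA", "ECDHE-RSA-AES256-SHA384",
    "ECDHE-ECDSA-AES256-SHA", "ECDHE-ECDSA-AES256-SHA384",
    "DHE-RSA-AES128-SHA", "DHE-RSA-AES128-SHA256",
    "DHE-RSA-AES256-SHA", "DHE-RSA-AES256-SHA256",
    "DHE-DSS-AES256-SHA", "DHE-DSS-AES128-SHA256",
]


def h2_blacklist_reasons(name):
    """Return the criteria a TLS 1.2 cipher name fails ([] if it fails none)."""
    upper = name.upper()
    if upper.startswith("TLS_"):
        # TLS 1.3 / IANA-style names do not encode the key exchange this way.
        raise ValueError("name format outside this check: " + name)
    reasons = []
    if not upper.startswith(EPHEMERAL_PREFIXES):
        reasons.append("no ephemeral key exchange")
    if not any(marker in upper for marker in AEAD_MARKERS):
        reasons.append("null, stream or block cipher type")
    return reasons


def partition(names):
    """Split names into (acceptable, {rejected_name: reasons})."""
    acceptable, rejected = [], {}
    for name in names:
        reasons = h2_blacklist_reasons(name)
        if reasons:
            rejected[name] = reasons
        else:
            acceptable.append(name)
    return acceptable, rejected


if __name__ == "__main__":
    # The last two names are constructed contrast cases, not from the message.
    ok, bad = partition(QUOTED_CIPHERS + ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-GCM-SHA256"])
    print("acceptable:", ok)
    for cipher, why in bad.items():
        print("INADEQUATE_SECURITY candidate:", cipher, "->", "; ".join(why))
```

Every name in the quoted list fails on cipher type alone, since each one is an AES-CBC suite with an ephemeral key exchange.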