Draft: Cipher Suite Selection for HTTP/2 Negotiation over TLS 1.2
Egor Gudzenko <egor@egl.sh> Tue, 26 May 2026 10:52 UTC
Date: Sat, 23 May 2026 13:32:13 +0000
To: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
From: Egor Gudzenko <egor@egl.sh>
Hi,

I've submitted an individual draft addressing the failure mode noted in Section 9.2.2 of RFC 9113, where HTTP/2 may be negotiated with a prohibited cipher suite.

https://datatracker.ietf.org/doc/draft-gudzenko-httpbis-h2-cipher-selection/

The draft adds a single SHOULD-level procedure: when an h2-compatible cipher suite is available in the negotiation, the server should prefer it. It doesn't change anything normative, and the only subject of this draft is to fill a normative gap that is identified in Section 9.2.2 but without a description of how the server should behave in an ideal world.

I filed it as Standards Track with updates: 9113, since the gap it closes is in normative text and a SHOULD-level addition doesn't fit BCP or Informational cleanly. That said, I'm genuinely uncertain whether this warrants a standalone update to 9113 or whether the WG sees a better path.

Any feedback welcome.

With regards,
Egor Gudzenko
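The selection behaviour described in the message above, as an added example that is not part of the original post and is not taken from the draft or from RFC 9113. It contrasts independent cipher/ALPN selection with a server that prefers an h2-compatible suite; the function names, the sample offers, the name-based approximation of the RFC 9113 Appendix A list, and the fallback to another protocol when no compatible suite exists are all assumptions of this example.

```python
# Added illustration; names and sample offers are constructed for this example.
AEAD_MARKERS = ("_GCM_", "_CCM", "_CHACHA20_POLY1305")
EPHEMERAL_KX = ("TLS_ECDHE_", "TLS_DHE_")

def h2_compatible(suite):
    """Approximate RFC 9113 Appendix A by name: treat a TLS 1.2 suite as usable
    with HTTP/2 only if it has an ephemeral key exchange and an AEAD cipher.
    Assumption: a real server would consult the actual Appendix A list."""
    return suite.startswith(EPHEMERAL_KX) and any(m in suite for m in AEAD_MARKERS)

def select_naive(client_suites, server_pref, client_alpn, server_alpn):
    """Cipher suite and ALPN protocol picked independently (the failure mode)."""
    suite = next((s for s in server_pref if s in client_suites), None)
    proto = next((p for p in server_alpn if p in client_alpn), None)
    return suite, proto

def select_h2_aware(client_suites, server_pref, client_alpn, server_alpn):
    """If h2 would be selected, prefer the first mutual h2-compatible suite."""
    mutual = [s for s in server_pref if s in client_suites]
    protos = [p for p in server_alpn if p in client_alpn]
    if not mutual:
        return None, None  # no common suite: the handshake fails either way
    proto = protos[0] if protos else None
    if proto == "h2":
        compatible = [s for s in mutual if h2_compatible(s)]
        if compatible:
            return compatible[0], "h2"
        # Assumption of this example: with no compatible suite, do not pick h2.
        proto = next((p for p in protos if p != "h2"), None)
    return mutual[0], proto

# Constructed server configuration whose top preference is a CBC suite.
SERVER_PREF = [
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]
SERVER_ALPN = ["h2", "http/1.1"]
# Constructed client offers: a modern client and one with no compatible suite.
MODERN = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
          "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"]
LEGACY = ["TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
          "TLS_RSA_WITH_AES_128_GCM_SHA256"]

if __name__ == "__main__":
    for name, offer in (("modern", MODERN), ("legacy", LEGACY)):
        args = (offer, SERVER_PREF, ["h2", "http/1.1"], SERVER_ALPN)
        print(name, "naive:", select_naive(*args), "aware:", select_h2_aware(*args))
```
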