Re: Discussion of 9.2.2
Willy Tarreau <w@1wt.eu> Sat, 27 September 2014 07:42 UTC
Date: Sat, 27 Sep 2014 09:39:25 +0200
From: Willy Tarreau <w@1wt.eu>
To: Michael Sweet <msweet@apple.com>
Cc: Eric Rescorla <ekr@rtfm.com>, Jason Greene <jason.greene@redhat.com>, Martin Thomson <martin.thomson@gmail.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Archived-At: <http://www.w3.org/mid/20140927073925.GH26372@1wt.eu>

On Fri, Sep 26, 2014 at 09:13:23AM -0700, Michael Sweet wrote:
> Eric,
>
> If you have a multi-protocol client that opportunistically uses HTTP/2 (which
> will likely be the case for a very long time for any web browser at least),
> then you can't simply require TLS/1.2 or omit non-HTTP/2 cipher suites from
> negotiation because that will cause existing HTTP/1.1 (and SPDY) servers to
> stop working if they don't support the specific TLS/1.2 ciphers or cannot
> negotiate TLS/1.2 at all.

I'm suddenly wondering about something: why is it that we have to support
different ciphers for H1 and H2 despite transporting the exact same contents?
If some ciphers are not acceptable for H2, that makes me think they are at
risk for H1 as well, so shouldn't we say that if an agent wants to support
H1 as a fallback to H2 during a handshake, then it should only support the
ciphers that are compatible with both, even if this means the handshake might
fail on some old H1 servers (hence they'll have to retry with H1 only and
more ciphers).

That would also probably speed up H2 adoption and clean up of older ciphers.

Just my two cents,
Willy
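
The two-attempt negotiation proposed in the message above, modelled offline as an added example that is not part of the original post or of any implementation discussed on the list. The suite names are real IANA names, but which suites count as acceptable for HTTP/2, the `h2` ALPN token, the sample servers and all function names are assumptions constructed for illustration.

```python
# Assumption: the split between these two lists is illustrative only.
H2_OK = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
]
H1_LEGACY = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
]

def handshake(offer_suites, offer_alpn, server):
    """Model one TLS handshake: the server picks its first preferred suite
    that the client offered. Returns (suite, protocol), or None when there
    is no common suite (handshake failure)."""
    suite = next((s for s in server["suites"] if s in offer_suites), None)
    if suite is None:
        return None
    # A server without ALPN support (empty list) simply speaks HTTP/1.1.
    proto = next((p for p in server["alpn"] if p in offer_alpn), "http/1.1")
    return suite, proto

def connect(server):
    """Attempt 1 offers h2 with h1 fallback and only the suites acceptable
    for both; attempt 2 offers h1 only with the wider suite list."""
    attempts = [
        (H2_OK, ["h2", "http/1.1"]),
        (H2_OK + H1_LEGACY, ["http/1.1"]),
    ]
    for number, (suites, alpn) in enumerate(attempts, start=1):
        result = handshake(suites, alpn, server)
        if result is not None:
            return {"attempt": number, "suite": result[0], "protocol": result[1]}
    return None  # no suite in common even on the retry

# Constructed sample servers.
MODERN_H2 = {"suites": H2_OK, "alpn": ["h2", "http/1.1"]}
MODERN_H1 = {"suites": H2_OK[:1] + H1_LEGACY, "alpn": []}
OLD_H1 = {"suites": H1_LEGACY, "alpn": []}

if __name__ == "__main__":
    for name, srv in [("modern h2", MODERN_H2), ("modern h1", MODERN_H1), ("old h1", OLD_H1)]:
        print(name, connect(srv))
```

The `attempt` field marks the connections that only succeeded with the wider list, which is the population a client operator would measure before dropping the legacy suites.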