Re: h2 ciphers

Julien Vehent <julien@linuxwall.info> Fri, 16 October 2015 13:26 UTC

On 2015-10-16 09:08, Amos Jeffries wrote:
> HTTP/2 was designed to be implemented from a clean-slate situation.
> Everybody is building new code based on the same spec, so there are no
> legacy behaviours to be tolerant about.

(I'm the author of the Mozilla guidelines).

This is correct: the recommendation is for HTTP/1.1 where a significant 
amount of backward compatibility is required. The modern guidelines 
guarantee strong crypto on somewhat recent clients, but we can certainly 
do better for http/2.

We'll probably revise the guidelines in the coming months. In the
meantime, on an h2 endpoint, I would recommend limiting it to these
ciphers:

$ openssl ciphers -V 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384'
0xC0,0x2F  -  ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(128)  Mac=AEAD
0xC0,0x2B  -  ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(128)  Mac=AEAD
0xC0,0x30  -  ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(256)  Mac=AEAD
0xC0,0x2C  -  ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(256)  Mac=AEAD

Note: we don't recommend ECDHE-RSA-CHACHA20-POLY1305 because it's not
yet a standard and our Mozilla servers don't implement it, but feel free
to use it :)

- Julien
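
Added example (not part of the original message and not Mozilla's own tooling): a Python check, using the standard ssl module, that an OpenSSL cipher string expands to nothing outside the four suites listed above, plus a server context built from that list. The helper names are assumptions; TLS 1.3 suites, which postdate this message and are not governed by set_ciphers(), are skipped.

```python
import ssl

# Allowlist taken from the message: IANA code point -> OpenSSL suite name.
# Helper names below (expand, audit, h2_server_context) are hypothetical.
H2_RECOMMENDED = {
    0xC02F: "ECDHE-RSA-AES128-GCM-SHA256",
    0xC02B: "ECDHE-ECDSA-AES128-GCM-SHA256",
    0xC030: "ECDHE-RSA-AES256-GCM-SHA384",
    0xC02C: "ECDHE-ECDSA-AES256-GCM-SHA384",
}
H2_CIPHER_STRING = ":".join(H2_RECOMMENDED.values())


def expand(cipher_string):
    """Expand an OpenSSL cipher string to {code point: name} for TLS <= 1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return {
        # OpenSSL reports ids as 0x0300XXXX; the low 16 bits are the code point.
        c["id"] & 0xFFFF: c["name"]
        for c in ctx.get_ciphers()
        # TLS 1.3 suites are not controlled by set_ciphers(); skip them.
        if c["protocol"] != "TLSv1.3"
    }


def audit(cipher_string):
    """Return sorted names of enabled suites that fall outside the allowlist."""
    enabled = expand(cipher_string)
    return sorted(n for cp, n in enabled.items() if cp not in H2_RECOMMENDED)


def h2_server_context():
    """Server-side context restricted to the allowlist, offering h2 via ALPN."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(H2_CIPHER_STRING)
    ctx.set_alpn_protocols(["h2"])
    return ctx


if __name__ == "__main__":
    # Constructed inputs: the recommended string, then one with a CBC suite added.
    print(audit(H2_CIPHER_STRING))
    print(audit(H2_CIPHER_STRING + ":ECDHE-RSA-AES128-SHA"))
```

Run audit() against the cipher string from a server's configuration; any name it returns is a suite that would be offered beyond the four recommended here.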