IETF Logo Mail Archive

Re: Discussion of 9.2.2

Jason Greene <jason.greene@redhat.com> Wed, 24 September 2014 17:08 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 51F451A024F for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 24 Sep 2014 10:08:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.688
X-Spam-Level:
X-Spam-Status: No, score=-7.688 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.786, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nNyH-qDMb7Om for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 24 Sep 2014 10:08:50 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7FEF41A0251 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Wed, 24 Sep 2014 10:08:17 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1XWq1E-0005Bq-JV for ietf-http-wg-dist@listhub.w3.org; Wed, 24 Sep 2014 17:06:20 +0000
Resent-Date: Wed, 24 Sep 2014 17:06:20 +0000
Resent-Message-Id: <E1XWq1E-0005Bq-JV@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <jason.greene@redhat.com>) id 1XWq0u-0005An-0a for ietf-http-wg@listhub.w3.org; Wed, 24 Sep 2014 17:06:00 +0000
Received: from mx1.redhat.com ([209.132.183.28]) by lisa.w3.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.72) (envelope-from <jason.greene@redhat.com>) id 1XWq0r-0003i1-B6 for ietf-http-wg@w3.org; Wed, 24 Sep 2014 17:05:59 +0000
Received: from int-mx09.intmail.prod.int.phx2.redhat.com (int-mx09.intmail.prod.int.phx2.redhat.com [10.5.11.22]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id s8OH5Wel001408 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Wed, 24 Sep 2014 13:05:32 -0400
Received: from [10.10.57.209] (vpn-57-209.rdu2.redhat.com [10.10.57.209]) by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id s8OH5UhD017157 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Wed, 24 Sep 2014 13:05:32 -0400
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Jason Greene <jason.greene@redhat.com>
In-Reply-To: <F0D4BA2A-46B2-4F1A-8A23-1A319A3E5FC0@mnot.net>
Date: Wed, 24 Sep 2014 12:05:29 -0500
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <E66BF772-AB91-4BE4-826A-70571FE507DF@redhat.com>
References: <F0D4BA2A-46B2-4F1A-8A23-1A319A3E5FC0@mnot.net>
To: Mark Nottingham <mnot@mnot.net>
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.22
Received-SPF: pass client-ip=209.132.183.28; envelope-from=jason.greene@redhat.com; helo=mx1.redhat.com
X-W3C-Hub-Spam-Status: No, score=-7.2
X-W3C-Hub-Spam-Report: AWL=0.342, BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.684, SPF_HELO_PASS=-0.001
X-W3C-Scan-Sig: lisa.w3.org 1XWq0r-0003i1-B6 74c36a10dba6a777bedaefa8a8d9aae6
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Discussion of 9.2.2
Archived-At: <http://www.w3.org/mid/E66BF772-AB91-4BE4-826A-70571FE507DF@redhat.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/27223
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On Sep 24, 2014, at 6:17 AM, Mark Nottingham <mnot@mnot.net> wrote:

> We’re burning a lot of cycles on the TLS cipher suite requirements, and producing much heat but little light. Discussion seems to be looping, in part because people either aren’t reading the current spec language, or are drawing the wrong conclusions from it.
> 
> The actual requirements there are:
> 
> 1) HTTP/2 MUST only be used with cipher suites that have ephemeral key exchange [plus details].
> 2) HTTP MUST NOT be used with cipher suites that use stream or block ciphers.
> 3) Clients MAY advertise support of cipher suites that are prohibited by the above restrictions in order to allow for connection to servers that do not support HTTP/2.
> 

AIUI, in order to meet these requirements without impairing usage of future ciphers, all TLS implementations must be updated to provide an API which:

1. Allows an H2 stack to set a strong preference for ephemeral key exchange OR anything stronger, and AEAD or anything stronger. The TLS stack then needs to ensure that all weaker algorithms are still selectable (for H1/legacy compat), but are below the priority list of ephemeral and stronger, and below AEAD and anything stronger. This specification can not use explicit cipher names, only characteristics.
2. Provides a post negotiation introspection API that allows an H2 stack to validate, that if ALPN selected H2, that a weaker cipher was not chosen. This also needs to be characteristic based, in such a way that stronger future characteristics do not fail the test.

In reality it will take some time for TLS APIs to get there, in particular if they are associated with another standards body, so HTTP2 implementations that are not willing to wait will then have to resort to some of the hacks suggested in the other thread. This likely means a number of H2 implementation in the wild overriding the available ciphers with exhaustive and correctly ordered whitelist, and then post validating the selected cipher is on the h2 portion of the whitelist. Any mistake made here results in interop issues. When the TLS stack is updated to include future ciphers, the H2 stacks won’t select them since that would require a code update, which might not be available. This is yet another interop failure potential if a site employees the strictest cipher requirements, and starts requiring ciphers more recent than a peer’s h2 implementation supports, yet its TLS stack would have.

After the industry adopts TLS 1.3, or even uses TLS 1.2 stacks with recent ciphers, the machinery (including the APIs) created to do this social hack ceases to add any value, but it can still continue to cause problems. Before this event occurs the value is very limited, as these old ciphers are still pervasive, since other more prevalent protocols, notably h1, will continue to operate with them.

If 9.2.2 is not dropped, an H2 implementation without access to the above API, is likely best off going the route Roy is taking and simply ignoring the provision. Interop problems will of course crop up, but at least they will be momentary, detectable, and solvable with administrative action.

--
Jason T. Greene
WildFly Lead / JBoss EAP Platform Architect
JBoss, a division of Red Hat

v2.46.0 | Report a Bug | By Email | System Status