Re: 9.2.2 Cipher fallback and FF<->Jetty interop problem

Jason Greene <jason.greene@redhat.com> Thu, 18 September 2014 18:13 UTC

From: Jason Greene <jason.greene@redhat.com>
In-Reply-To: <C76D7E6B-06BA-4FF1-B0AF-804AC118A38E@gbiv.com>
Date: Thu, 18 Sep 2014 13:10:33 -0500
Cc: Greg Wilkins <gregw@intalio.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <41E9F731-AB44-45B0-BF02-67C39BD7E5AC@redhat.com>
References: <CAH_y2NF+sP9BmYuD4QbeHpwC_uj67itzaAFCnRVC6f--KDYOgg@mail.gmail.com> <CAOdDvNopynmwvwWLXvuC0q7skunFXcfRoVHe9s7BKcoCwaBgWQ@mail.gmail.com> <CAH_y2NGXz7e3ejqy_rD=39=yYp3+cS1Dm6c3yFEYZg6tsUp5VQ@mail.gmail.com> <CABkgnnWAdm1TLP2XCKNU-6RPACLfooQV73R7Gpoemv+9PNULCA@mail.gmail.com> <CAH_y2NFLjok-NRJtOw1vmSy68sf393iSOgA4K599q0BSBqbNgA@mail.gmail.com> <CABkgnnU-CMtv8KvYU9n+QoPBOBshtQv3RfLy2qw=qVNb2O-qGg@mail.gmail.com> <CAH_y2NHrbH5Objwhq9E89QexhQtND4uOdy8q7OEckTCU17WqKg@mail.gmail.com> <CAH_y2NErRd4rxinSzEH3-uTjdWVkZu9o6sSKSf47LxfPFTRONw@mail.gmail.com> <20140917073241.GA7665@LK-Perkele-VII> <CAFewVt4pxE+9NpzYuzMKGmEdrDXzk50mC99ZbrM6M-uEoKXrHA@mail.gmail.com> <CAH_y2NGYcDvPcxDvaTRBP3p4Pnb7gw39WUDY3bNVnOGQjBgciQ@mail.gmail.com> <CAFewVt7+UAJYfKAR6DRZi_mqdzSaYw6L-pT1qg=UyOaP1ojhTw@mail.gmail.com> <CAH_y2NEhAEaPiUgi_vX6Oimw+Y-k3WrnL0gJZKPxQ8KZVuFVfw@mail.gmail.com> <CABkgnnU6C+TzJzdeQZhwXucuPUrPh1yyp1cpRd9jSePMjAnONQ@mail.gmail.com> <CAH_y2NEHZbWLof=ZWEa2UdjBw1Bf+kQCHzPkrhc! S U80WaDibeA@mail.gmail.com> <C76D7E6B-06BA-4FF1-B0AF-804AC118A38E@gbiv.com>
To: "Roy T. Fielding" <fielding@gbiv.com>
Subject: Re: 9.2.2 Cipher fallback and FF<->Jetty interop problem
Archived-At: <http://www.w3.org/mid/41E9F731-AB44-45B0-BF02-67C39BD7E5AC@redhat.com>

On Sep 18, 2014, at 10:41 AM, Roy T. Fielding <fielding@gbiv.com> wrote:

> I still don't believe that any of these requirements belong in h2,
> and I won't implement them even if they end up in the RFC.  It is
> not the HTTP server's responsibility to second-guess the configuration
> regarding the security properties of the underlying connections.
> We have no idea what hardware or gateways might be doing to secure those
> connections.  We don't even know what TLS library is being used,
> since all we see is an API into someone else's code.
> 
> TLS requirements belong in the TLS code.

I agree. Although I am sympathetic to the desire to establish conventions and sanity, to me these things seem to apply to HTTP/1.1 just as much as HTTP/2. I am also sympathetic to clients that prefer to just work even in the face of poor security. So why not just display a warning when *anything* using TLS happens to pick a weak cipher? That will be just as motivating and far less error-prone.

--
Jason T. Greene
WildFly Lead / JBoss EAP Platform Architect
JBoss, a division of Red Hat
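The two policies argued over in this thread, side by side, as an added example that is not code from Jetty, Firefox, the HTTP/2 draft or any participant: a server-side check that refuses a connection whose negotiated cipher suite fails the draft's TLS requirements, and a client-side check that keeps the connection but logs a warning, as the reply above proposes. The properties checked (ephemeral key exchange, an AEAD cipher, no null, export or anonymous suites) are those of section 9.2.2 of the HTTP/2 draft as later published in RFC 7540, and INADEQUATE_SECURITY is the error code RFC 7540 assigns to that case; the message itself does not restate them. The function names, the name-pattern matching over OpenSSL-style and IANA-style suite names, the TLS 1.3 handling and the sample connection list are all assumptions constructed for this example.

```python
"""Classify a negotiated TLS cipher suite against the HTTP/2 draft's TLS
requirements and contrast two policies: a server that refuses the connection
versus a client that warns and continues.

Added example, not code from Jetty, Firefox or the HTTP/2 draft. Requirements
encoded: ephemeral key exchange, AEAD cipher, no null/export/anonymous suites
(HTTP/2 draft section 9.2.2, as published in RFC 7540). Suite names are matched
by pattern in OpenSSL style ("ECDHE-RSA-AES128-GCM-SHA256", as returned by
ssl.SSLSocket.cipher()) and IANA style ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256").
"""
import logging
import re

logger = logging.getLogger("tls-cipher-check")

# Ephemeral key exchange in the suite name: ECDHE-/DHE-/EDH- (OpenSSL) or
# _ECDHE_/_DHE_ (IANA). Static (EC)DH suites such as ECDH-RSA-... do not match.
_EPHEMERAL = re.compile(r"(?:^|[-_])(?:ECDHE|DHE|EDH)(?:[-_]|$)")
# AEAD modes: GCM, CCM and ChaCha20-Poly1305.
_AEAD = re.compile(r"GCM|CCM|CHACHA20[-_]POLY1305")
# Null encryption, export-grade suites and anonymous key exchange.
_FORBIDDEN = re.compile(r"NULL|EXP|anon|^(?:ADH|AECDH)-")

INADEQUATE_SECURITY = 0xC  # HTTP/2 error code RFC 7540 assigns to this case


def classify_cipher(name, protocol="TLSv1.2"):
    """Return the list of reasons `name` fails the HTTP/2 TLS requirements.

    An empty list means the suite is acceptable. `protocol` is the version
    string as ssl.SSLSocket.cipher() reports it; TLS 1.3 suite names carry no
    key-exchange component because every TLS 1.3 handshake is ephemeral.
    """
    reasons = []
    if _FORBIDDEN.search(name):
        reasons.append("null, export or anonymous suite")
    if protocol != "TLSv1.3" and not _EPHEMERAL.search(name):
        reasons.append("no ephemeral key exchange")
    if not _AEAD.search(name):
        # Name the legacy mode when the suite name reveals it (CBC3/3DES count as CBC).
        if "CBC" in name or "DES" in name:
            detail = "CBC"
        elif "RC4" in name:
            detail = "RC4"
        else:
            detail = None
        reasons.append("not an AEAD suite" + (" (%s)" % detail if detail else ""))
    return reasons


def server_policy_h2(name, protocol="TLSv1.2"):
    """Section 9.2.2 as drafted: treat a non-compliant suite as a connection
    error and refuse to speak HTTP/2 over it."""
    if classify_cipher(name, protocol):
        return "refuse: INADEQUATE_SECURITY"
    return "accept"


def client_policy_warn(name, protocol="TLSv1.2"):
    """The alternative proposed in the reply: keep the connection working but
    surface a warning naming the weak suite. Returns True when no warning fired."""
    reasons = classify_cipher(name, protocol)
    if reasons:
        logger.warning("TLS connection negotiated weak cipher %s (%s): %s",
                       name, protocol, "; ".join(reasons))
        return False
    return True


# Constructed sample of negotiated suites, as a client-side log review would see them.
SAMPLE_CONNECTIONS = [
    ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2"),
    ("DHE-RSA-AES256-GCM-SHA384", "TLSv1.2"),
    ("AES256-SHA", "TLSv1.2"),                       # RSA key exchange, CBC
    ("ECDH-RSA-AES128-GCM-SHA256", "TLSv1.2"),       # static ECDH, no forward secrecy
    ("TLS_RSA_WITH_RC4_128_SHA", "TLSv1.2"),         # stream cipher
    ("TLS_DH_anon_WITH_AES_128_CBC_SHA", "TLSv1.2"), # anonymous key exchange
    ("TLS_AES_256_GCM_SHA384", "TLSv1.3"),
]


def audit(connections=SAMPLE_CONNECTIONS):
    """Run both policies over the sample; returns {suite: (server_verdict, client_ok)}."""
    return {name: (server_policy_h2(name, proto), client_policy_warn(name, proto))
            for name, proto in connections}


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for suite, (server, client_ok) in audit().items():
        print("%-45s server=%-28s client_ok=%s" % (suite, server, client_ok))
```

Run as a script, the two columns show the practical difference: the same `AES256-SHA` or static-ECDH connection is a hard failure under the server policy and a logged warning with a working connection under the client policy. The name-pattern approach is a convenience for log review; a real client would take the suite from `ssl.SSLSocket.cipher()` and key the decision on the negotiated suite, not on a string heuristic.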