Restrict HTTP/2 connections to AEAD ciphers only #959

Closed
codefromthecrypt opened this issue Jun 23, 2014 · 6 comments
Labels
enhancement Feature not a bug
Comments

@codefromthecrypt

HTTP/2 Draft 13 restricts TLS cipher suites, and requires support of [TLS-ECDHE] with P256 [FIPS186].

http://tools.ietf.org/html/draft-ietf-httpbis-http2-14#section-9.2.2

implementations of HTTP/2 that use
   TLS 1.2 MUST support TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
   [TLS-ECDHE] with P256 [FIPS186].
@codefromthecrypt
Author

The requirement is in flux. Summary so far seems either TLS 1.2 where !isBlock() && !isStream() or TLS 1.3

Let's hold off until next draft (15) before addressing this.

@swankjesse
Member

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 isn't available on any currently-shipping Android device. It is available in the upcoming Android 5.0, however. This is bad news for HTTP/2 on Android KitKat, for example.

@swankjesse
Member

Punting to 2.2.

@swankjesse swankjesse modified the milestones: 2.2, 2.1 Oct 13, 2014
@swankjesse swankjesse modified the milestones: 2.3, 2.2 Nov 5, 2014
@swankjesse
Member

I'm not going to take further action here. We offer HTTP/2-capable ciphers, and HTTP/2 incapable ciphers. If the server incorrectly negotiates a non-HTTP/2 cipher suite and the HTTP/2 protocol, we'll do HTTP/2. This isn't perfect, but it's simple.
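The two tests that run through this thread, the earlier "TLS 1.2 where !isBlock() && !isStream()" summary of the draft and the capable/incapable split described in this comment, as a worked classifier over cipher suite names. This is an added example, not OkHttp's code; because it only inspects IANA/JSSE suite names it is written in Python rather than Java, and the sample suite list, the SSL_ prefix normalization and the function names are my own assumptions.

```python
"""Classify TLS cipher suite names the way the HTTP/2 draft discussed in the
thread requires: AEAD only (no block or stream ciphers) plus ephemeral key
exchange. Constructed example; the suite list below is sample data, not from
the issue."""

from typing import Iterable, List, Tuple

# TLS 1.3 suites name only the AEAD; key exchange there is always ephemeral.
TLS13_PREFIXES = ("TLS_AES_", "TLS_CHACHA20_")
EPHEMERAL_PREFIXES = ("TLS_ECDHE_", "TLS_DHE_")
AEAD_MARKERS = ("_GCM_", "_CCM", "_CHACHA20_POLY1305")


def normalize(suite: str) -> str:
    """JSSE reports a few legacy suites with an SSL_ prefix
    (e.g. SSL_RSA_WITH_3DES_EDE_CBC_SHA); fold them onto the TLS_ name."""
    return "TLS_" + suite[4:] if suite.startswith("SSL_") else suite


def is_block(suite: str) -> bool:
    """CBC-mode suites: the isBlock() half of the criterion in the thread."""
    return "_CBC_" in normalize(suite)


def is_stream(suite: str) -> bool:
    """RC4 and NULL-cipher suites: the isStream() half."""
    s = normalize(suite)
    return "_RC4_" in s or "_WITH_NULL_" in s


def is_aead(suite: str) -> bool:
    """AEAD suites (GCM, CCM, ChaCha20-Poly1305) that are neither block nor stream."""
    s = normalize(suite)
    return any(m in s for m in AEAD_MARKERS) and not is_block(s) and not is_stream(s)


def is_ephemeral(suite: str) -> bool:
    """Ephemeral key exchange: ECDHE/DHE in TLS 1.2 names, or any TLS 1.3 suite."""
    s = normalize(suite)
    return s.startswith(EPHEMERAL_PREFIXES) or s.startswith(TLS13_PREFIXES)


def http2_capable(suite: str) -> bool:
    """True only when both halves hold: ephemeral key exchange and AEAD."""
    return is_ephemeral(suite) and is_aead(suite)


def partition(suites: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split an offered list into HTTP/2-capable and HTTP/2-incapable suites."""
    capable: List[str] = []
    incapable: List[str] = []
    for suite in suites:
        (capable if http2_capable(suite) else incapable).append(suite)
    return capable, incapable


def negotiation_verdict(alpn_protocol: str, negotiated_suite: str) -> str:
    """Post-handshake check. 'ok' when ALPN and suite agree;
    'h2-over-incapable-suite' is the mismatch the thread describes (server
    picked h2 together with a suite the draft forbids). The thread's policy is
    to proceed anyway, so the verdict is something to log, not a hard failure."""
    if alpn_protocol == "h2" and not http2_capable(negotiated_suite):
        return "h2-over-incapable-suite"
    return "ok"


# Constructed sample list (not from the issue) mixing capable and incapable names.
SAMPLE_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",        # the suite the draft mandates
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",                       # TLS 1.3
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",           # block cipher
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",               # stream cipher
    "TLS_RSA_WITH_AES_128_GCM_SHA256",              # AEAD but static RSA key exchange
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",                # legacy JSSE name, block cipher
]

if __name__ == "__main__":
    capable, incapable = partition(SAMPLE_SUITES)
    print("HTTP/2-capable:  ", capable)
    print("HTTP/2-incapable:", incapable)
    print(negotiation_verdict("h2", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"))
```

Running the block splits the sample list four and four. The `negotiation_verdict` result is the cheap detection a deployment can add without the socket-kill-and-renegotiate cost mentioned later in the thread: feed it the ALPN result and `SSLSession.getCipherSuite()` after the handshake and log the mismatch case.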

@swankjesse
Member

(alternately we'd need to kill the socket and renegotiate TLS, disabling ALPN. I don't think it's worth the effort).

@codefromthecrypt
Author

codefromthecrypt commented Mar 9, 2015 via email
