Yes, I proposed something along those lines at the http workshop this summer. Needs some more pushing, it seems.
There is one thing that I understood to be implied by all this: that h2 is not negotiated when the security is too weak. Which, the more I think about and implement it, does not make sense. But I asked for input from the wg, see what they say...

Back to our little world: I find the definitions on the mozilla wiki helpful. They might not be perfect (yet), but it is better to start defining security parameter sets than staring at SSL configuration strings and figuring out if they all together do what you want.

As we have seen, security is highly in flux, thanks to some smart guys with unlimited funding, and placing recommended mod_ssl configurations on a web site will do nothing for the millions of servers out there. I think we can do better and offer a config file to users of httpd that defines security policies and
- gets updated every release
- is downloadable by itself, copy it into your installation and reload

So, admins would add SecurityPolicy modern to their config files and every httpd update would bring that to the latest and greatest specification.

Of course, there is potential for breakage here. But maybe one prefers that to being insecure with non-updated clients...

//Stefan

> On 16.10.2015 at 13:36, Graham Leggett <[email protected]> wrote:
>
> On 16 Oct 2015, at 12:56 PM, Stefan Eissing <[email protected]> wrote:
>
>> I am not blacklisting ciphers for the whole server. I try to define
>> the security settings required for HTTP/2 as defined in the standard -
>> as a configurable directive.
>>
>> There is no problem with denying HTTP/2 support for an IE8.
>
> I am wondering whether the cipher blacklist shouldn't be a configurable list
> with a default set of RFC compliant values in the default config file,
> perhaps with shortcuts like naming a blacklist after an RFC.
>
> Fitting this in with the existing infrastructure this could be as simple as
> extending the SSLCipherSuite directive to support this:
>
> SSLCipherSuite -RFC7540
>
> Maybe this is actually an openssl problem rather than an httpd problem, it
> could be that openssl needs to be taught how to blacklist RFC7540 as a group.
>
> Regards,
> Graham
> —
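The "RFC7540 as a group" idea from the thread, worked through as an added example that is not part of the mailing-list discussion or of httpd: a checker that decides whether a negotiated TLS protocol and cipher suite meet the HTTP/2 requirements of RFC 7540 section 9.2. Rather than embedding the Appendix A list, it applies the rule that appendix gives for how the list was built (no ephemeral key exchange, or a null/stream/block cipher); applying that rule to any suite name, and the OpenSSL/IANA name handling, are my assumptions, and the sample handshakes are constructed.

```python
import re

# RFC 7540 section 9.2: h2 needs TLS 1.2 or later and must not use any suite
# from Appendix A. The appendix describes that list as every registered TLS 1.2
# suite that lacks an ephemeral key exchange or uses the TLS null, stream or
# block cipher type (i.e. is not AEAD). Assumption: we apply that description
# as a rule instead of carrying the literal list.
EPHEMERAL_PREFIXES = ("ECDHE_", "DHE_", "EDH_")
AEAD_MARKERS = ("_GCM_", "_CCM", "CHACHA20_POLY1305")


def normalize(suite):
    """Map an OpenSSL name (ECDHE-RSA-AES128-GCM-SHA256) or an IANA name
    (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) to one comparable form."""
    name = suite.upper().replace("-", "_")
    name = re.sub(r"^TLS_", "", name).replace("_WITH_", "_")
    return re.sub(r"AES(\d{3})", r"AES_\1", name)


def h2_reject_reason(protocol, suite):
    """Return None if (protocol, suite) is acceptable for HTTP/2 under
    RFC 7540 section 9.2, otherwise a short reason string."""
    if protocol in ("SSLv3", "TLSv1", "TLSv1.1"):
        return "TLS 1.2 or later is required"
    if protocol == "TLSv1.3":
        return None  # every TLS 1.3 suite is AEAD with an ephemeral exchange
    name = normalize(suite)
    if not name.startswith(EPHEMERAL_PREFIXES):
        return "key exchange is not authenticated ephemeral (DHE/ECDHE)"
    if not any(marker in name for marker in AEAD_MARKERS):
        return "cipher is not AEAD (null, stream or block cipher)"
    return None


def audit(handshakes):
    """Return {(protocol, suite): reason} for every rejected handshake."""
    rejected = {}
    for protocol, suite in handshakes:
        reason = h2_reject_reason(protocol, suite)
        if reason:
            rejected[(protocol, suite)] = reason
    return rejected


# Constructed sample of negotiated parameters, not taken from any real server.
SAMPLE = [
    ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),                    # acceptable
    ("TLSv1.2", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"),  # acceptable
    ("TLSv1.2", "AES256-SHA"),                 # static RSA kx and CBC: blacklisted
    ("TLSv1.2", "ECDHE-RSA-AES256-SHA384"),    # CBC cipher: blacklisted
    ("TLSv1.1", "ECDHE-RSA-AES128-SHA"),       # protocol too old for h2
    ("TLSv1.3", "TLS_AES_256_GCM_SHA384"),     # acceptable
]

if __name__ == "__main__":
    for (protocol, suite), reason in audit(SAMPLE).items():
        print(f"reject h2 for {protocol} {suite}: {reason}")
```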
