On 17.10.2015 at 11:18, Kaspar Brand wrote:
Another - quite radical - approach would consist of using a whitelist,
which consists of a single cipher suite only: given that section 9.2 of
RFC 7540 states
"Implementations of HTTP/2 MUST use TLS version 1.2"
and section 9.2.2 further says
On 16.10.2015 12:45, Stefan Eissing wrote:
> If the blacklist in RFC 7540 proves to be totally bogus, I'd favor
> ditching it in our server checks.
Sharing Yann's surprise about this huge blacklist... I'm also wondering
if this won't become a Sisyphean task, in the end (will the httpwg
regularly
Yes, I think whatever improvements we make, they need to be open for admin
overrides. OTOH the majority of the deployments will want to have sth like
modern/intermediate/old and get whatever that exactly means delivered by us as
regular updates in releases (or via their distros).
Especially
On Wed, Oct 14, 2015 at 2:10 PM, wrote:
> Author: icing
> Date: Wed Oct 14 12:10:11 2015
> New Revision: 1708593
>
> URL: http://svn.apache.org/viewvc?rev=1708593&view=rev
> Log:
> mod_http2: new directive H2Compliance on/off, checking TLS protocol and
> cipher against RFC7540
>
[]
I am not blacklisting ciphers for the whole server. I try to define
the security settings required for HTTP/2 as defined in the standard -
as a configurable directive.
There is no problem with denying HTTP/2 support for an IE8.
//Stefan
> On 16.10.2015 at 12:53, Chris wrote:
The blacklist does look too radical to me as well. My server was
configured with some in that list.
Also it can place a server admin in a tough position e.g. what if they
want to support IE8, or maybe android2 which doesn't have tls 1.2
stuff, but also support h2, they would be forced to choose
Hi Yann,
I am not a cipher expert enough to know why the list in RFC 7540 was compiled
this way... :(
But indeed, there is a good sized overlap. And that does not make sense. I have
sent a mail to the httpwg mailing list, asking for enlightenment.
If the blacklist in RFC 7540 proves to be
On Fri, Oct 16, 2015 at 1:38 PM, Yann Ylavic wrote:
>
> Actually I tried some brute bash script (attached) to show what
> remains compared to "openssl ciphers ALL", and the result is:
>
> * libressl/install/2.2.1/bin/openssl:
> - ECDHE-ECDSA-CHACHA20-POLY1305
> -
On 16 Oct 2015, at 12:56 PM, Stefan Eissing
wrote:
> I am not blacklisting ciphers for the whole server. I try to define
> the security settings required for HTTP/2 as defined in the standard -
> as a configurable directive.
>
> There is no problem with denying
Yes, I proposed something along those lines at the http workshop this summer.
Needs some more pushing, it seems.
There is one thing that I understood to be implied by all this: that h2 is not
negotiated when the security is too weak. Which, the more I think and
implemented about it, does not
On Fri, Oct 16, 2015 at 12:21 PM, Yann Ylavic wrote:
>
> And maybe more importantly, what remains currently?
Actually I tried some brute bash script (attached) to show what
remains compared to "openssl ciphers ALL", and the result is:
* libressl/install/2.2.1/bin/openssl:
On Fri, Oct 16, 2015 at 1:38 PM, Yann Ylavic wrote:
>
> Actually I tried some brute bash script (attached)
Really attached now...
http2_vs_openssl.sh
Description: Bourne shell script
On Fri, Oct 16, 2015 at 2:33 PM, Yann Ylavic wrote:
> On Fri, Oct 16, 2015 at 1:38 PM, Yann Ylavic wrote:
>>
>> Actually I tried some brute bash script (attached) to show what
>> remains compared to "openssl ciphers ALL", and the result is:
>>
>> *
interesting that chrome is happily using h2 on my domain that I
activated for h2 earlier and I have a couple of banned ciphers in
mod_ssl.
On 16 October 2015 at 13:33, Yann Ylavic wrote:
> On Fri, Oct 16, 2015 at 1:38 PM, Yann Ylavic wrote:
>>
>>
On Fri, Oct 16, 2015 at 9:28 AM, Chris wrote:
> interesting that chrome is happily using h2 on my domain that I
> activated for h2 earlier and I have a couple of banned ciphers in
> mod_ssl.
unbanned ones listed earlier, or no SSLHonorCipherOrder?
sslhonorcipherorder is definitely set.
I will check again to see if is in the unbanned ones.
On 16 October 2015 at 14:37, Eric Covener wrote:
> On Fri, Oct 16, 2015 at 9:28 AM, Chris wrote:
>> interesting that chrome is happily using h2 on my domain that
here is ciphers as listed by ssllabs scanning a site on the server.
(in the order set)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH 256 bits (eq. 3072 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH 256 bits (eq. 3072 bits RSA) FS 128
here is my cipher list used in mod_ssl
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDH+AES128:ECDHE-RSA-AES256-GCM-SHA384:ECDH+AES256:ECDH+3DES:CHACHA20+POLY1305:DHE-RSA-AES128-SHA:RSA+3DES:!aNULL:!MD5
note though poly1305 doesn't work so ignore that one.
On 16 October 2015 at 14:37, Eric Covener
Some of them are not banned, so I don't see why Chrome should complain.
Is the selected cipher a banned one?
On Fri, Oct 16, 2015 at 4:29 PM, Chris wrote:
> here is my cipher list used in mod_ssl
>
> SSLCipherSuite
>
Yes, the browser won't see the whole list, only the selected one.
On Fri, Oct 16, 2015 at 4:33 PM, Chris wrote:
> ahh so only one needs to be unbanned for it to work?
>
> the selected cipher isn't banned no.
>
> On 16 October 2015 at 15:32, Yann Ylavic
ahh so only one needs to be unbanned for it to work?
the selected cipher isn't banned no.
On 16 October 2015 at 15:32, Yann Ylavic wrote:
> Some of them are not banned, so I don't see why Chrome should complain.
> Is the selected cipher a banned one?
>
> On Fri, Oct 16,
good to know thanks :)
That's why I was told off for suggesting supporting ie8 and http2 at
the same time was not possible then :)
On 16 October 2015 at 15:35, Yann Ylavic wrote:
> Yes, the browser won't see the whole list, only the selected one.
>
> On Fri, Oct 16, 2015 at
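The check the thread circles around (TLS 1.2 or newer, and only the one negotiated cipher suite matters, not the whole SSLCipherSuite list) as an added example, not code from mod_http2 or from any poster. It assumes, as Appendix A of RFC 7540 states, that the black list consists of suites without ephemeral key exchange or with null/stream/block ciphers, and classifies suite names by those properties instead of carrying the enumerated list; the SERVER_ORDER list is constructed to echo the scanner output quoted above.

```python
import re

# RFC 7540 section 9.2: HTTP/2 over TLS requires TLS 1.2 or later.
MIN_TLS = (1, 2)
# Appendix A of RFC 7540 states the black list was built from suites that
# offer no ephemeral key exchange or use a null, stream or block (CBC) cipher.
# Assumption of this example: classify by those properties of the suite NAME
# (OpenSSL or IANA spelling) instead of carrying the enumerated list.
EPHEMERAL = ("ECDHE", "DHE", "EDH")          # forward-secret key exchange
AEAD = ("GCM", "CCM", "CHACHA20")            # AEAD bulk ciphers
ANON = ("ANON", "ADH", "AECDH")              # anonymous (also hit by !aNULL)

def normalize(suite):
    """TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 or ECDHE-RSA-AES128-GCM-SHA256
    -> ECDHE_RSA_AES_128_GCM_SHA256 / ECDHE_RSA_AES128_GCM_SHA256."""
    s = suite.upper().replace("-", "_")
    s = s[4:] if s.startswith("TLS_") else s
    return s.replace("_WITH_", "_")

def blacklist_reason(suite):
    """None if the suite passes the Appendix A criteria, else why it fails."""
    tokens = normalize(suite).split("_")
    if any(t in ANON for t in tokens):
        return "anonymous key exchange"
    if not any(t in EPHEMERAL for t in tokens):
        return "no ephemeral (ECDHE/DHE) key exchange"
    if not any(t.startswith(AEAD) for t in tokens):
        return "non-AEAD (null/stream/CBC) cipher"
    return None

def h2_allowed(tls_version, suite):
    """Check the single NEGOTIATED (version, suite) pair, which is all a
    client ever sees; the rest of SSLCipherSuite does not matter."""
    m = re.fullmatch(r"TLSv?(\d)\.(\d)", tls_version)
    if not m or (int(m.group(1)), int(m.group(2))) < MIN_TLS:
        return False, f"{tls_version} is older than TLS 1.2"
    reason = blacklist_reason(suite)
    return (False, f"{suite}: {reason}") if reason else (True, f"{suite}: ok")

def audit_order(suites):
    """With SSLHonorCipherOrder on, the first suite a client shares wins, so
    report each entry of the server's preference list in order."""
    return [(s, *h2_allowed("TLSv1.2", s)) for s in suites]

# Constructed preference list echoing the scanner output quoted in the thread.
SERVER_ORDER = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
                "DHE-RSA-AES128-SHA", "DES-CBC3-SHA"]

if __name__ == "__main__":
    for name, ok, why in audit_order(SERVER_ORDER):
        print("OK  " if ok else "BAN ", why)
```

Run against the constructed list, only the first entry passes; a client that lands on any later one (or on TLS 1.1) would be refused h2 under the RFC's criteria even though it is in the same SSLCipherSuite string.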