Subject: Re: H2 compatible ciphers
To: dev@httpd.apache.org
From: Kaspar Brand
Date: Sat, 17 Oct 2015 11:18:34 +0200

On 16.10.2015 12:45, Stefan Eissing wrote:
> If the blacklist in RFC 7540 proves to be totally bogus, I'd favor
> ditching it in our server checks.

Sharing Yann's surprise about this huge blacklist... I'm also wondering
if this won't become a Sisyphean task, in the end (will the httpwg
regularly amend that list, BTW, or how do they intend to prevent
"unwanted" cipher suites from being used with HTTP/2?).

Another - quite radical - approach would consist of using a whitelist,
which consists of a single cipher suite only: given that section 9.2 of
RFC 7540 states

  "Implementations of HTTP/2 MUST use TLS version 1.2"

and section 9.2.2 further says

  "deployments of HTTP/2 that use TLS 1.2 MUST support
  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 [TLS-ECDHE] with the P-256
  elliptic curve [FIPS186]"

then "H2Compliance on" would only have to make sure that this exact
suite is negotiated.

(What this MTI cipher suite also means, IINM, is that you can't run an
RFC 7540 h2 compliant server with an ECDSA key only, actually... not
sure if that was really an intended effect of this requirement.)

Kaspar
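
The single-suite whitelist check proposed in the message above, as an added example that is not part of the original e-mail and is not httpd code. The function names and the key-type mask are hypothetical; the numeric values are the IANA code points for TLS 1.2, the quoted suite and P-256, and the sample handshakes in `main` are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* IANA code points for the parameters quoted from RFC 7540 section 9.2.2 */
#define TLS1_2_VERSION   0x0303  /* TLS 1.2 on the wire */
#define MTI_SUITE        0xC02F  /* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */
#define GROUP_SECP256R1  23      /* P-256 */

enum h2_verdict { H2_OK, H2_BAD_VERSION, H2_BAD_SUITE, H2_BAD_CURVE };

/* Single-entry whitelist: accept only the exact combination named in the
 * message (hypothetical helper; exact-match reading of the quoted text). */
enum h2_verdict h2_whitelist_check(uint16_t version, uint16_t suite,
                                   uint16_t group)
{
    if (version != TLS1_2_VERSION) return H2_BAD_VERSION;
    if (suite != MTI_SUITE)        return H2_BAD_SUITE;
    if (group != GROUP_SECP256R1)  return H2_BAD_CURVE;
    return H2_OK;
}

/* Server key types as a bit mask (hypothetical representation). */
#define KEY_RSA   0x1u
#define KEY_ECDSA 0x2u

/* An ECDHE_RSA suite is authenticated with the server's RSA key, so a
 * server holding only an ECDSA key can never negotiate the MTI suite. */
int can_negotiate_mti(unsigned key_types)
{
    return (key_types & KEY_RSA) != 0;
}

int main(void)
{
    /* Constructed handshake results: MTI suite, the ECDSA variant of the
     * same suite (0xC02B), and the MTI suite over secp384r1 (24). */
    printf("MTI suite, P-256:      %d\n",
           h2_whitelist_check(0x0303, 0xC02F, 23));
    printf("ECDHE-ECDSA, P-256:    %d\n",
           h2_whitelist_check(0x0303, 0xC02B, 23));
    printf("MTI suite, P-384:      %d\n",
           h2_whitelist_check(0x0303, 0xC02F, 24));
    printf("ECDSA-only can do MTI: %d\n", can_negotiate_mti(KEY_ECDSA));
    return 0;
}
```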