Posted to dev@hc.apache.org by Ryan Schmitt <rs...@apache.org> on 2019/09/26 20:36:01 UTC

HTTP/2 cipher suite blacklisting

According to RFC 7540, an HTTP/2 implementation may treat the negotiation
of a weak cipher suite (i.e. most cipher suites that have ever existed) as
a connection error. I'm skeptical of the way the client is currently
interpreting this part of the RFC: it is preemptively removing all of the
blacklisted cipher suites before the connection has even been negotiated.
Since most endpoints don't actually support HTTP/2, this mainly just makes
it harder to connect to HTTP/1.1 endpoints without setting `FORCE_HTTP_1`.
I'd like to remove the current filtering logic and replace it with logic
that validates the negotiated cipher suite *after* h2 has actually been
negotiated. Any objections?
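The proposal above is about ordering: keep the full cipher-suite offer in the ClientHello, and only reject a black-listed suite once ALPN has actually selected h2. The following Python is an added illustration of that logic, not HttpClient code (the project itself is Java). It approximates the RFC 7540 Appendix A black list by the two properties the RFC says the list is built from (non-ephemeral key exchange or a non-AEAD cipher, section 9.2.2), and the cipher-suite names, the toy handshake and the `FORCE_HTTP_1`-style pre-filter are constructed sample data and assumptions for the example.

```python
"""Post-negotiation HTTP/2 cipher-suite check versus up-front filtering.

Illustration only: is_h2_blacklisted() approximates RFC 7540 Appendix A by
the two properties the appendix is built from; the suite lists and the toy
handshake below are constructed sample data, not real client behaviour.
"""
from typing import List, Optional, Tuple

# RFC 7540 section 9.2.2: HTTP/2 over TLS 1.2 needs ephemeral key exchange
# (ECDHE/DHE) and an AEAD cipher. Appendix A black-lists every suite that
# lacks either property.
_EPHEMERAL_PREFIXES = ("TLS_ECDHE_", "TLS_DHE_")
_AEAD_MARKERS = ("_GCM_", "_CCM", "CHACHA20_POLY1305")
INADEQUATE_SECURITY = "INADEQUATE_SECURITY"  # RFC 7540 error code name


def is_h2_blacklisted(suite: str) -> bool:
    """True if RFC 7540 treats this TLS 1.2 suite as inadequate for h2."""
    # TLS 1.3 suite names (RFC 8446) carry no key-exchange part; all of them
    # are AEAD with ephemeral exchange, so they are never black-listed.
    if suite.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return False
    ephemeral = suite.startswith(_EPHEMERAL_PREFIXES)
    aead = any(marker in suite for marker in _AEAD_MARKERS)
    return not (ephemeral and aead)


def validate_after_handshake(alpn_protocol: Optional[str], suite: str) -> str:
    """Proposed order: check the suite only once ALPN has selected h2.

    Returns "OK" or the RFC 7540 connection-error code to raise.
    """
    if alpn_protocol == "h2" and is_h2_blacklisted(suite):
        return INADEQUATE_SECURITY
    return "OK"


def prefilter_offered(suites: List[str]) -> List[str]:
    """Current order: strip black-listed suites before the handshake."""
    return [s for s in suites if not is_h2_blacklisted(s)]


def simulate_handshake(client_offer: List[str], server_supported: List[str],
                       server_alpn: str) -> Optional[Tuple[str, str]]:
    """Toy TLS negotiation (constructed): first client suite the server
    supports wins; None means no common suite, i.e. handshake failure."""
    for suite in client_offer:
        if suite in server_supported:
            return (server_alpn, suite)
    return None


# Constructed sample data: a client offer and a legacy HTTP/1.1-only server
# that supports nothing but CBC suites.
CLIENT_OFFER = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]
LEGACY_SERVER = ["TLS_RSA_WITH_AES_128_CBC_SHA",
                 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"]


def compare_strategies() -> dict:
    """Run both orders against the legacy server and an h2 server that
    picks a CBC suite, returning the outcome of each."""
    outcomes = {}
    # Up-front filtering: nothing left in common with the legacy server.
    outcomes["prefilter_vs_legacy"] = simulate_handshake(
        prefilter_offered(CLIENT_OFFER), LEGACY_SERVER, "http/1.1")
    # Post-negotiation check: the CBC suite is fine because ALPN chose h1.
    negotiated = simulate_handshake(CLIENT_OFFER, LEGACY_SERVER, "http/1.1")
    outcomes["postcheck_vs_legacy"] = (
        negotiated, validate_after_handshake(*negotiated) if negotiated else None)
    # An h2 server that nevertheless lands on a CBC suite must be refused.
    outcomes["postcheck_vs_h2_cbc"] = validate_after_handshake(
        "h2", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA")
    return outcomes


if __name__ == "__main__":
    for name, result in compare_strategies().items():
        print(f"{name}: {result}")
```

The black-list approximation errs on the side of rejecting: a suite that is neither clearly ephemeral nor clearly AEAD by name is treated as inadequate, so an exotic suite absent from Appendix A could be refused. For a production client the explicit Appendix A list should be used, and the check must also be applied identically on both the classic and the async code paths.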

Re: HTTP/2 cipher suite blacklisting

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Thu, 2019-09-26 at 13:36 -0700, Ryan Schmitt wrote:
> According to RFC 7540, an HTTP/2 implementation may treat the negotiation
> of a weak cipher suite (i.e. most cipher suites that have ever existed) as
> a connection error. I'm skeptical of the way the client is currently
> interpreting this part of the RFC: it is preemptively removing all of the
> blacklisted cipher suites before the connection has even been negotiated.
> Since most endpoints don't actually support HTTP/2, this mainly just makes
> it harder to connect to HTTP/1.1 endpoints without setting `FORCE_HTTP_1`.
> I'd like to remove the current filtering logic and replace it with logic
> that validates the negotiated cipher suite *after* h2 has actually been
> negotiated. Any objections?

None from me. 

We just need to make sure that the classic client behaves consistently
with the async one.

Oleg

