TLS ALPN Proposal v5

Simone Bordet sbordet at
Fri Sep 25 11:42:49 UTC 2015


On Fri, Sep 25, 2015 at 11:47 AM, Xuelei Fan < at> wrote:
> Here is the question to answer: which preference should be respected
> first, cipher suite or application protocol?  If application
> protocols are preferred first, of course, application preference
> should be respected first; otherwise, cipher suite preference should
> be respected first.

The answer to this question was decided when the algorithm was
chosen to be:

for each cipher
  for each application protocol

All the rest being equal, ciphers dominate application protocol selection.

Are you suggesting to change this to:

for each application protocol
  for each cipher


It's in the hands of the role that configures application protocols
and ciphers to decide whether it's more important to prefer a protocol
or a cipher.

To put it a different way:

If the role prefers application protocols, it has to sort the ciphers
to influence that.
If the role prefers ciphers, it has to sort the ciphers.

No matter what, it has to sort the ciphers.

> Therefore, personally, I think applications may want a handy tool to sort
> the cipher suites by strength for general purposes, but not for the
> application protocol.

Because HTTP/2 would probably be popular, given the success of its
predecessor, it would be handy to have an HTTP/2 comparator to
influence the selection of the HTTP/2 protocol.

Nothing forbids offering a comparator by cipher strength too.

Simone Bordet
Developer advice, training, services and support
from the Jetty & CometD experts.
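The two loop orders debated in the message above, as an added worked example that is not code from the JDK, Jetty or either poster. It models the "for each cipher / for each application protocol" selection against the alternative "for each application protocol / for each cipher", and shows why, under the chosen order, the role that wants HTTP/2 has to sort the ciphers. The cipher and protocol lists are constructed sample input, and HTTP2_BLACKLIST is a small constructed subset of the RFC 7540 Appendix A cipher suites that HTTP/2 forbids; the helper names (compatible, select_cipher_first, select_protocol_first, sort_for_h2, sort_by_strength, demo) are this example's own, not the proposal's API.

```python
"""Model of cipher-first versus protocol-first ALPN selection.

Added example, not JDK or Jetty code.  All lists below are constructed
sample input; the black list is a subset of RFC 7540 Appendix A, just
enough to show the effect of loop order and of sorting the ciphers.
"""

# Constructed subset of the RFC 7540 Appendix A TLS 1.2 black list:
# HTTP/2 rejects non-ephemeral (TLS_RSA_*) and non-AEAD (CBC) suites.
HTTP2_BLACKLIST = frozenset({
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
})

# Constructed sample configuration: both sides prefer h2, but the
# server's cipher preference order leads with a suite HTTP/2 forbids.
SERVER_CIPHERS = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
]
CLIENT_CIPHERS = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]
SERVER_PROTOCOLS = ["h2", "http/1.1"]
CLIENT_PROTOCOLS = ["h2", "http/1.1"]


def compatible(cipher, protocol):
    """Is this (cipher, protocol) pair allowed?  Only h2 constrains ciphers here."""
    if protocol == "h2":
        return cipher not in HTTP2_BLACKLIST
    return True


def select_cipher_first(server_ciphers, client_ciphers, server_protocols, client_protocols):
    """The chosen algorithm: for each cipher, for each application protocol."""
    common = [c for c in server_ciphers if c in client_ciphers]
    for cipher in common:                       # server cipher order dominates
        for protocol in server_protocols:
            if protocol in client_protocols and compatible(cipher, protocol):
                return cipher, protocol
    # No pair works: negotiate the first common cipher and send no ALPN protocol.
    return (common[0], None) if common else None


def select_protocol_first(server_ciphers, client_ciphers, server_protocols, client_protocols):
    """The alternative: for each application protocol, for each cipher."""
    common = [c for c in server_ciphers if c in client_ciphers]
    for protocol in server_protocols:           # protocol order dominates
        if protocol not in client_protocols:
            continue
        for cipher in common:
            if compatible(cipher, protocol):
                return cipher, protocol
    return (common[0], None) if common else None


def sort_for_h2(ciphers):
    """The 'HTTP/2 comparator': h2-compatible suites first, original order otherwise."""
    return sorted(ciphers, key=lambda c: c in HTTP2_BLACKLIST)   # False < True; stable


def sort_by_strength(ciphers):
    """A crude constructed 'strength comparator': AEAD first, then forward-secret."""
    return sorted(ciphers, key=lambda c: ("_GCM_" not in c, "_ECDHE_" not in c))


def demo():
    """Run the three configurations and return the negotiated (cipher, protocol)."""
    args = (CLIENT_CIPHERS, SERVER_PROTOCOLS, CLIENT_PROTOCOLS)
    return {
        "cipher_first":          select_cipher_first(SERVER_CIPHERS, *args),
        "protocol_first":        select_protocol_first(SERVER_CIPHERS, *args),
        "cipher_first_sorted_h2": select_cipher_first(sort_for_h2(SERVER_CIPHERS), *args),
        "cipher_first_sorted_strength": select_cipher_first(sort_by_strength(SERVER_CIPHERS), *args),
    }


if __name__ == "__main__":
    for name, (cipher, protocol) in demo().items():
        print(f"{name:30s} -> {cipher} / {protocol}")
```

With the unsorted server list, cipher-first selection lands on http/1.1 even though both peers list h2 first, because the first common cipher is one HTTP/2 forbids; protocol-first selection picks h2 directly. Once the server's ciphers are sorted by either comparator, cipher-first selection also yields h2, which is the point that whoever wants a particular protocol under the chosen order must sort the ciphers to get it.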
