TLS ALPN Proposal v5

Simone Bordet simone.bordet at gmail.com
Fri Sep 25 12:19:28 UTC 2015


Hi,

On Fri, Sep 25, 2015 at 1:54 PM,  <ecki at zusammenkunft.net> wrote:
> Hello,
>
> Just want to mention that with explicit http/https URLs users and applications are somewhat used to select the application protocol first.

Well, kind of :)
Some time ago, and still now, if you put "https" in a URL, you are
actually talking SPDY over TLS.

> In fact if I have a H2 client I would expect it to try H2 first (especially given the fact that no weak ciphers could be negotiated anyway). So basically cipher order would select if you want strong but fast or very strong but slower crypto for H2. You could only mess that up by preferring blacklisted ciphers. But even then the server can still pick H2 and skip all blacklisted preferences, right?
>

No.
Currently, the server is given a cipher and based on that cipher has
to choose the application protocol.
It cannot choose the cipher based on the application protocol.

-- 
Simone Bordet
http://bordet.blogspot.com
---
Finally, no matter how good the architecture and design are,
to deliver bug-free software with optimal performance and reliability,
the implementation technique must be flawless.   Victoria Livschitz
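
The negotiation order discussed in this message, modelled as an added example that is not part of the original email and not JDK code. It assumes the TLS layer picks the first mutually supported cipher in the client's preference order; the function names are hypothetical and the blacklist is a small subset of RFC 7540 Appendix A.

```python
# Subset of the HTTP/2 cipher blacklist (RFC 7540, Appendix A), for illustration.
H2_BLACKLIST = {
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
}
GOOD = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"   # not blacklisted for h2
WEAK = "TLS_RSA_WITH_AES_128_CBC_SHA"            # blacklisted for h2

def acceptable(protocol, cipher):
    """Only h2 restricts the cipher in this model."""
    return not (protocol == "h2" and cipher in H2_BLACKLIST)

def first_common(preferred, supported):
    """First entry of `preferred` that the peer also supports, or None."""
    return next((x for x in preferred if x in supported), None)

def cipher_first(client_ciphers, client_protos, server_ciphers, server_protos):
    """Order described in the reply: the cipher is fixed before ALPN runs."""
    cipher = first_common(client_ciphers, server_ciphers)
    if cipher is None:
        return None
    for proto in server_protos:
        if proto in client_protos and acceptable(proto, cipher):
            return cipher, proto
    return None  # no offered protocol is usable with the fixed cipher

def protocol_first(client_ciphers, client_protos, server_ciphers, server_protos):
    """Order the quoted question assumes: pick the protocol, then a cipher
    that this protocol allows, skipping blacklisted preferences."""
    for proto in server_protos:
        if proto not in client_protos:
            continue
        usable = [c for c in client_ciphers if acceptable(proto, c)]
        cipher = first_common(usable, server_ciphers)
        if cipher is not None:
            return cipher, proto
    return None

# Constructed handshake inputs: the client prefers a blacklisted cipher.
CLIENT_CIPHERS = [WEAK, GOOD]
SERVER_CIPHERS = [GOOD, WEAK]
SERVER_PROTOS = ["h2", "http/1.1"]

if __name__ == "__main__":
    both = ["h2", "http/1.1"]
    print(cipher_first(CLIENT_CIPHERS, both, SERVER_CIPHERS, SERVER_PROTOS))
    print(protocol_first(CLIENT_CIPHERS, both, SERVER_CIPHERS, SERVER_PROTOS))
    print(cipher_first(CLIENT_CIPHERS, ["h2"], SERVER_CIPHERS, SERVER_PROTOS))
```

With cipher-first ordering the same peers end up on http/1.1, or fail outright for an h2-only client, although an h2-compatible cipher was available to both sides.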


