Re: [jetty-dev] State of HTTP/2 in 9.3.0-SNAPSHOT

Hi,

On Fri, Apr 3, 2015 at 12:17 AM, Eirik Bjørsnøs <eirbjo@xxxxxxxxx> wrote:
> While testing the SNI support implemented for #430951 [1] in my proxy
> server, I noticed that Chrome would no longer connect using HTTP/2.
>
> Debugging showed that HTTP2ServerConnectionFactory.isAcceptable returned false.
>
> Analysis led to these four questions:
>
> First, I noticed that "TLSv1.2" is in the list of blacklisted
> protocols, so isBlackListProtocol returns true. Spec says
> "Implementations of HTTP/2 MUST use TLS [TLS12] version 1.2 or higher
> for HTTP/2 over TLS." [2]
>
> Question #1: Is this a bug? Should TLSv1.2 really be on the protocol black list?

Section 9.2 of the HTTP/2 specification underwent a number of changes
to reflect a number of critiques, so it has been historically a pain
to keep a Java implementation compliant because of the number of
things that section 9.2 requires that Java does not implement. Bear
with us :)

Greg has the last answer on this, but I think TLS 1.2 should be on the
black list.
A perfectly compliant TLS 1.2 server (or client) will not meet section
9.2 requirements.
TLS 1.2 alone is not going to cut it, and that's why it's black listed.

> Second, I noticed that the cipher negotiated with Chrome was on the
> cipher black list. I added that to the list of excluded ciphers in
> SslContextFactory. That only led to another cipher being negotiated,
> which was also black listed. I ended up setting
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 as the only included cipher,
> since that was mentioned in the spec as not on the black list. With
> this change, HTTP/2 worked again.

Yuck that Chrome offered a non-blacklisted cipher, but also understand
that Chrome negotiates h2-14, which is when all these blacklisting
requirements were not in the specification, afair.
We did not make the cipher selection be dependent on the draft
version, but we still offer h2-14 (which is what browsers offer) so
that's a bit of misalignment here: we have ciphers and blacklisting
for h2-17 (which we offer), but we also offer older drafts with the
-17 section 9.2 requirements.
Eventually there will be only h2. Bear with us again :)

> Question #2: What is the recommended list of included / excluded
> ciphers for use with HTTP/2? Should all black listed ciphers be
> excluded, or is it easier (and more secure?) to use a white list by
> only including known working ciphers?

As far as I remember, white lists won't work.
A legit client on a legit whitelisted cipher may not be able to speak
with a legit server with a legit whitelisted cipher (their cipher
intersection may be empty).
That's why the specification ended up with a blacklist.

> Third, HTTP2ServerConnectionFactory.isAcceptable currently returns
> true if the TLS protocol is not black listed, if the cipher is not
> black listed, or if both the TLS protocol and ciphers are not black
> listed. (It only returns false if both are black listed)
>
> Question #3: Does this logic make sense? Shouldn't this method return
> true iff neither the protocol nor the cipher is black listed? In other
> words, shouldn't the || be an && instead?

I think the || is correct.
Nobody deploys TLS 1.3 yet (surely not the JDK).
So we have to live with TLS 1.2. However, bare bones TLS 1.2 does not
cut it, so we need the extra check on the ciphers.
Eventually we'll see how TLS 1.3 will be implemented in the JDK. If it
will still offer blacklisted ciphers, then we will have to tune that
expression to make it more precise.
For now, I think that's about as precise as we can get with the JDK
TLS implementation.

What would be your suggestion? To make TLS 1.2 ok && require the right cipher?
Greg, what do you think?

> Fourth: The black listing in HTTP seems to be added in h2-16 [3], yet
> the black list in Jetty is in effect also for Chrome supporting only
> h2-14.
>
> Question #4: Should Jetty enforce the cipher black list for h2-14 clients?

See above. A bit of a shortcut on our side, waiting for browsers to update.

-- 
Simone Bordet
----
http://cometd.org
http://webtide.com
http://intalio.com
Developer advice, training, services and support
from the Jetty & CometD experts.
Intalio, the modern way to build business applications.
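The `||` versus `&&` question above is easiest to see with both forms side by side. The following is an added model written for this page, not Jetty's `HTTP2ServerConnectionFactory` code; the blacklists are a constructed subset of RFC 7540 section 9.2 / Appendix A, and the three negotiation outcomes are constructed from the cases described in the thread.

```python
"""Model of the HTTP/2 TLS acceptability check discussed in the thread.

Constructed example, not Jetty code. The blacklists below are a small
subset of RFC 7540 section 9.2 / Appendix A, chosen to reproduce the
cases in the e-mail.
"""

# Protocol versions that, on their own, do not satisfy section 9.2.
# TLS 1.2 is listed because bare TLS 1.2 still permits Appendix A suites.
PROTOCOL_BLACKLIST = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}

# Constructed subset of the Appendix A cipher suite blacklist
# (static RSA key exchange, CBC mode, RC4).
CIPHER_BLACKLIST = {
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
}


def is_blacklisted_protocol(protocol: str) -> bool:
    return protocol in PROTOCOL_BLACKLIST


def is_blacklisted_cipher(cipher: str) -> bool:
    return cipher in CIPHER_BLACKLIST


def is_acceptable_or(protocol: str, cipher: str) -> bool:
    """The '||' form defended in the reply: reject only when BOTH the
    protocol and the cipher are blacklisted. With TLS 1.2 on the protocol
    list this reduces to 'TLS 1.2 is fine if the cipher is fine'."""
    return not is_blacklisted_protocol(protocol) or not is_blacklisted_cipher(cipher)


def is_acceptable_and(protocol: str, cipher: str) -> bool:
    """The '&&' form proposed in question #3: accept only when NEITHER is
    blacklisted. With TLS 1.2 blacklisted, no TLS 1.2 handshake could ever
    carry HTTP/2, which is why the reply keeps '||' while TLS 1.3 is absent."""
    return not is_blacklisted_protocol(protocol) and not is_blacklisted_cipher(cipher)


def compare(protocol: str, cipher: str) -> dict:
    """Evaluate one negotiated (protocol, cipher) pair under both forms."""
    return {"or": is_acceptable_or(protocol, cipher),
            "and": is_acceptable_and(protocol, cipher)}


if __name__ == "__main__":
    # Constructed outcomes: a blacklisted suite, the ECDHE/GCM suite that
    # made HTTP/2 work again, and a hypothetical TLS 1.3 with a bad suite.
    for proto, suite in [("TLSv1.2", "TLS_RSA_WITH_AES_128_GCM_SHA256"),
                         ("TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
                         ("TLSv1.3", "TLS_RSA_WITH_AES_128_GCM_SHA256")]:
        print(proto, suite, compare(proto, suite))
```

Running it shows the one case where the two forms differ: a TLS 1.2 handshake with a non-blacklisted cipher passes under `||` and fails under `&&`.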