Closed
Bug 965922
Opened 11 years ago
Closed 11 years ago
Enforce the base TLS profile defined in the HTTP/2 spec for HTTP/2 connections
Categories
(Core :: Security: PSM, defect)
RESOLVED
DUPLICATE
of bug 965869
People
(Reporter: briansmith, Assigned: briansmith)
Details
The draft HTTP/2 spec adds some requirements on the minimum TLS features to support: http://http2.github.io/http2-spec/index.html#TLSUsage
* Ephemeral key exchange must be used.
* DHE keys must be at least 2048 bits.
* TLS 1.2 or later must be negotiated.
* No RC4. (The spec should be reworded on this topic.)
We should terminate the connection if the server negotiates HTTP/2 and the base TLS profile is not used. I believe that the draft HTTP/2 base TLS profile is close to being a subset of our current False Start criteria, so we may want to refactor the false start criteria code to do this.
We already have code in place to enforce this - see Http2Session::ConfirmTLSProfile. The current iteration (of course) only supports the requirements for draft9, and updates for this will come as part of the draft10 implementation.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
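The four requirements listed in the description and the terminate-on-failure rule, as an added C++ example; it is not Gecko's Http2Session::ConfirmTLSProfile or any other code from this bug. The NegotiatedTls struct, the violation flags and both function names are hypothetical, and the cipher suite is assumed to be given by its IANA name.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>

// Hypothetical summary of a finished handshake; not a Gecko or NSS type.
struct NegotiatedTls {
    bool http2_negotiated;  // server selected HTTP/2
    uint16_t version;       // wire value, 0x0303 = TLS 1.2
    std::string suite;      // IANA cipher suite name
    unsigned dhe_bits;      // server DHE key size in bits; ignored otherwise
};

enum Violation : unsigned {
    kOk = 0,
    kVersionTooOld = 1u << 0,
    kNotEphemeral  = 1u << 1,
    kDheTooSmall   = 1u << 2,
    kRc4           = 1u << 3,
    kUnparsable    = 1u << 4,
};

static bool StartsWith(const std::string& s, const std::string& p) {
    return s.compare(0, p.size(), p) == 0;
}
// Returns a bitmask of the base-profile requirements the handshake misses.
unsigned CheckBaseProfile(const NegotiatedTls& c) {
    unsigned v = kOk;
    if (c.version < 0x0303) v |= kVersionTooOld;
    // IANA names: TLS_<key exchange>_WITH_<cipher>_<mac>. Anything else fails closed.
    const std::string::size_type with = c.suite.find("_WITH_", 4);
    if (!StartsWith(c.suite, "TLS_") || with == std::string::npos)
        return v | kUnparsable;
    const std::string kea = c.suite.substr(4, with - 4);
    const std::string cipher = c.suite.substr(with + 6);
    const bool dhe = StartsWith(kea, "DHE_");
    if (!dhe && !StartsWith(kea, "ECDHE_")) v |= kNotEphemeral;
    if (dhe && c.dhe_bits < 2048) v |= kDheTooSmall;
    if (StartsWith(cipher, "RC4_")) v |= kRc4;
    return v;
}

// Terminate only when HTTP/2 was negotiated and the profile is not met.
bool MustTerminate(const NegotiatedTls& c) {
    return c.http2_negotiated && CheckBaseProfile(c) != kOk;
}

int main() {  // constructed sample: 1024-bit DHE under HTTP/2
    NegotiatedTls c{true, 0x0303, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", 1024};
    std::printf("violations=0x%x terminate=%d\n", CheckBaseProfile(c), MustTerminate(c));
}
```

Cipher suite names without a `_WITH_` separator are reported as unparsable rather than accepted, so a caller has to extend the parser before such suites can pass.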