Closed Bug 965922 Opened 11 years ago Closed 11 years ago

Enforce the base TLS profile defined in the HTTP/2 spec for HTTP/2 connections

Categories

(Core :: Security: PSM, defect)

defect
Not set
normal

RESOLVED DUPLICATE of bug 965869

People

(Reporter: briansmith, Assigned: briansmith)

Details

The draft HTTP/2 spec adds some requirements on the minimum TLS features to support: http://http2.github.io/http2-spec/index.html#TLSUsage

* Ephemeral key exchange must be used.
* DHE keys must be at least 2048 bits.
* TLS 1.2 or later must be negotiated.
* No RC4. (The spec should be reworded on this topic.)

We should terminate the connection if the server negotiates HTTP/2 and the base TLS profile is not used. I believe that the draft HTTP/2 base TLS profile is close to being a subset of our current False Start criteria, so we may want to refactor the false start criteria code to do this.

We already have code in place to enforce this - see Http2Session::ConfirmTLSProfile. The current iteration (of course) only supports the requirements for draft9, and updates for this will come as part of the draft10 implementation.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
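
The four requirements listed in the bug description, written out as a post-handshake check. This is an added example, not Http2Session::ConfirmTLSProfile or any other code from Firefox or this bug; the NegotiatedTls struct, the ProfileResult enum and CheckBaseTlsProfile are hypothetical names, and reading the key exchange and cipher out of the IANA cipher suite name is an assumption of the example.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>

// Hypothetical summary of a completed handshake (not an NSS or Firefox type).
struct NegotiatedTls {
    uint16_t version;   // wire version, 0x0303 = TLS 1.2
    std::string suite;  // IANA cipher suite name
    unsigned kexBits;   // size of the server's ephemeral key in bits
};

enum class ProfileResult { Ok, TlsTooOld, NotEphemeral, DheKeyTooSmall, Rc4 };

// Applies the four requirements from the bug description to one connection.
// Assumption: suite names have the TLS_<kex>_WITH_<cipher> form; any other
// name is rejected as non-ephemeral so that the check fails closed.
ProfileResult CheckBaseTlsProfile(const NegotiatedTls& c) {
    if (c.version < 0x0303) return ProfileResult::TlsTooOld;
    const std::string::size_type with = c.suite.find("_WITH_");
    if (c.suite.compare(0, 4, "TLS_") != 0 || with == std::string::npos || with <= 4)
        return ProfileResult::NotEphemeral;
    const std::string kex = c.suite.substr(4, with - 4);
    const std::string cipher = c.suite.substr(with + 6);
    const bool dhe = kex.compare(0, 4, "DHE_") == 0;
    const bool ecdhe = kex.compare(0, 6, "ECDHE_") == 0;
    if (!dhe && !ecdhe) return ProfileResult::NotEphemeral;
    // Assumption: the 2048-bit minimum is applied to finite-field DHE only.
    if (dhe && c.kexBits < 2048) return ProfileResult::DheKeyTooSmall;
    if (cipher.compare(0, 4, "RC4_") == 0) return ProfileResult::Rc4;
    return ProfileResult::Ok;
}

int main() {
    // Constructed sample connections, not captured traffic.
    const NegotiatedTls samples[] = {
        {0x0303, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 256},
        {0x0303, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", 1024},
        {0x0303, "TLS_RSA_WITH_AES_128_GCM_SHA256", 2048},
        {0x0303, "TLS_ECDHE_RSA_WITH_RC4_128_SHA", 256},
        {0x0302, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", 256},
    };
    for (const NegotiatedTls& s : samples)
        std::printf("%-40s -> %d\n", s.suite.c_str(), static_cast<int>(CheckBaseTlsProfile(s)));
    return 0;
}
```

A caller that has negotiated HTTP/2 would terminate the connection on any result other than ProfileResult::Ok, as the description proposes.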