* For example, HTTP/2 specifies a mandatory-to-implement suite (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256); if the software implementing HTTP/2 followed the RFC, everything would just work. For example, they could refuse to run with invalid configuration, forcing the issue. Whether connections start failing, or the application refuses to run using an updated application protocol, the end result is the same: the admin disables the updated protocol.
* Or they could simply add the MTI suite to the end of the configuration if not already there. In many organizations, TLS configuration changes require approval, interop testing and performance testing, whereas disabling the updated application protocol is quick and easy.
* Every single HTTP/2 connection uses TLS 1.2+ with AEAD and PFS. Rather, a subset of AEAD/PFS TLS 1.2 connections also offer HTTP/2.

Cheers,
Andrei
_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
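The three startup behaviours discussed in the message above (refuse to run, append the mandatory-to-implement suite, or stop offering the updated protocol), sketched as an added example that is not part of the original message or of any HTTP/2 implementation. The policy names, function names and the name-based AEAD/PFS heuristic are assumptions made for illustration, and the suite list is constructed sample input.

```python
MTI = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"  # suite named in the message

# Constructed sample: a legacy TLS 1.2 suite list that lacks the MTI suite.
LEGACY = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]


def is_aead_pfs(suite):
    """Name-based heuristic for TLS 1.2 IANA suite names (an assumption):
    ephemeral (EC)DHE key exchange plus a GCM, CCM or ChaCha20-Poly1305 cipher."""
    pfs = suite.startswith(("TLS_ECDHE_", "TLS_DHE_"))
    aead = any(tag in suite for tag in ("_GCM_", "_CCM", "CHACHA20_POLY1305"))
    return pfs and aead


def plan_startup(suites, policy):
    """Return (effective_suites, alpn_offer) under a hypothetical policy name:
    'refuse'  - fail startup when the MTI suite is missing
    'append'  - add the MTI suite at lowest preference
    'degrade' - keep the suites untouched and stop offering h2
    """
    suites = list(suites)
    if MTI in suites:
        return suites, ["h2", "http/1.1"]
    if policy == "refuse":
        raise ValueError("HTTP/2 enabled but %s is not configured" % MTI)
    if policy == "append":
        return suites + [MTI], ["h2", "http/1.1"]
    if policy == "degrade":
        return suites, ["http/1.1"]
    raise ValueError("unknown policy: %r" % policy)


def select_protocol(negotiated_suite, alpn_offer, client_alpn):
    """Per-connection choice: h2 only when both sides offer it and the
    negotiated TLS 1.2 suite is AEAD with forward secrecy."""
    if "h2" in alpn_offer and "h2" in client_alpn and is_aead_pfs(negotiated_suite):
        return "h2"
    return "http/1.1"


if __name__ == "__main__":
    for policy in ("append", "degrade", "refuse"):
        try:
            print(policy, plan_startup(LEGACY, policy))
        except ValueError as exc:
            print(policy, "startup refused:", exc)
```

Under the `append` policy the legacy CBC suite stays configured, so `select_protocol` still falls back to HTTP/1.1 for connections that negotiate it; only the AEAD/PFS subset carries h2.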