[undertow-dev] Flag to relax HTTP/2 cipher validation

Carter Kozak ckozak at apache.org
Mon Dec 3 12:11:01 EST 2018


Would you be amenable to adding a feature flag disabling http/2 cipher
validation? I realize this runs counter to the specification, however
I'd like to decouple usage of http2 features from the notoriously slow
aes gcm cipher suites on java 8.

This could be broken into two components:
- Disabling the alpn cipher blacklist. The blacklist is suggested, but
not required[1]
- Disabling the requirement for TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
which is listed as required (for tlsv1.2)

I can understand strong reservations against relaxing this validation,
but given the existence of flags to disable other types of validation
I figured it would be worthwhile to inquire.

Thanks,
-Carter

1. https://tools.ietf.org/html/rfc7540#section-9.2.2
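
The two checks named in the message, sketched as an added example for auditing a JVM's enabled cipher suites; this is not code from the original post or from Undertow. The class name `Http2CipherAudit` and the name-based rule are assumptions: the rule approximates the RFC 7540 Appendix A blacklist from the appendix's stated rationale (no ephemeral key exchange, or a null, stream or block cipher) and is not the literal list.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;

public class Http2CipherAudit {
    // The suite RFC 7540 section 9.2.2 requires for HTTP/2 over TLS 1.2.
    static final String REQUIRED = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256";

    // Assumption: approximates Appendix A by name. Only suites with an
    // ephemeral (EC)DHE key exchange and an AEAD cipher are treated as allowed.
    static boolean likelyBlacklisted(String suite) {
        boolean ephemeral = suite.contains("_DHE_") || suite.contains("_ECDHE_");
        boolean aead = suite.contains("_GCM_") || suite.contains("_CCM")
                || suite.contains("CHACHA20_POLY1305");
        return !(ephemeral && aead);
    }

    // Returns findings for a suite list given in preference order.
    static List<String> audit(List<String> enabled) {
        List<String> findings = new ArrayList<>();
        int requiredAt = enabled.indexOf(REQUIRED);
        if (requiredAt < 0) {
            findings.add("missing required suite " + REQUIRED);
        }
        for (int i = 0; i < enabled.size(); i++) {
            String s = enabled.get(i);
            // Skip signalling values and TLS 1.3 names, which have no "_WITH_"
            // part; section 9.2.2 is about TLS 1.2 suites.
            if (!s.contains("_WITH_") || !likelyBlacklisted(s)) continue;
            String where = (requiredAt < 0 || i < requiredAt)
                    ? " (preferred over the required suite)" : "";
            findings.add("likely blacklisted for HTTP/2: " + s + where);
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        // Suites may be passed as arguments; otherwise the JVM defaults are used.
        List<String> enabled = args.length > 0 ? Arrays.asList(args)
                : Arrays.asList(SSLContext.getDefault()
                        .getDefaultSSLParameters().getCipherSuites());
        List<String> findings = audit(enabled);
        findings.forEach(System.out::println);
        System.out.println(findings.isEmpty() ? "no findings" : findings.size() + " finding(s)");
    }
}
```

Run without arguments, it reports on the default `SSLContext` of the JVM it runs under, so the result differs between Java versions and security-property settings.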

