RFC 9113 imposes a number of conditions on TLS settings:
- Section 9.2: mandates TLS 1.2 or above (can be done with `ssl_minimum_version`)
- Section 9.2.1/9.2.2: mandates one specific TLS 1.2 cipher suite (`TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`) with a specific ECDH curve (though I think the curve choice is specific to servers) and forbids others. http://python-hyper.org/projects/h2/en/stable/negotiating-http2.html lists all allowed cipher suites in practice, but it references RFC 7540 and it's possible allowed cipher suites have changed between the two RFCs.
- Section 9.2.1: Renegotiation must be disabled (using `ssl.OP_NO_RENEGOTIATION`), meaning at some point a connection will become unusable, at which point we will have to discard it.
- Section 9.2.1/10.6: forbids the use of TLS compression (`ssl.OP_NO_COMPRESSION` must be set)
- Section 9.2.3: HTTP/2 clients MUST treat a TLS post-handshake `CertificateRequest` message as a connection error (Section 5.4.1) of type `PROTOCOL_ERROR`. Maybe hyper-h2 does this for us? We probably still want to enable post-handshake authentication in case the server is HTTP/1.1.
Most of these will have to be encoded in create_urllib3_context, which will need an HTTP/2 mode. It has to be part of the public API to allow users to tweak the context further if they want to, for example to handle a non-conformant server. HTTP2Connection will thus need to accept an ssl_context parameter at this point.
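The settings listed in the issue, applied to a standard-library `ssl.SSLContext`, as an added example; this is not urllib3's `create_urllib3_context` and not code from the issue author. The cipher string `H2_CIPHERS`, the helper names and the violation codes are assumptions made for the example. The audit function checks the context against the RFC 9113 Section 9.2 rules that are visible from the context itself (minimum version, compression, renegotiation, and whether every TLS 1.2 suite is AEAD with ephemeral key exchange, which is what keeps a suite off the Appendix A block list); ALPN cannot be read back from a context, so it is only set, not audited.

```python
"""Build and audit a client ssl.SSLContext for HTTP/2 over TLS 1.2 (RFC 9113 Section 9.2).

Added example, not urllib3's own code. Names below are assumptions for illustration.
"""
import ssl

# OpenSSL name of TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, the suite RFC 9113
# Section 9.2.2 requires every HTTP/2-over-TLS-1.2 deployment to support.
MANDATORY_SUITE = "ECDHE-RSA-AES128-GCM-SHA256"

# Assumed cipher string (not urllib3's list): AEAD suites with ephemeral ECDH only,
# which stays clear of the RFC 9113 Appendix A block list.
H2_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5"


def make_h2_context() -> ssl.SSLContext:
    """Return a verifying client context that satisfies RFC 9113 Section 9.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2     # Section 9.2: TLS 1.2 or above
    ctx.options |= ssl.OP_NO_COMPRESSION             # Sections 9.2.1 / 10.6
    ctx.options |= ssl.OP_NO_RENEGOTIATION           # Section 9.2.1
    ctx.set_ciphers(H2_CIPHERS)                      # Section 9.2.2 / Appendix A
    ctx.set_alpn_protocols(["h2", "http/1.1"])       # Section 3.1, HTTP/1.1 fallback
    # Post-handshake client auth stays enabled so an HTTP/1.1 fallback keeps
    # working; on an h2 connection a post-handshake CertificateRequest is a
    # PROTOCOL_ERROR (Section 9.2.3) and has to be enforced at the HTTP/2 layer.
    ctx.post_handshake_auth = True
    return ctx


def make_plain_context() -> ssl.SSLContext:
    """A context with the stdlib defaults only, for contrast (no h2 hardening)."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)


def check_h2_context(ctx: ssl.SSLContext) -> list:
    """Audit a context against RFC 9113 Section 9.2.

    Returns a list of violation codes (assumed names); empty means conformant.
    """
    problems = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("min-version-below-tls1.2")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        problems.append("compression-enabled")
    if not ctx.options & ssl.OP_NO_RENEGOTIATION:
        problems.append("renegotiation-enabled")

    names = set()
    for suite in ctx.get_ciphers():
        names.add(suite["name"])
        if suite["protocol"] != "TLSv1.2":
            continue  # TLS 1.3 suites are all AEAD with ephemeral key exchange
        # Non-AEAD or non-forward-secret TLS 1.2 suites are on the Appendix A block list.
        if not suite["aead"] or suite["kea"] not in ("kx-ecdhe", "kx-dhe"):
            problems.append("blocklisted-suite:" + suite["name"])
    if MANDATORY_SUITE not in names:
        problems.append("missing-mandatory-suite:" + MANDATORY_SUITE)
    return problems


if __name__ == "__main__":
    for label, ctx in (("h2", make_h2_context()), ("plain", make_plain_context())):
        print(label, check_h2_context(ctx) or "conformant")
```

`ssl.OP_NO_RENEGOTIATION` needs Python 3.7+ built against OpenSSL 1.1.0h or later; on older builds the attribute is absent and the option cannot be expressed through the `ssl` module at all. Running the audit on `make_plain_context()` shows why an HTTP/2 mode is needed: the stdlib defaults set `OP_NO_COMPRESSION` but never `OP_NO_RENEGOTIATION`, and depending on the OpenSSL build they may still offer non-AEAD TLS 1.2 suites.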