
Obtaining 100% on the cipher strength seems difficult with HTTP/2

Question asked by Roland Bogosi on Sep 28, 2015
Latest reply on Mar 27, 2017 by Rob Moss

Hello,


With the new nginx version came the support for HTTP/2, and as an experiment, I tried reaching 100/100/100/100 on the test on a dev server. I was able to do so with the following:


ssl_protocols TLSv1.2;
ssl_ciphers ECDH+AESGCM256:DH+AESGCM256:ECDH+AES256:SH+AES256:RSA+AESGCM256:RSA+AES256:!aNULL:!MD5:!kEDH;


The only issue seems to be that all ciphers that reach 100 on the test are rejected by Chrome with the error "ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY" when the next negotiated protocol is HTTP/2. Further research revealed that the HTTP/2 specification has a list of blacklisted ciphers: Hypertext Transfer Protocol Version 2 (HTTP/2)


While I don't have any issues running the recommended cipher list for nginx with HTTP/2, that only gets a score of 90 for the cipher strength.


For the sake of the experiment, is there a cipher that's not on the HTTP/2 blacklist and scores 100?


Thanks in advance.
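Added worked example, not part of the original question and not code from nginx, Chrome or SSL Labs. The browser error in the question comes from RFC 7540 section 9.2.2: an HTTP/2 endpoint may refuse a TLS 1.2 connection whose negotiated suite uses a non-ephemeral key exchange (static RSA, static DH/ECDH) or a non-AEAD bulk cipher (any CBC suite, GCM/ChaCha20-Poly1305/CCM are fine), which is exactly what the blacklist in Appendix A enumerates. The checker below applies those two rules to OpenSSL-style suite names so you can audit an expanded `ssl_ciphers` list before deploying it. The suite names in `QUESTION_LIST_EXPANDED` are a constructed, hand-written sample of what the aliases in the question resolve to (ECDH and DH aliases match both ephemeral and static variants); run `openssl ciphers -v '<your list>'` to get the real expansion for your build.

```python
"""Audit an OpenSSL cipher list for HTTP/2 (RFC 7540 section 9.2.2) compatibility."""

# Name prefixes OpenSSL uses for ephemeral (forward-secret) key exchange.
# Static ECDH ("ECDH-..."), static DH ("DH-...") and RSA key transport
# (no prefix, e.g. "AES256-GCM-SHA384") are NOT ephemeral.
EPHEMERAL_KX_PREFIXES = ("ECDHE-", "DHE-", "EDH-")

# Markers of AEAD bulk ciphers in OpenSSL suite names. CBC suites carry an
# HMAC suffix (-SHA, -SHA256, -SHA384) and no such marker.
AEAD_MARKERS = ("-GCM-", "CHACHA20-POLY1305", "-CCM")

# RFC 7540 9.2.2: HTTP/2 over TLS 1.2 MUST support this suite (with P-256).
REQUIRED_SUITE = "ECDHE-RSA-AES128-GCM-SHA256"


def http2_compatible(suite):
    """Classify one OpenSSL-style suite name.

    Returns (ok, reason): ok is True only when the suite uses an ephemeral
    key exchange AND an AEAD cipher; otherwise reason lists what fails.
    """
    name = suite.strip().upper()
    if not name:
        return False, "empty suite name"
    problems = []
    if not name.startswith(EPHEMERAL_KX_PREFIXES):
        problems.append("non-ephemeral key exchange")
    if not any(marker in name for marker in AEAD_MARKERS):
        problems.append("non-AEAD cipher")
    if problems:
        return False, ", ".join(problems)
    return True, "ok"


def audit(suites):
    """Split an iterable of suite names into HTTP/2-safe and rejected ones.

    Returns (compatible, rejected): compatible is a list of names in the
    original order; rejected is a list of (name, reason) pairs.
    """
    compatible, rejected = [], []
    for suite in suites:
        ok, reason = http2_compatible(suite)
        if ok:
            compatible.append(suite)
        else:
            rejected.append((suite, reason))
    return compatible, rejected


def has_required_suite(suites):
    """True when the RFC 7540 mandatory-to-implement suite is in the list."""
    return any(s.strip().upper() == REQUIRED_SUITE for s in suites)


# Constructed sample: a hand-written expansion of the aliases in the
# question (ECDH+AESGCM256:DH+AESGCM256:ECDH+AES256:DH+AES256:RSA+AESGCM256:
# RSA+AES256). Not produced by running OpenSSL; use `openssl ciphers -v`
# on your own build for the authoritative expansion.
QUESTION_LIST_EXPANDED = [
    "ECDHE-RSA-AES256-GCM-SHA384",    # ECDH+AESGCM256, ephemeral + AEAD
    "ECDHE-ECDSA-AES256-GCM-SHA384",  # ECDH+AESGCM256, ephemeral + AEAD
    "ECDH-RSA-AES256-GCM-SHA384",     # ECDH+AESGCM256 also matches static ECDH
    "DHE-RSA-AES256-GCM-SHA384",      # DH+AESGCM256, ephemeral + AEAD
    "DH-RSA-AES256-GCM-SHA384",       # DH+AESGCM256 also matches static DH
    "ECDHE-RSA-AES256-SHA384",        # ECDH+AES256, CBC suite (no AEAD)
    "ECDHE-RSA-AES256-SHA",           # ECDH+AES256, CBC suite (no AEAD)
    "DHE-RSA-AES256-SHA256",          # DH+AES256, CBC suite (no AEAD)
    "AES256-GCM-SHA384",              # RSA+AESGCM256, RSA key transport
    "AES256-SHA256",                  # RSA+AES256, RSA key transport + CBC
]


if __name__ == "__main__":
    good, bad = audit(QUESTION_LIST_EXPANDED)
    print("HTTP/2-compatible suites (nginx ssl_ciphers form):")
    print("  " + ":".join(good))
    print("Rejected under RFC 7540 9.2.2:")
    for suite, why in bad:
        print("  %-32s %s" % (suite, why))
    if not has_required_suite(QUESTION_LIST_EXPANDED):
        print("Note: list lacks mandatory suite " + REQUIRED_SUITE)
```

Two things the output makes visible: every CBC suite in the question's list fails the AEAD rule even though it scores full marks on the cipher-strength line, and the 256-bit-only list omits ECDHE-RSA-AES128-GCM-SHA256, which RFC 7540 requires HTTP/2 deployments on TLS 1.2 to support; Chrome's check is on the negotiated suite, so the first problem is what produces the error in the question.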
