<div dir="ltr"><div>Hi,</div><div><br></div><div>If you use the recommendation for nginx and configure the ciphers to AES256+EECDH:AES256+EDH with HTTP2 enabled your Chrome users will get: ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY</div><div><br></div><div>There's an issue thread here which is closed with WontFix: <a href="https://code.google.com/p/chromium/issues/detail?id=545757">https://code.google.com/p/chromium/issues/detail?id=545757</a></div><div><br></div><div>You could add ECDHE-RSA-AES128-GCM-SHA256 to your cipherlist to satisfy an HTTP2 MUST requirement:</div><div><br></div><div>"To avoid this problem causing TLS handshake failures, deployments of HTTP/2 that use TLS 1.2 MUST support TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 [TLS-ECDHE] with the P-256 elliptic curve [FIPS186]."</div><div><br></div><div>Best regards,</div><div>Maciej Soltysiak</div><div><br></div><div>DNSCrypt Poland</div><div><a href="https://dnscrypt.pl/">https://dnscrypt.pl/</a></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Feb 3, 2016 at 8:10 AM, A. Schulze <span dir="ltr">&lt;<a href="mailto:sca@andreasschulze.de" target="_blank">sca@andreasschulze.de</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello,<br>
<br>
MAAWG, the Messaging, Malware and Mobile Anti-Abuse Working Group, just published<br>
Recommendations for Using Forward Secrecy:<br>
<a href="https://www.m3aawg.org/sites/default/files/m3aawg-forward-secrecy-recommendations-2016-01.pdf" target="_blank" rel="noreferrer">https://www.m3aawg.org/sites/default/files/m3aawg-forward-secrecy-recommendations-2016-01.pdf</a><br>
<br>
As our company is a MAAWG member I could give feedback to the authors if necessary.<br>
<br>
Andreas<br>
<br>
_______________________________________________<br>
Ach mailing list<br>
<a href="mailto:Ach@lists.cert.at" target="_blank">Ach@lists.cert.at</a><br>
<a href="http://lists.cert.at/cgi-bin/mailman/listinfo/ach" target="_blank" rel="noreferrer">http://lists.cert.at/cgi-bin/mailman/listinfo/ach</a><br>
</blockquote></div><br></div>
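<div>A check for the mismatch described in the reply above, as an added example that is not part of the original thread: it expands each nginx <code>ssl_ciphers</code> string with the local OpenSSL (through Python's <code>ssl</code> module) and reports whether an HTTP/2 listener offers the suite named in the quoted MUST. The sample configuration and the function names are constructed for illustration, and the expansion reflects whatever OpenSSL build Python is linked against.</div>

```python
import re
import ssl

# OpenSSL name of TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, the suite in the quoted MUST.
H2_MANDATORY = "ECDHE-RSA-AES128-GCM-SHA256"

# Constructed sample: the cipher string from the thread, then the same with the suggested addition.
SAMPLE_CONF = """
server {
    listen 443 ssl http2;
    ssl_ciphers 'AES256+EECDH:AES256+EDH';
}
server {
    listen 443 ssl http2;
    ssl_ciphers 'AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA256';
}
"""

def expand(cipher_string):
    """Return the suite names the local OpenSSL enables for a cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]

def server_blocks(conf):
    """Yield the body of each `server { ... }` block, found by brace counting."""
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def audit(conf):
    """Return (listen arguments, offers_mandatory_suite) per HTTP/2 listener.
    The flag is None when the block sets no ssl_ciphers of its own (inherited)."""
    results = []
    for body in server_blocks(conf):
        ciphers = re.search(r"ssl_ciphers\s+['\"]?([^'\";]+)['\"]?\s*;", body)
        for listen in re.findall(r"listen\s+([^;]*\bhttp2\b[^;]*);", body):
            ok = H2_MANDATORY in expand(ciphers.group(1).strip()) if ciphers else None
            results.append((listen.strip(), ok))
    return results

if __name__ == "__main__":
    for listen, ok in audit(SAMPLE_CONF):
        print(f"listen {listen}: offers {H2_MANDATORY}: {ok}")
```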