
Obtaining 100% on the cipher strength seems difficult with HTTP/2

Question asked by Roland Bogosi on Sep 28, 2015
Latest reply on Mar 27, 2017 by Rob Moss



With the new nginx version came the support for HTTP/2, and as an experiment, I tried reaching 100/100/100/100 on the test on a dev server. I was able to do so with the following:


ssl_protocols TLSv1.2;


The only issue seems to be that all ciphers that reach 100 on the test are rejected by Chrome with the error "ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY" when the next negotiated protocol is HTTP/2. Further research revealed that the HTTP/2 specification has a list of blacklisted ciphers: Hypertext Transfer Protocol Version 2 (HTTP/2)


While I don't have any issues running the recommended cipher list for nginx with HTTP/2, that only gets a score of 90 for the cipher strength.


For the sake of the experiment, is there a cipher that's not on the HTTP/2 blacklist and scores 100?


Thanks in advance.
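An added example, not part of the original question: a Python check that sorts a colon-separated list of OpenSSL-style TLS 1.2 cipher names by whether HTTP/2 accepts them and by key size. It applies the criterion RFC 7540 Appendix A states for its list (no ephemeral key exchange, or a null, stream or block cipher type) rather than the full table, and it assumes the test gives full cipher-strength marks only to 256-bit ciphers; the sample list and all function names are constructed for illustration.

```python
import re

# Constructed sample in the format nginx's ssl_ciphers takes (explicit names only).
# Keywords such as HIGH or !aNULL are not expanded here; run them through
# `openssl ciphers` first to get explicit names.
SAMPLE_SSL_CIPHERS = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-SHA384:AES256-GCM-SHA384:ADH-AES256-GCM-SHA384"
)

EPHEMERAL_KX = {"ECDHE", "DHE"}                   # authenticated ephemeral key exchange
AEAD_TOKENS = {"GCM", "CCM", "CCM8", "CHACHA20"}  # AEAD modes, i.e. not null/stream/block


def key_bits(name):
    """Symmetric key size implied by the cipher name, or 0 if not recognised."""
    upper = name.upper()
    if "CHACHA20" in upper:
        return 256
    match = re.search(r"(?:AES|CAMELLIA|ARIA)(128|256)", upper)
    return int(match.group(1)) if match else 0


def http2_allowed(name):
    """Heuristic for RFC 7540 Appendix A: ephemeral key exchange AND an AEAD cipher."""
    tokens = name.upper().split("-")
    return tokens[0] in EPHEMERAL_KX and bool(AEAD_TOKENS & set(tokens))


def classify(cipher_string):
    """One row per cipher: name, key size, and whether HTTP/2 would accept it."""
    return [
        {"name": n, "bits": key_bits(n), "http2_ok": http2_allowed(n)}
        for n in cipher_string.split(":") if n
    ]


def candidates(cipher_string, min_bits=256):
    """Ciphers that pass the HTTP/2 check and meet the assumed key-size threshold."""
    return [r["name"] for r in classify(cipher_string)
            if r["http2_ok"] and r["bits"] >= min_bits]


if __name__ == "__main__":
    for row in classify(SAMPLE_SSL_CIPHERS):
        print(f'{row["name"]:32} {row["bits"]:>3} bits  http2_ok={row["http2_ok"]}')
    print("candidates:", ":".join(candidates(SAMPLE_SSL_CIPHERS)))
```

In the sample, the CBC suite, the static-RSA suite and the anonymous-DH suite fail the HTTP/2 check even though each uses a 256-bit key, and the 128-bit GCM suite passes the HTTP/2 check but not the key-size filter.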