TLS ALPN Proposal

Simone Bordet simone.bordet at gmail.com
Mon May 25 11:34:50 UTC 2015


Hi,

On Mon, May 25, 2015 at 12:08 PM, Michael McMahon
<michael.x.mcmahon at oracle.com> wrote:
> Hi Brad,
>
> A couple of initial comments/questions.
>
> 1) Certificate selection is one feature envisaged by ALPN, i.e. a client or a
> server ought to be able to choose a different certificate depending on the
> application name that gets negotiated. Is that possible with this API?

Interesting.

I can definitely see choosing the ALPN protocol based on the SNI name
sent by the client.
For example, a server able to speak http/1.1 and h2 receiving a
request for http1.domain.com wants to force http/1.1.
This would be possible, IIUC, using
sslEngine.getHandshakeSession().getRequestedServerNames() in the
ApplicationProtocolSelector implementation.

I see choosing the certificate given the application protocol as less
common, but I understand it's mentioned in RFC 7301.

ALPN definitely needs the cipher to be negotiated to support HTTP/2,
so I hope it's not a chicken-egg problem.

-- 
Simone Bordet
http://bordet.blogspot.com
---
Finally, no matter how good the architecture and design are,
to deliver bug-free software with optimal performance and reliability,
the implementation technique must be flawless.   Victoria Livschitz
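As an added illustration of the SNI-driven protocol choice described in the message above (this is not code from the proposal under discussion, nor from any poster; the proposal's ApplicationProtocolSelector interface is not shown on this page, so the example uses the selector callback that JDK 9 eventually shipped, SSLEngine.setHandshakeApplicationProtocolSelector, together with ExtendedSSLSession.getRequestedServerNames()). The host name http1.domain.com and the cipher-suite heuristic are assumptions made for the example:

```java
import java.util.List;
import javax.net.ssl.ExtendedSSLSession;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;

/** Server-side ALPN selector that forces http/1.1 for one SNI host and only offers h2 on a usable cipher suite. */
public class SniAwareAlpnSelector {

    // Assumed host name (taken from the e-mail's example) that must stay on HTTP/1.1.
    static final String HTTP1_ONLY_HOST = "http1.domain.com";

    /** Extracts the SNI host name the client sent, or null if none was sent. */
    static String requestedHost(SSLEngine engine) {
        SSLSession hs = engine.getHandshakeSession();
        if (!(hs instanceof ExtendedSSLSession)) {
            return null;
        }
        for (SNIServerName name : ((ExtendedSSLSession) hs).getRequestedServerNames()) {
            if (name instanceof SNIHostName) {
                return ((SNIHostName) name).getAsciiName();
            }
        }
        return null;
    }

    /**
     * Simplified stand-in for the RFC 7540 cipher-suite rules: HTTP/2 wants an
     * ephemeral key exchange and an AEAD suite, so reject static-RSA and CBC suites.
     * This is a heuristic for the example, not the full Appendix A black list.
     */
    static boolean suiteUsableForH2(String cipherSuite) {
        return cipherSuite != null
                && !cipherSuite.contains("_RSA_WITH_")
                && !cipherSuite.contains("_CBC_");
    }

    /**
     * Selector callback: returns the protocol to negotiate. Returning null makes the
     * JDK send a no_application_protocol alert when the client offered no usable protocol.
     *
     * @param clientProtocols protocols offered by the client, in its preference order
     */
    static String select(SSLEngine engine, List<String> clientProtocols) {
        boolean http1Only = HTTP1_ONLY_HOST.equalsIgnoreCase(requestedHost(engine));
        String suite = engine.getHandshakeSession().getCipherSuite();

        if (!http1Only && clientProtocols.contains("h2") && suiteUsableForH2(suite)) {
            return "h2";
        }
        if (clientProtocols.contains("http/1.1")) {
            return "http/1.1";
        }
        return null; // no overlap with what this server supports
    }

    /** Creates a server-mode engine that advertises h2 and http/1.1 and installs the selector. */
    static SSLEngine configure(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);

        SSLParameters params = engine.getSSLParameters();
        params.setApplicationProtocols(new String[] {"h2", "http/1.1"});
        engine.setSSLParameters(params);

        // The callback runs during the handshake, once the cipher suite and SNI are known.
        engine.setHandshakeApplicationProtocolSelector(SniAwareAlpnSelector::select);
        return engine;
    }
}
```

Two points worth noting from a defensive angle: the selector never returns a protocol the client did not offer, which would otherwise abort the handshake, and the h2 branch is gated on the negotiated suite so that a downgrade to a weak suite cannot be combined with HTTP/2. Certificate selection by ALPN protocol, the case Michael raises, is not covered here; it would need a KeyManager that can see the handshake state, which this callback does not provide.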

