On 09/25/2015 07:29 AM, Simone Bordet wrote:
Hi,
On Fri, Sep 25, 2015 at 2:15 PM, David M. Lloyd <david.ll...@redhat.com> wrote:
...why does sorting even matter? Why should selection not be implemented
100% in user code, based on both the cipher suites list and application
protocol, rendering this whole discussion pointless? It's clearly a complex
enough process (which is highly protocol-specific) that it seems to me quite
unlikely that the JDK can possibly implement this in a way that will work
for all use cases.
Bradford can certainly provide more context here, but the "tuple
selection" approach would have required a (large) rewrite of the
current mechanism, and it was discarded because of resource
constraints.
In fact, why not just use the SSLExplorer approach and be done with this
already?
You mean this?
http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/samples/sni/SSLExplorer.java
Can you expand on what such an approach would look like? Seems overkill
to me, and all in the hands of application developers?
Well, SNI already basically works this way, so it's not so great a stretch.
I imagine the client code simply specifying a list of protocols along
with today's list of cipher suites.
The user-space server side logic would go like this:
* Receive SSL ServerHello
* Examine the packet for ALPN and SNI information
* Read the list of cipher suites
* Evaluate
* Select an SSLContext based on protocol and/or server name
* Construct an SSLSocket or SSLEngine as appropriate
* Set a property on the SSLSocket/SSLEngine to indicate ALPN protocol name
* (optional) Change/sort the cipher suite list on the
SSLSocket/SSLEngine as appropriate
* Resume negotiation by passing the ServerHello in to the
SSLSocket/SSLEngine as initial data
It's not super elegant but it should work just as well as SNI works, and
it would cover 100% of use cases since the user has complete flexibility
to make a decision based on any combination of cipher suite selection,
protocol name, and host name, even potentially with the option to
pretend that ALPN wasn't recognized.
--
- DML
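
An added example, not part of the original message and not JDK or SSLExplorer code: a sketch of the "examine the packet" and "read the list of cipher suites" steps from the list above, run over the first record a server receives from the client (in TLS terms, the ClientHello). The class name `HelloPeek` and the sample bytes are constructed for illustration; the parser assumes one complete, unfragmented record.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.*;
public class HelloPeek {
    final List<Integer> cipherSuites = new ArrayList<>();
    final List<String> alpn = new ArrayList<>();
    String serverName;                                   // stays null when no SNI is sent
    // Malformed input surfaces as a RuntimeException, which the caller treats as "reject".
    static HelloPeek parse(ByteBuffer in) {
        ByteBuffer b = in.duplicate();                   // caller's buffer stays untouched for replay
        HelloPeek h = new HelloPeek();
        if (b.get() != 22) throw new IllegalArgumentException("not a handshake record");
        skip(b, 4);                                      // record version, record length
        if (b.get() != 1) throw new IllegalArgumentException("not a ClientHello");
        skip(b, 3 + 2 + 32);                             // handshake length, version, random
        skip(b, b.get() & 0xff);                         // session id
        for (int n = (b.getShort() & 0xffff) / 2; n > 0; n--) h.cipherSuites.add(b.getShort() & 0xffff);
        skip(b, b.get() & 0xff);                         // compression methods
        if (!b.hasRemaining()) return h;                 // hello without extensions
        int end = (b.getShort() & 0xffff) + b.position(); // length is read first, then position
        while (b.position() < end) {
            int type = b.getShort() & 0xffff, len = b.getShort() & 0xffff;
            ByteBuffer ext = b.slice();                  // view of this extension's body only
            ext.limit(len);
            skip(b, len);
            if (type == 0 && ext.get(2) == 0) {          // server_name, entry type host_name
                ext.position(3);
                h.serverName = str(ext, ext.getShort() & 0xffff);
            } else if (type == 16) {                     // ALPN: list length, then length-prefixed names
                ext.position(2);
                while (ext.hasRemaining()) h.alpn.add(str(ext, ext.get() & 0xff));
            }
        }
        return h;
    }
    static void skip(ByteBuffer b, int n) { b.position(b.position() + n); }
    static String str(ByteBuffer b, int n) {
        byte[] a = new byte[n]; b.get(a);
        return new String(a, StandardCharsets.US_ASCII);
    }
    public static void main(String[] args) {
        // Constructed sample: two suites, SNI "example.test", ALPN "h2" and "http/1.1".
        String hex = "160301005801000054" + "0303" + String.join("", Collections.nCopies(32, "00"))
                + "00" + "0004c02f009c" + "0100" + "0027" + "00000011000f00000c6578616d706c652e74657374"
                + "0010000e000c026832" + "08687474702f312e31";
        // BigInteger is only a compact hex decoder here; it is safe because the first byte is 0x16.
        HelloPeek h = parse(ByteBuffer.wrap(new java.math.BigInteger(hex, 16).toByteArray()));
        System.out.println(h.serverName + " " + h.alpn + " " + h.cipherSuites);
    }
}
```

Because `parse` works on a duplicate, the same buffer can afterwards be handed unchanged to `SSLEngine.unwrap` on whichever engine the selection logic creates.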