TLS extensions API, ALPN and HTTP 2.0

Simone Bordet simone.bordet at
Wed Sep 17 15:25:53 UTC 2014


On Wed, Sep 17, 2014 at 4:11 PM, Michael McMahon
<michael.x.mcmahon at> wrote:
> Okay, I see the point you are making. It's more a question of whether
> the constraints themselves are appropriate.

And convince the HTTP/2 editors :(

> I've another question. In the work you've done so far, did you allow
> for the possibility of separate certificates to be selected per ALPN
> instance?
> I'm guessing that if multiple applications are to be supported
> over one TCP port (client or server) then different certificates might be
> needed for each application. Or is that not a reasonable assumption?

If I understand you correctly, you are saying that you want a
connection with to *not* trigger ALPN, but a
connection with to trigger ALPN ?

We don't support this right now in Jetty, but the current ALPN API
probably does: at the moment of selecting the protocol, the
application can retrieve the SNI and decide what protocol to select.
See for example:
There you can call getSSLEngine(), which will be able to return a
number of information about the handshake (such as the cipher chosen).

Makes sense ?

Simone Bordet
Finally, no matter how good the architecture and design are,
to deliver bug-free software with optimal performance and reliability,
the implementation technique must be flawless.   Victoria Livschitz

More information about the security-dev mailing list