TLS ALPN Proposal

Simone Bordet simone.bordet at
Mon May 25 11:34:50 UTC 2015


On Mon, May 25, 2015 at 12:08 PM, Michael McMahon
<michael.x.mcmahon at> wrote:
> Hi Brad,
> A couple of initial comments/questions.
> 1) Certificate selection is one feature envisaged by ALPN. ie a client or a
> server
>     ought to be able to choose a different certificate depending on the
> application name
>     that gets negotiated. Is that possible with this API?


I can definitely see choosing the ALPN protocol based on the SNI name
sent by the client.
For example, a server able to speak http/1.1 and h2 receiving a
request for wants to force http/1.1.
This would be possible, IIUC, using
sslEngine.getHandshakeSession().getRequestedServerNames() in the
ApplicationProtocolSelector implementation.

I see less common choosing the certificate given the application
protocol, but I understand it's mentioned in RFC 7301.

ALPN definitely needs the cipher to be negotiated to support HTTP/2,
so I hope it's not a chicken-and-egg problem.

Simone Bordet
Finally, no matter how good the architecture and design are,
to deliver bug-free software with optimal performance and reliability,
the implementation technique must be flawless.
Victoria Livschitz
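As an added example (not code from the post, from Brad's proposal or from the JDK), here is what the SNI-driven ALPN choice Simone describes looks like against the ALPN API that eventually shipped in JDK 9: SSLEngine.setHandshakeApplicationProtocolSelector takes a BiFunction rather than the proposal's ApplicationProtocolSelector, but the idea of reading getHandshakeSession().getRequestedServerNames() inside the callback is the same. The host set, the server preference list and the cipher-suite rule are assumptions for illustration. Whether the negotiated cipher suite is already visible inside the callback is provider-dependent (the ordering worry in the post), so the example treats an unknown suite as "not yet known" and re-checks once the handshake has finished.

```java
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.function.BiFunction;
import javax.net.ssl.ExtendedSSLSession;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSession;
import javax.net.ssl.StandardConstants;

// Server-side ALPN selection driven by the client's SNI name (added example, not
// code from the post or the JDK). Uses the JDK 9+ selector API; the host set,
// preference list and cipher-suite rule below are assumptions for illustration.
public final class SniDrivenAlpnSelector {

    // Hypothetical hosts that must stay on HTTP/1.1 even when the client offers h2.
    static final Set<String> HTTP1_ONLY_HOSTS = Set.of("legacy.example.com");

    // Protocols this server speaks, most preferred first.
    static final List<String> SERVER_PREFERENCE = List.of("h2", "http/1.1");

    // Suite name JSSE reports on a session whose cipher has not been chosen yet.
    private static final String NULL_SUITE = "SSL_NULL_WITH_NULL_NULL";

    // Pure decision function, so it can be exercised without a handshake.
    // cipherSuite may be null when it is not known at selection time. Returns
    // null when nothing acceptable overlaps with the client's list; JSSE then
    // sends the no_application_protocol alert (RFC 7301 section 3.2).
    static String choose(String sniHost, String cipherSuite, List<String> clientOffered) {
        boolean hostAllowsH2 = sniHost == null || !HTTP1_ONLY_HOSTS.contains(sniHost);
        boolean suiteAllowsH2 = cipherSuite == null || cipherSuiteAcceptableForH2(cipherSuite);
        for (String candidate : SERVER_PREFERENCE) {
            // RFC 7301: the server may only pick a protocol the client advertised.
            if (!clientOffered.contains(candidate)) continue;
            if (candidate.equals("h2") && !(hostAllowsH2 && suiteAllowsH2)) continue;
            return candidate;
        }
        return null;
    }

    // Approximation of RFC 7540 section 9.2.2 (ephemeral key exchange plus an
    // AEAD suite); it is not the full Appendix A black list.
    static boolean cipherSuiteAcceptableForH2(String suite) {
        String s = suite.toUpperCase(Locale.ROOT);
        boolean ephemeral = s.startsWith("TLS_ECDHE_") || s.startsWith("TLS_DHE_")
                || s.startsWith("TLS_AES_") || s.startsWith("TLS_CHACHA20_"); // TLS 1.3 names
        boolean aead = s.contains("_GCM_") || s.contains("CHACHA20_POLY1305") || s.contains("_CCM");
        return ephemeral && aead;
    }

    // The SNI host_name the client sent, lower-cased, or null if it sent none.
    static String requestedHost(SSLSession handshakeSession) {
        if (!(handshakeSession instanceof ExtendedSSLSession)) return null;
        for (SNIServerName name : ((ExtendedSSLSession) handshakeSession).getRequestedServerNames()) {
            if (name.getType() == StandardConstants.SNI_HOST_NAME) {
                return ((SNIHostName) name).getAsciiName().toLowerCase(Locale.ROOT);
            }
        }
        return null;
    }

    // Installs the selector on a server-mode engine.
    static void install(SSLEngine engine) {
        BiFunction<SSLEngine, List<String>, String> selector = (eng, offered) -> {
            SSLSession hs = eng.getHandshakeSession();
            String suite = hs == null ? null : hs.getCipherSuite();
            if (NULL_SUITE.equals(suite)) suite = null; // cipher not negotiated yet at this point
            return choose(requestedHost(hs), suite, offered);
        };
        engine.setHandshakeApplicationProtocolSelector(selector);
    }

    // Post-handshake check for the ordering problem: if the suite was not visible
    // when h2 was chosen, verify it now. False means the caller should close the
    // connection (RFC 7540 INADEQUATE_SECURITY).
    static boolean h2SuiteVerified(SSLEngine engine) {
        if (!"h2".equals(engine.getApplicationProtocol())) return true;
        return cipherSuiteAcceptableForH2(engine.getSession().getCipherSuite());
    }

    public static void main(String[] args) {
        List<String> offered = List.of("h2", "http/1.1");
        System.out.println(choose("www.example.com", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", offered));
        System.out.println(choose("legacy.example.com", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", offered));
        System.out.println(choose("www.example.com", "TLS_RSA_WITH_AES_128_CBC_SHA", offered));
        System.out.println(choose("www.example.com", null, List.of("spdy/3.1")));
    }
}
```

The decision is kept in a pure `choose` method so it can be unit-tested without driving an SSLEngine handshake; `install` is the only part that touches JSSE. Note that choosing the certificate from the negotiated application protocol (the direction Michael asked about) is not expressible this way: with this API the key manager has already been consulted by the time the selector runs, so that ordering would need support from the provider itself.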

More information about the security-dev mailing list