TLS ALPN Proposal
Simone Bordet
simone.bordet at gmail.com
Mon May 25 11:34:50 UTC 2015
Hi,
On Mon, May 25, 2015 at 12:08 PM, Michael McMahon
<michael.x.mcmahon at oracle.com> wrote:
> Hi Brad,
>
> A couple of initial comments/questions.
>
> 1) Certificate selection is one feature envisaged by ALPN. ie a client or a
> server
> ought to be able to choose a different certificate depending on the
> application name
> that gets negotiated. Is that possible with this API?
Interesting.
I can definitely see choosing the ALPN protocol based on the SNI name
sent by the client.
For example, a server able to speak http/1.1 and h2 receiving a
request for http1.domain.com wants to force http/1.1.
This would be possible, IIUC, using
sslEngine.getHandshakeSession().getRequestedServerNames() in the
ApplicationProtocolSelector implementation.
I see less common choosing the certificate given the application
protocol, but I understand it's mentioned in RFC 7301.
ALPN definitely needs the cipher to be negotiated to support HTTP/2,
so I hope it's not a chicken-egg problem.
--
Simone Bordet
http://bordet.blogspot.com
---
Finally, no matter how good the architecture and design are,
to deliver bug-free software with optimal performance and reliability,
the implementation technique must be flawless. Victoria Livschitz
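The SNI-driven protocol choice Simone describes (force http/1.1 for a host that cannot speak h2, using the requested server names from the handshake session inside the selector) can be written against the ALPN API that eventually shipped in JDK 9, where the selector is a `BiFunction<SSLEngine, List<String>, String>` installed with `SSLEngine.setHandshakeApplicationProtocolSelector`. The following is an added example, not code from the proposal or from any JDK source; the class name `SniAwareAlpnSelector`, the `http1OnlyHosts` policy set and the sample host `http1.domain.com` are assumptions chosen for illustration, and the policy logic is kept in a separate `select` method so it can be exercised without a live handshake.

```java
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.function.BiFunction;
import javax.net.ssl.ExtendedSSLSession;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSession;
import javax.net.ssl.StandardConstants;

/**
 * Server-side ALPN selector that consults the SNI host name requested by the
 * client before choosing between h2 and http/1.1. (Added example; assumes the
 * JDK 9+ selector API, not the ApplicationProtocolSelector of the proposal.)
 */
public final class SniAwareAlpnSelector implements BiFunction<SSLEngine, List<String>, String> {

    // Constructed policy: hosts that must stay on HTTP/1.1 even when the client offers h2.
    private final Set<String> http1OnlyHosts;

    public SniAwareAlpnSelector(Set<String> http1OnlyHosts) {
        this.http1OnlyHosts = http1OnlyHosts;
    }

    /** Called by the JDK during the handshake with the protocols the client advertised. */
    @Override
    public String apply(SSLEngine engine, List<String> clientProtocols) {
        String sniHost = null;
        // getHandshakeSession() is the in-progress session; requested server names live on ExtendedSSLSession.
        SSLSession session = engine.getHandshakeSession();
        if (session instanceof ExtendedSSLSession) {
            for (SNIServerName name : ((ExtendedSSLSession) session).getRequestedServerNames()) {
                if (name.getType() == StandardConstants.SNI_HOST_NAME) {
                    sniHost = ((SNIHostName) name).getAsciiName();
                    break;
                }
            }
        }
        return select(sniHost, clientProtocols);
    }

    /**
     * Pure policy: prefer h2 unless the SNI host is pinned to HTTP/1.1; fall back
     * to http/1.1 when offered; return null when nothing offered is acceptable,
     * which lets the JDK reject the ALPN negotiation rather than silently
     * picking a protocol the client never advertised.
     */
    public String select(String sniHost, List<String> clientProtocols) {
        boolean forceHttp1 = sniHost != null
                && http1OnlyHosts.contains(sniHost.toLowerCase(Locale.ROOT));
        if (!forceHttp1 && clientProtocols.contains("h2")) {
            return "h2";
        }
        if (clientProtocols.contains("http/1.1")) {
            return "http/1.1";
        }
        return null;
    }

    // Exercises the policy with constructed inputs; no network or key material is needed.
    public static void main(String[] args) {
        SniAwareAlpnSelector selector = new SniAwareAlpnSelector(Set.of("http1.domain.com"));
        List<String> offered = List.of("h2", "http/1.1");
        System.out.println("api.domain.com   -> " + selector.select("api.domain.com", offered));   // h2
        System.out.println("http1.domain.com -> " + selector.select("http1.domain.com", offered)); // http/1.1
        System.out.println("no SNI           -> " + selector.select(null, offered));               // h2
        System.out.println("no overlap       -> " + selector.select(null, List.of("spdy/3")));     // null
    }
}
```

To install it on a server engine, call `engine.setHandshakeApplicationProtocolSelector(new SniAwareAlpnSelector(Set.of("http1.domain.com")))` before `beginHandshake()`; the selector then replaces the static preference list given through `SSLParameters.setApplicationProtocols`. Note that the selector only sees the client's advertised list, so a host pinned to http/1.1 whose client offers only h2 ends up with no acceptable protocol, and the null return makes that failure explicit at the TLS layer instead of producing a connection that speaks the wrong protocol.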