<div dir="ltr"><div><div><div><div>I have some basic TLS stuff running that seems OK, but I am not able to get ALPN working. I am using the binary version for linux (<a href="https://jdk9.java.net/download/">https://jdk9.java.net/download/</a>).<br><br></div>* Looking at wireshark, firefox sends in "Client Hello" with ALPN protocol h2,spdy/3.1,http/1.1<br></div>* The "Server Hello" has no mention of anything related to ALPN. Also the code prints null. So I think it is not working.<br></div><div>Here is a screen shot of wireshark: <a href="http://imgur.com/a/OX4kd">http://imgur.com/a/OX4kd</a><br> <br></div>Here is what I do in the code: <br>Is this how it should be done?<br><br>System.setProperty("jdk.tls.server.enableStatusRequestExtension", "true");<br>sslContext = SSLContext.getInstance("TLS");<br>sslContext.init(kmf.getKeyManagers(), null, null);<br>SSLServerSocket sslserversocket = null;<br> <br>SSLServerSocketFactory sslserversocketfactory = sslContext.getServerSocketFactory(); <br>sslserversocket = (SSLServerSocket)sslserversocketfactory.createServerSocket(443);<br> <br><br>sslserversocket.setUseClientMode(false);<br>sslserversocket.setWantClientAuth(false);<br>String [] protocols = {"TLSv1","TLSv1.1","TLSv1.2"};<br>sslserversocket.setEnabledProtocols(protocols);<br> <br>SSLParameters p = sslserversocket.getSSLParameters();<br>p.setApplicationProtocols(new String[] {"http/1.1"});<br>sslserversocket.setSSLParameters(p);<br> <br>String [] cipher = {"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"};<br>sslserversocket.setEnabledCipherSuites(cipher);<br> <br>SSLSocket sslsocket = (SSLSocket)sslserversocket.accept();<br>System.out.println(sslsocket.getHandshakeApplicationProtocol()); //prints null<br>System.out.println(sslsocket.getApplicationProtocol()); //prints null<br><br></div>Thanks,<br><div><br><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jun 7, 2016 at 1:52 AM, Bradford Wetmore <span dir="ltr"><<a href="mailto:bradford.wetmore@oracle.com" target="_blank">bradford.wetmore@oracle.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">JEP 244/ALPN, aka JDK-8144083/JDK-8051498 went into JDK 9 late last year.<br>
<br>
The API/design is at:<br>
<br>
<a href="https://bugs.openjdk.java.net/browse/JDK-8062848" rel="noreferrer" target="_blank">https://bugs.openjdk.java.net/browse/JDK-8062848</a><br>
<br>
In a nutshell, the client application sets the strings to send. The server application can parse the ClientHello if desired, and can do any SSLSocket/SSLEngine preconfiguration before starting the handshake. During handshaking, the server library code iterates its set values, and compares with what was received (i.e. server-preference) and chooses the first supported value.<br>
<br>
While the API could support either ALPN or NPN, OpenJDK only has ALPN support as NPN was on its way out at the time of the writing.<br>
<br>
Brad<div class=""><div class="h5"><br>
<br>
<br>
<br>
<br>
<br>
On 6/6/2016 3:10 PM, Jon Berg wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Hi,<br>
<br>
Given that you are acting as a server, it would be nice to be able to offer<br>
"http/1.1" as application.<br>
<br>
The purpose of this is to get chrome to do tls false start which require<br>
that the server "advertise" http/1.1 in ALPN or NPN. In the tls handshake.<br>
To do this it is just and integer and that string that has to be included<br>
in the handshake message at the right place...<br>
<br>
>From looking at the api it seems that this is not supported.<br>
And from reading <a href="http://openjdk.java.net/jeps/244" rel="noreferrer" target="_blank">http://openjdk.java.net/jeps/244</a> it sounds as it does<br>
not advertise anything, but for a server socket it is an intersection of<br>
what<br>
the client sends and what the server is capable of.<br>
<br>
Can you confirm that this is not supported in openjdk 9?<br>
<br>
Thanks,<br>
Jon Berg.<br>
</blockquote>
</div></div></blockquote></div><br></div></div></div>