<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On 15 June 2016 at 21:31, David M. Lloyd <span dir="ltr"><<a href="mailto:david.lloyd@redhat.com" target="_blank">david.lloyd@redhat.com</a>></span> wrote:<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
I am proposing 3 simple changes to be done:<br>
<br>
1) Introduce a TLSProtocolNames class that can convert from TLS<br>
protocol bytes to TLS protocol names.<br>
2) Introduce a TLSCipherSuiteNames class that can convert from TLS<br>
cipher suite bytes to TLS cipher suite names.<br>
3) Delay handshaker.started=true so that it would simpler and more<br>
precise for an application to handle ALPN.<br>
</blockquote>
<br></span>
I agree with 1 and 2, at least in concept if not in specifics, but I think 3 is a mistake: if you've committed to an SSL context then it's already too late to make some possibly important decisions, and SNI can play a factor here too. We can make this easier but I think that trying to do this all inside of the handshake process is going to cut off some important use cases.<div class="HOEnZb"><div class="h5"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br></blockquote></div></div></blockquote></div><div class="gmail_extra"><br></div><div class="gmail_extra">Note that with 3 :</div><div class="gmail_extra"><ul><li>Not all decisions have to be made late. Some logic will need to be executed before unwrapping hello, such as trimming the set of available ciphers to mutually acceptable ones.</li><li>You are still free to pick a protocol early - ie before hello unwrap if you can/want</li></ul></div><div class="gmail_extra">The process we are working towards in jetty is three phase: firstly we trim ciphers and protocol list; then we allow SslEngine to pick the specific cipher (using certificates and/or SNI); finally we want to pick the protocol based on the cipher AND the earlier work trimming ciphers/protocols.<br></div></div><div class="gmail_extra"><br></div><div class="gmail_extra">So definitely don't want to "do this all inside of the handshake process". Just want to ability to make the final protocol choice after the final cipher decision has been made in the hello unwrap. Again, this would be optional and you could do it all before if you don't want to support the edge cases where this is needed.</div><div class="gmail_extra"><br></div><div class="gmail_extra">cheers</div><div class="gmail_extra"><br></div><div class="gmail_extra"><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">Greg Wilkins <<a href="mailto:gregw@webtide.com" target="_blank">gregw@webtide.com</a>> CTO <a href="http://webtide.com" target="_blank">http://webtide.com</a><br></div></div>
</div></div>