[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: ALPN support for GnuTLS connections
From: |
Eric Marsden |
Subject: |
Re: ALPN support for GnuTLS connections |
Date: |
Sat, 12 Oct 2024 11:30:41 +0200 |
User-agent: |
Mozilla Thunderbird |
On 10/10/2024 15:54, Robert Pluim wrote:
Patch below. Works in my limited testing.
Excellent, I can confirm that this works with the PostgreSQL 17.0 use
case that I mentioned upthread, as well as with test servers from
OpenSSL and Rustls (see the attached test file).
Remaining questions in my mind:
(1) It would be useful for elisp code to be able to determine whether
Emacs has ALPN support. The elisp code will generally know that the
service it's connecting to requires ALPN, and it would be useful to be
able to inform the user that they should upgrade Emacs, instead of
getting a generic "connection failed" error. The C preprocessor test
HAVE_GNUTLS_ALPN_SET_PROTOCOLS isn't visible from elisp, nor is (I
think?) the binding to gnutls_alpn_set_protocols. This might also be
useful for other features such as the AEAD support. Perhaps a function
such as gnutls-feature-available-p(:alpn) ?
(2) The current behaviour of connection failing only depending on the
server's ALPN setting is I think less than ideal. If the server is not
configured to request ALPN, sending ALPN does not lead to failure. If
server is looking for ALPN and wants another protocol, the connection
fails. I think the default behaviour should be for the connection to
fail if one of the ALPN protocols requested by the client is not
selected: this seems to be more consistent and avoids a security attack
called ALPACA, https://alpaca-attack.com/. This just requires a change
to use GNUTLS_ALPN_MANDATORY (as well as updates to the documentation)
ret = gnutls_alpn_set_protocols (state, protocols, count,
GNUTLS_ALPN_MANDATORY);
In fact I see reading the ALPACA web page that TLS clients are
recommended to use the SNI extension to indicate the server name that
they wish to connect to, which gnutls.c is not currently doing. One
thing at a time!
(3) Perhaps you could add the attached tiny patch to the logging support
for gnutls.c (which is very verbose), so that an EAGAIN doesn't pollute
logs at level 1.
Thanks,
Eric
alpn.el
Description: Text Data
log-retry.diff
Description: Text Data
- Re: ALPN support for GnuTLS connections, Robert Pluim, 2024/10/07
- Re: ALPN support for GnuTLS connections, Robert Pluim, 2024/10/10
- Re: ALPN support for GnuTLS connections, Richard Stallman, 2024/10/14
- Re: ALPN support for GnuTLS connections, Eric Marsden, 2024/10/15
- Re: ALPN support for GnuTLS connections, Richard Stallman, 2024/10/22
- Re: ALPN support for GnuTLS connections, Eric Marsden, 2024/10/31