emacs-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ALPN support for GnuTLS connections


From: Eric Marsden
Subject: Re: ALPN support for GnuTLS connections
Date: Sat, 12 Oct 2024 11:30:41 +0200
User-agent: Mozilla Thunderbird

On 10/10/2024 15:54, Robert Pluim wrote:
Patch below. Works in my limited testing.

Excellent, I can confirm that this works with the PostgreSQL 17.0 use case that I mentioned upthread, as well as with test servers from OpenSSL and Rustls (see the attached test file).

Remaining questions in my mind:

(1) It would be useful for elisp code to be able to determine whether Emacs has ALPN support. The elisp code will generally know that the service it's connecting to requires ALPN, and it would be useful to be able to inform the user that they should upgrade Emacs, instead of getting a generic "connection failed" error. The C preprocessor test HAVE_GNUTLS_ALPN_SET_PROTOCOLS  isn't visible from elisp, nor is (I think?) the binding to gnutls_alpn_set_protocols. This might also be useful for other features such as the AEAD support. Perhaps a function such as gnutls-feature-available-p(:alpn) ?

(2) The current behaviour of connection failing only depending on the server's ALPN setting is I think less than ideal. If the server is not configured to request ALPN, sending ALPN does not lead to failure. If server is looking for ALPN and wants another protocol, the connection fails. I think the default behaviour should be for the connection to fail if one of the ALPN protocols requested by the client is not selected: this seems to be more consistent and avoids a security attack called ALPACA, https://alpaca-attack.com/. This just requires a change to use GNUTLS_ALPN_MANDATORY (as well as updates to the documentation)

        ret = gnutls_alpn_set_protocols (state, protocols, count, GNUTLS_ALPN_MANDATORY);

In fact I see reading the ALPACA web page that TLS clients are recommended to use the SNI extension to indicate the server name that they wish to connect to, which gnutls.c is not currently doing. One thing at a time!

(3) Perhaps you could add the attached tiny patch to the logging support for gnutls.c (which is very verbose), so that an EAGAIN doesn't pollute logs at level 1.


Thanks,

Eric


Attachment: alpn.el
Description: Text Data

Attachment: log-retry.diff
Description: Text Data


reply via email to

[Prev in Thread] Current Thread [Next in Thread]