Re: ALPN support for GnuTLS connections
From: Eric Marsden
Subject: Re: ALPN support for GnuTLS connections
Date: Tue, 15 Oct 2024 09:33:22 +0200
User-agent: Mozilla Thunderbird
On 15/10/2024 05:02, Richard Stallman wrote:
> Could you describe some specific situations in which ALPN would be
> useful in Emacs? What Wikipedia says about ALPN is very abstract --
> I'd like to get an idea of what concrete activities need ALPN
> or would be improved by it.
ALPN makes it possible to serve different application-level protocols (e.g.
HTTP/1.1, HTTP/2, HTTP/3) from the same network endpoint, with the choice of
application-level protocol made at the TLS protocol level. This means that the
choice of application-level protocol is secure; it happens at the same protocol
level as the checking of digital certificates. It also improves performance when
establishing a network connection, because the negotiation of application
protocol is made during the initial handshake, without requiring multiple back
and forth network messages.
Alternative historic methods for selecting an application-level protocol include
the STARTTLS “connection upgrade” mechanism used for SMTP and IMAP for example,
and the “Upgrade” HTTP header used for protocol upgrade. These either have
security problems (e.g. “STARTTLS stripping” to block connection upgrade) or
performance problems. RFC 9325 “Recommendations for Secure Use of Transport
Layer Security (TLS) and Datagram Transport Layer Security (DTLS)” states that
“TLS implementations (both client- and server-side) MUST support” ALPN.
In the particular example that motivated my interest in ALPN for Emacs, version
17 of the PostgreSQL database includes a new ALPN-based “direct TLS” connection
mode, as an alternative to its historical STARTTLS-like connection upgrade
mechanism. For a service provider who makes it possible to access PostgreSQL
over the internet, there are many benefits to the new ALPN-based mechanism, such
as allowing the use of commercial “TLS gateways” (that do no application-level
processing) as entry points to their network. I expect that over time, an
increasing proportion of internet services will require ALPN.
Eric
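The ALPN negotiation described above, as an added example that is not part of this thread nor of Emacs or GnuTLS: a Go program using the standard crypto/tls package that runs a real handshake over loopback with a throwaway certificate and shows the three outcomes a client can meet, a common protocol chosen by the server's preference order, a server without ALPN leaving nothing negotiated, and a mismatch that ends the handshake inside TLS instead of reaching application code. It assumes Go 1.17 or later, where a server whose ALPN list shares no protocol with the client's answers with a no_application_protocol alert; the listener address and the name alpn-demo are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// selfSignedCert makes a throwaway key and certificate for the demo (constructed, not real).
func selfSignedCert() (tls.Certificate, *x509.CertPool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"alpn-demo"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf) // the client trusts exactly this certificate, so verification stays on
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, pool
}

// NegotiateALPN runs a real TLS handshake over loopback TCP (client offers clientProtos, server
// has serverProtos) and returns the agreed protocol; an error means the handshake was refused.
func NegotiateALPN(clientProtos, serverProtos []string) (string, error) {
	cert, pool := selfSignedCert()
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "alpn-demo", NextProtos: clientProtos}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() { // server side: accept one connection and run the handshake
		raw, err := ln.Accept()
		if err == nil {
			err = tls.Server(raw, &tls.Config{Certificates: []tls.Certificate{cert}, NextProtos: serverProtos}).Handshake()
			raw.Close()
		}
		srvErr <- err // the server's verdict on the handshake
	}()
	client, err := tls.Dial("tcp", ln.Addr().String(), cliCfg) // Dial includes the handshake
	if err != nil {
		return "", err
	}
	defer client.Close()
	return client.ConnectionState().NegotiatedProtocol, <-srvErr // client's view + server's verdict
}
```

The identifiers h2 and http/1.1 are the IANA-registered ALPN names for HTTP/2 and HTTP/1.1; with the client offering both and the server listing http/1.1 first, the server's order decides.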