unofficial mirror of emacs-devel@gnu.org 
From: Eric Marsden <eric.marsden@risk-engineering.org>
To: rms@gnu.org
Cc: emacs-devel@gnu.org
Subject: Re: ALPN support for GnuTLS connections
Date: Tue, 15 Oct 2024 09:33:22 +0200	[thread overview]
Message-ID: <2aa6b215-5e12-4641-9d4c-daf6a5d77817@risk-engineering.org> (raw)
In-Reply-To: <E1t0XpF-0001XZ-Q6@fencepost.gnu.org>

On 15/10/2024 05:02, Richard Stallman wrote:
> Could you describe some specific situations in which ALPN would be
> useful in Emacs?  What Wikipedia says about ALPN is very abstract --
> I'd like to get an idea of what concrete activities need ALPN
> or would be improved by it.

ALPN makes it possible to serve different application-level protocols (e.g.
HTTP/1.1, HTTP/2, HTTP/3) from the same network endpoint, with the choice of
application-level protocol made at the TLS protocol level. This means that the
choice of application-level protocol is secure; it happens at the same protocol
level as the checking of digital certificates. It also improves performance when
establishing a network connection, because the negotiation of application
protocol is made during the initial handshake, without requiring multiple back
and forth network messages.

Alternative historic methods for selecting an application-level protocol include
the STARTTLS “connection upgrade” mechanism used for SMTP and IMAP for example,
and the “Upgrade” HTTP header used for protocol upgrade. These either have
security problems (e.g. “STARTTLS stripping” to block connection upgrade) or
performance problems. RFC 9325 “Recommendations for Secure Use of Transport
Layer Security (TLS) and Datagram Transport Layer Security (DTLS)” states that
“TLS implementations (both client- and server-side) MUST support” ALPN.

In the particular example that motivated my interest in ALPN for Emacs, version
17 of the PostgreSQL database includes a new ALPN-based “direct TLS” connection
mode, as an alternative to its historical STARTTLS-like connection upgrade
mechanism. For a service provider who makes it possible to access PostgreSQL
over the internet, there are many benefits to the new ALPN-based mechanism, such
as allowing the use of commercial “TLS gateways” (that do no application-level
processing) as entrypoints to their network. I expect that over time, an
increasing proportion of internet services will require ALPN.

Eric

Thread overview: 23+ messages
2024-09-29  8:23 ALPN support for GnuTLS connections Eric Marsden
2024-09-30  9:21 ` Robert Pluim
2024-09-30 10:21   ` Eric Marsden
2024-09-30 13:13     ` Robert Pluim
2024-09-30 17:26       ` Eric Marsden
2024-10-07  8:22         ` Robert Pluim
2024-10-10 13:54           ` Robert Pluim
2024-10-10 16:23             ` Eli Zaretskii
2024-10-11  7:32               ` Robert Pluim
2024-10-12  9:30             ` Eric Marsden
2024-10-14  9:22               ` Robert Pluim
2024-10-15  7:06                 ` Eric Marsden
2024-10-18 12:37                   ` Robert Pluim
2024-10-15  3:02               ` Richard Stallman
2024-10-15  7:33                 ` Eric Marsden [this message]
2024-10-22  5:38                   ` Richard Stallman
2024-10-31 13:31                     ` Eric Marsden
2024-11-18  4:06                       ` Richard Stallman
2024-11-08 22:17                     ` Björn Bidar
     [not found]                     ` <87fro1jrq4.fsf@>
2024-11-11  5:12                       ` Richard Stallman
2024-11-11 17:15                         ` Björn Bidar
     [not found]                         ` <87y11pu1x4.fsf@>
2024-11-15  4:45                           ` Richard Stallman
2024-11-18 16:57                             ` Björn Bidar