* ALPN support for GnuTLS connections
@ 2024-09-29 8:23 Eric Marsden
2024-09-30 9:21 ` Robert Pluim
0 siblings, 1 reply; 5+ messages in thread
From: Eric Marsden @ 2024-09-29 8:23 UTC (permalink / raw)
To: emacs-devel
Hello,
The GnuTLS support in Emacs does not seem to support the TLS extension
Application Layer Protocol Negotiation (ALPN). ALPN is no longer just useful for
faster TLS handshakes (in HTTP/2, for example); it is mandatory in certain uses
of TLS.
The GnuTLS library does support ALPN (since 2013, it seems). My understanding is
that definitions for the two functions described here would need to be added to
gnutls.c:
https://www.gnutls.org/manual/html_node/Application-Layer-Protocol-Negotiation-_0028ALPN_0029.html
Use case: the recent 17.0 release of PostgreSQL has added a "direct TLS"
connection mode which requires ALPN. Some hosted PostgreSQL providers only offer
direct TLS connections (I presume this allows them to use standard TLS
gateways). I would like to allow connections to these services using the pg-el
library (https://github.com/emarsden/pg-el), which implements the PostgreSQL
wire protocol.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: ALPN support for GnuTLS connections
2024-09-29 8:23 ALPN support for GnuTLS connections Eric Marsden
@ 2024-09-30 9:21 ` Robert Pluim
2024-09-30 10:21 ` Eric Marsden
0 siblings, 1 reply; 5+ messages in thread
From: Robert Pluim @ 2024-09-30 9:21 UTC (permalink / raw)
To: Eric Marsden; +Cc: emacs-devel
>>>>> On Sun, 29 Sep 2024 10:23:17 +0200, Eric Marsden <eric.marsden@risk-engineering.org> said:
Eric> Hello,
Eric> The GnuTLS support in Emacs does not seem to support the TLS extension
Eric> Application Layer Protocol Negotiation (ALPN). ALPN is no longer just useful for
Eric> faster TLS handshakes (in HTTP/2, for example); it is mandatory in certain uses
Eric> of TLS.
Eric> The GnuTLS library does support ALPN (since 2013, it seems). My understanding is
Eric> that definitions for the two functions described here would need to be added to
Eric> gnutls.c:
Eric> https://www.gnutls.org/manual/html_node/Application-Layer-Protocol-Negotiation-_0028ALPN_0029.html
Why would we need the 'get' API? Did you want to be able to set the
GNUTLS_ALPN_MANDATORY flag and fail the connection?
For the 'set' I guess we could add a keyword parameter to
`gnutls-negotiate' and its callers, and pass that down to
`gnutls-boot-parameters'.
Robert
--
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: ALPN support for GnuTLS connections
2024-09-30 9:21 ` Robert Pluim
@ 2024-09-30 10:21 ` Eric Marsden
2024-09-30 13:13 ` Robert Pluim
0 siblings, 1 reply; 5+ messages in thread
From: Eric Marsden @ 2024-09-30 10:21 UTC (permalink / raw)
To: Robert Pluim; +Cc: emacs-devel
On 30/09/2024 11:21, Robert Pluim wrote:
> Why would we need the 'get' API? Did you want to be able to set the
> GNUTLS_ALPN_MANDATORY flag and fail the connection?
I don't think this is a critical requirement, but I see that some
software using GnuTLS offers the possibility to fail the connection
if the selected application protocol is not in the requested list
(for example, the "--alpn-fatal" commandline argument to gnutls-serv).
> For the 'set' I guess we could add a keyword parameter to
> `gnutls-negotiate' and its callers, and pass that down to
> `gnutls-boot-parameters'.
That sounds good to me. Something like :alpn-protocols that
accepts a list of strings, or a comma-separated string.
(I should add that I am not volunteering to implement this; I have
no confidence in my ability to write the constrained type of C
needed for the Emacs core.)
Eric
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: ALPN support for GnuTLS connections
2024-09-30 10:21 ` Eric Marsden
@ 2024-09-30 13:13 ` Robert Pluim
2024-09-30 17:26 ` Eric Marsden
0 siblings, 1 reply; 5+ messages in thread
From: Robert Pluim @ 2024-09-30 13:13 UTC (permalink / raw)
To: Eric Marsden; +Cc: emacs-devel
>>>>> On Mon, 30 Sep 2024 12:21:30 +0200, Eric Marsden <eric.marsden@risk-engineering.org> said:
Eric> On 30/09/2024 11:21, Robert Pluim wrote:
>> Why would we need the 'get' API? Did you want to be able to set the
>> GNUTLS_ALPN_MANDATORY flag and fail the connection?
Eric> I don't think this is a critical requirement, but I see that some
Eric> software using GnuTLS offers the possibility to fail the connection
Eric> if the selected application protocol is not in the requested list
Eric> (for example, the "--alpn-fatal" commandline argument to gnutls-serv).
OK, weʼll leave it aside for now.
>> For the 'set' I guess we could add a keyword parameter to
>> `gnutls-negotiate' and its callers, and pass that down to
>> `gnutls-boot-parameters'.
Eric> That sounds good to me. Something like :alpn-protocols that
Eric> accepts a list of strings, or a comma-separated string.
Eric> (I should add that I am not volunteering to implement this; I have
Eric> no confidence in my ability to write the constrained type of C
Eric> needed for the Emacs core.)
Think of it as a learning experience :-)
The existing code in `gnutls-boot' already does very similar things
for other parameters. If I propose a patch, could you test it? I
should be able to have something by the end of the week.
Robert
--
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2024-09-30 17:26 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-09-29 8:23 ALPN support for GnuTLS connections Eric Marsden
2024-09-30 9:21 ` Robert Pluim
2024-09-30 10:21 ` Eric Marsden
2024-09-30 13:13 ` Robert Pluim
2024-09-30 17:26 ` Eric Marsden
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).