From: Eric Marsden
To: Robert Pluim
Cc: emacs-devel@gnu.org
Newsgroups: gmane.emacs.devel
Subject: Re: ALPN support for GnuTLS connections
Date: Sat, 12 Oct 2024 11:30:41 +0200
In-Reply-To: <877cagukpe.fsf@gmail.com>
References: <7f11f60c-37da-4123-ae5b-98c79a132bb1@risk-engineering.org> <87zfnp1oqa.fsf@gmail.com> <3b0509fe-5a30-4e2a-a9fa-c196d79c81d4@risk-engineering.org> <87ttdx1dzy.fsf@gmail.com> <874j5o1fwe.fsf@gmail.com> <877cagukpe.fsf@gmail.com>

On 10/10/2024 15:54, Robert Pluim wrote:
> Patch below. Works in my limited testing.
Excellent, I can confirm that this works with the PostgreSQL 17.0 use case that I mentioned upthread, as well as with test servers from OpenSSL and Rustls (see the attached test file).

Remaining questions in my mind:

(1) It would be useful for elisp code to be able to determine whether Emacs has ALPN support. The elisp code will generally know that the service it's connecting to requires ALPN, and it would be useful to be able to inform the user that they should upgrade Emacs, instead of getting a generic "connection failed" error. The C preprocessor test HAVE_GNUTLS_ALPN_SET_PROTOCOLS isn't visible from elisp, nor is (I think?) the binding to gnutls_alpn_set_protocols. This might also be useful for other features such as the AEAD support. Perhaps a function such as gnutls-feature-available-p(:alpn)?

(2) The current behaviour of the connection failing only depending on the server's ALPN setting is, I think, less than ideal. If the server is not configured to request ALPN, sending ALPN does not lead to failure. If the server is looking for ALPN and wants another protocol, the connection fails. I think the default behaviour should be for the connection to fail if one of the ALPN protocols requested by the client is not selected: this seems to be more consistent and avoids a security attack called ALPACA, https://alpaca-attack.com/. This just requires a change to use GNUTLS_ALPN_MANDATORY (as well as updates to the documentation):

        ret = gnutls_alpn_set_protocols (state, protocols, count, GNUTLS_ALPN_MANDATORY);

In fact, reading the ALPACA web page, I see that TLS clients are recommended to use the SNI extension to indicate the server name that they wish to connect to, which gnutls.c is not currently doing. One thing at a time!

(3) Perhaps you could add the attached tiny patch to the logging support for gnutls.c (which is very verbose), so that an EAGAIN doesn't pollute logs at level 1.
Thanks,

Eric

[Attachment: alpn.el (text/x-emacs-lisp), decoded from base64]

;; ALPN testing for Emacs v31   -*- lexical-binding: t -*-
;;
;; Author: Eric Marsden <eric.marsden@risk-engineering.org>
;;
;; Perhaps a little inconsistent: if server is not configured to check ALPN, sending ALPN does not
;; lead to failure. If server is looking for ALPN and chooses another one, connection fails.

(require 'gnutls)

(defvar alpn-port 8881)
(defvar alpn-protocol "foobles")


(defun alpn-setup-certs ()
  (let* ((certdir (expand-file-name "certs" temporary-file-directory))
         (_ (make-directory certdir t))
         (default-directory certdir))
    (shell-command (concat "openssl req -new -nodes -text -out root.csr "
                           "-keyout root.key -subj '/CN=localhost'"))
    (set-file-modes "root.key" #o600)
    (shell-command (concat "openssl x509 -req -in root.csr -text -days 42 "
                           "-extfile /etc/ssl/openssl.cnf -extensions v3_ca "
                           "-signkey root.key -out root.crt"))
    (shell-command (concat "openssl req -new -nodes -text -out server.csr "
                           "-keyout server.key -subj '/CN=localhost'"))
    (set-file-modes "server.key" #o600)
    (shell-command (concat "openssl x509 -req -in server.csr -text -days 42 "
                           "-CA root.crt -CAkey root.key "
                           "-CAcreateserial -out server.crt"))
    (shell-command (concat "openssl req -new -nodes -out client.csr -keyout client.key "
                           "-subj '/CN=emacs'"))
    (shell-command (concat "openssl x509 -req -days 42 -in client.csr "
                           "-CA root.crt -CAkey root.key "
                           "-CAcreateserial -out client.crt"))
    certdir))

(defun alpn-setup/openssl (certdir)
  (let* ((cmd (format "openssl s_server -rev -port %d -cert %s -key %s -debug -alpn %s"
                      alpn-port
                      (expand-file-name "server.crt" certdir)
                      (expand-file-name "server.key" certdir)
                      alpn-protocol))
         (buf (get-buffer-create "*OpenSSL*")))
    (start-process-shell-command "openssl" buf cmd)))

(defun alpn-setup/rustls (certdir)
  (let* ((cargo (expand-file-name ".cargo/bin/cargo" (getenv "HOME")))
         (cmd (format "%s run --bin tlsserver-mio -- --port %d --certs %s --key %s --proto %s echo"
                      cargo
                      alpn-port
                      (expand-file-name "server.crt" certdir)
                      (expand-file-name "server.key" certdir)
                      alpn-protocol))
         (buf (get-buffer-create "*Rustls*"))
         ;; clone of https://github.com/rustls/rustls.git
         (default-directory "/tmp/rustls"))
    (start-process-shell-command "rustls" buf cmd)))

(defun alpn-fetch (certdir)
  (let* ((buf (generate-new-buffer " *ALPN*"))
         (process (open-network-stream "alpn" buf "localhost" alpn-port))
         (gnutls-log-level 2))
    (gnutls-negotiate :process process
                      :hostname "localhost"
                      :alpn-protocols (list alpn-protocol)
                      :trustfiles (list (expand-file-name "root.crt" certdir)))
    (process-send-string process "bizzles\n")
    (accept-process-output process 0.1)
    (with-current-buffer buf (buffer-string))))

(defun alpn-test-openssl ()
  (let ((certdir (alpn-setup-certs)))
    (alpn-setup/openssl certdir)
    (sleep-for 1)
    (message "ALPN> %s" (alpn-fetch certdir))))

(defun alpn-test-rustls ()
  (let ((certdir (alpn-setup-certs)))
    (alpn-setup/rustls certdir)
    (sleep-for 1)
    (message "ALPN> %s" (alpn-fetch certdir))))

[Attachment: log-retry.diff (text/x-patch), decoded from base64]

diff --git a/src/gnutls.c b/src/gnutls.c
index 334d1d4..edf6691 100644
--- a/src/gnutls.c
+++ b/src/gnutls.c
@@ -854,7 +854,7 @@ emacs_gnutls_handle_error (gnutls_session_t session, int err)
                        max_log_level,
                        "retry:",
                        str);
-	  FALLTHROUGH;
+	  break;
         default:
           GNUTLS_LOG2 (1,
                        max_log_level,
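Review bot: the replacement line `+	  break;` keeps the tab-plus-spaces indentation of the line it replaces, while every context line in this hunk is indented with spaces only; re-indent to match the surrounding `case`/`default` lines so the file does not mix styles at this spot. As far as the hunk shows the change itself is sound: nothing sits between the "retry:" GNUTLS_LOG2 call and `default:` except the fallthrough, so `break` only stops the retry case from also being reported through the level-1 log in `default:`, which is exactly what the message asks for. Worth stating that in the commit message, and confirming that nothing later in the `default:` branch, beyond the two context lines visible here, was relied on by the retry path.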
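As an added illustration of point (2) above, not part of the original message or of the Emacs patch under discussion: the three situations the message describes (server not configured for ALPN, server selecting the offered protocol, server wanting a different protocol) exercised against an in-process TLS echo server, using Go's crypto/tls in place of GnuTLS. The client-side `mandatory` flag stands in for what the message asks GNUTLS_ALPN_MANDATORY to achieve, refusing the connection whenever the server did not select one of the protocols the client offered; the function names (`alpnEcho`, `echoServer`, `selfSignedCert`, `ErrNoALPN`) and the throw-away self-signed certificate are constructed for this example, while the protocol name "foobles" and the probe line "bizzles" are taken from the attached alpn.el.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// ErrNoALPN is what the client returns when it insists on ALPN (the
// GNUTLS_ALPN_MANDATORY behaviour argued for in the message) and the
// server negotiated none of the offered protocols.
var ErrNoALPN = errors.New("alpn: server did not select any of the offered protocols")

// selfSignedCert builds a throw-away self-signed certificate for "localhost"
// in memory (a constructed test credential, standing in for the certificates
// that alpn.el generates with the openssl CLI).
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "localhost"},
		DNSNames:              []string{"localhost"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// echoServer accepts one TLS connection, echoes one line back and exits.
// serverProtos == nil means the server does no ALPN at all; a non-empty list
// means it aborts the handshake of any client whose offer does not overlap.
func echoServer(ln net.Listener, cert tls.Certificate, serverProtos []string, done chan<- error) {
	raw, err := ln.Accept()
	if err != nil {
		done <- err
		return
	}
	conn := tls.Server(raw, &tls.Config{Certificates: []tls.Certificate{cert}, NextProtos: serverProtos})
	defer conn.Close()
	line, err := bufio.NewReader(conn).ReadString('\n') // implicit handshake
	if err != nil {
		done <- err
		return
	}
	_, err = conn.Write([]byte(line))
	done <- err
}

// alpnEcho starts a fresh echo server on a loopback port and connects to it,
// offering clientProtos via ALPN and sending "localhost" as SNI. With mandatory
// set, the client refuses to proceed unless one of its offered protocols was
// selected; otherwise it carries on with whatever was (or was not) negotiated,
// which is the default behaviour the message describes. It returns the
// negotiated protocol name and the echoed line.
func alpnEcho(serverProtos, clientProtos []string, mandatory bool) (string, string, error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return "", "", err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", "", err
	}
	defer ln.Close()
	done := make(chan error, 1)
	go echoServer(ln, cert, serverProtos, done)

	raw, err := net.DialTimeout("tcp", ln.Addr().String(), 5*time.Second)
	if err != nil {
		return "", "", err
	}
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	conn := tls.Client(raw, &tls.Config{RootCAs: pool, ServerName: "localhost", NextProtos: clientProtos})
	if err := conn.Handshake(); err != nil {
		return "", "", err // e.g. the server's no_application_protocol alert
	}
	negotiated := conn.ConnectionState().NegotiatedProtocol
	if mandatory && negotiated == "" {
		return "", "", ErrNoALPN // mandatory ALPN: do not talk to a server that skipped it
	}
	if _, err := conn.Write([]byte("bizzles\n")); err != nil {
		return negotiated, "", err
	}
	echoed, err := bufio.NewReader(conn).ReadString('\n')
	if err != nil {
		return negotiated, "", err
	}
	<-done
	return negotiated, echoed, nil
}

func main() {
	cases := []struct {
		name      string
		server    []string
		mandatory bool
	}{
		{"server without ALPN, client lenient", nil, false},
		{"server without ALPN, client mandatory", nil, true},
		{"server offers foobles", []string{"foobles"}, true},
		{"server offers only another protocol", []string{"other"}, true},
	}
	for _, c := range cases {
		proto, echo, err := alpnEcho(c.server, []string{"foobles"}, c.mandatory)
		fmt.Printf("%-40s proto=%q echo=%q err=%v\n", c.name, proto, echo, err)
	}
}
```

Run as written, `main` prints one line per case: the lenient client accepts the ALPN-less server with an empty negotiated protocol (the gap the ALPACA mitigation closes), the mandatory client returns ErrNoALPN in the same situation, both succeed with "foobles" when the server offers it, and a server whose list does not overlap aborts the handshake itself with a no_application_protocol alert, so the client never reaches the mandatory check. Setting `ServerName` on the client config is what sends the SNI extension the message notes gnutls.c is not yet sending.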