ALPN support for GnuTLS connections

ALPN support for GnuTLS connections

[Eric Marsden]

Hello,

The GnuTLS support in Emacs does not seem to support the TLS extension
Application Layer Protocol Negotiation (ALPN). ALPN is no longer just useful for
faster TLS handshakes (in HTTP/2, for example); it is mandatory in certain uses
of TLS.

The GnuTLS library does support ALPN (since 2013, it seems). My understanding is
that definitions for the two functions described here would need to be added to
gnutls.c:

   https://www.gnutls.org/manual/html_node/Application-Layer-Protocol-Negotiation-_0028ALPN_0029.html


Use case: the recent 17.0 release of PostgreSQL has added a "direct TLS"
connection mode which requires ALPN. Some hosted PostgreSQL providers only offer
direct TLS connections (I presume this allows them to use standard TLS
gateways). I would like to allow connections to these services using the pg-el
library (https://github.com/emarsden/pg-el), which implements the PostgreSQL
wire protocol.

Re: ALPN support for GnuTLS connections

[Robert Pluim]

>>>>> On Sun, 29 Sep 2024 10:23:17 +0200, Eric Marsden <eric.marsden@risk-engineering.org> said:

    Eric> Hello,
    Eric> The GnuTLS support in Emacs does not seem to support the TLS extension
    Eric> Application Layer Protocol Negotiation (ALPN). ALPN is no longer just useful for
    Eric> faster TLS handshakes (in HTTP/2, for example); it is mandatory in certain uses
    Eric> of TLS.

    Eric> The GnuTLS library does support ALPN (since 2013, it seems). My understanding is
    Eric> that definitions for the two functions described here would need to be added to
    Eric> gnutls.c:

    Eric>   https://www.gnutls.org/manual/html_node/Application-Layer-Protocol-Negotiation-_0028ALPN_0029.html

Why would we need the 'get' API? Did you want to be able to set the
GNUTLS_ALPN_MANDATORY flag and fail the connection?

For the 'set' I guess we could add a keyword parameter to
`gnutls-negotiate' and its callers, and pass that down to
`gnutls-boot-parameters'.

Robert
-- 

Re: ALPN support for GnuTLS connections

[Eric Marsden]

On 30/09/2024 11:21, Robert Pluim wrote:
> Why would we need the 'get' API? Did you want to be able to set the
> GNUTLS_ALPN_MANDATORY flag and fail the connection?

I don't think this is a critical requirement, but I see that some
software using GnuTLS offers the possibility to fail the connection
if the selected application protocol is not in the requested list
(for example, the "--alpn-fatal" commandline argument to gnutls-serv).


> For the 'set' I guess we could add a keyword parameter to
> `gnutls-negotiate' and its callers, and pass that down to
> `gnutls-boot-parameters'.

That sounds good to me. Something like :alpn-protocols that
accepts a list of strings, or a comma-separated string.

(I should add that I am not volunteering to implement this; I have
no confidence in my ability to write the constrained type of C
needed for the Emacs core.)

Eric

Re: ALPN support for GnuTLS connections

[Robert Pluim]

>>>>> On Mon, 30 Sep 2024 12:21:30 +0200, Eric Marsden <eric.marsden@risk-engineering.org> said:

    Eric> On 30/09/2024 11:21, Robert Pluim wrote:
    >> Why would we need the 'get' API? Did you want to be able to set the
    >> GNUTLS_ALPN_MANDATORY flag and fail the connection?

    Eric> I don't think this is a critical requirement, but I see that some
    Eric> software using GnuTLS offers the possibility to fail the connection
    Eric> if the selected application protocol is not in the requested list
    Eric> (for example, the "--alpn-fatal" commandline argument to gnutls-serv).

OK, weʼll leave it aside for now.

    >> For the 'set' I guess we could add a keyword parameter to
    >> `gnutls-negotiate' and its callers, and pass that down to
    >> `gnutls-boot-parameters'.

    Eric> That sounds good to me. Something like :alpn-protocols that
    Eric> accepts a list of strings, or a comma-separated string.

    Eric> (I should add that I am not volunteering to implement this; I have
    Eric> no confidence in my ability to write the constrained type of C
    Eric> needed for the Emacs core.)

Think of it as a learning experience :-)

The existing code in `gnutls-boot' already does very similar things
for other parameters. If I propose a patch, could you test it? I
should be able to have something by the end of the week.

Robert
-- 

Re: ALPN support for GnuTLS connections

[Eric Marsden]

On 30/09/2024 15:13, Robert Pluim wrote:
> The existing code in `gnutls-boot' already does very similar things
> for other parameters. If I propose a patch, could you test it? I
> should be able to have something by the end of the week.

Sure, I would be glad to test a patch.

Eric