From: Eric Marsden
Newsgroups: gmane.emacs.devel
Subject: Re: ALPN support for GnuTLS connections
Date: Thu, 31 Oct 2024 14:31:22 +0100
To: emacs-devel@gnu.org
Cc: rms@gnu.org
References: <7f11f60c-37da-4123-ae5b-98c79a132bb1@risk-engineering.org> <87zfnp1oqa.fsf@gmail.com> <3b0509fe-5a30-4e2a-a9fa-c196d79c81d4@risk-engineering.org> <87ttdx1dzy.fsf@gmail.com> <874j5o1fwe.fsf@gmail.com> <877cagukpe.fsf@gmail.com> <2aa6b215-5e12-4641-9d4c-daf6a5d77817@risk-engineering.org>

On 22/10/2024 07:38, Richard Stallman wrote:
> > For a service provider who makes it possible to access PostgreSQL
> > over the internet, there are many benefits to the new ALPN-based mechanism, such
> > as allowing the use of commercial “TLS gateways” (that do no application-level
> > processing) as entrypoints to their network.
> > I expect that over time, an increasing proportion of internet services will require ALPN.
>
> What is a TLS gateway, and what would a usage scenario look like?
> Who would choose to use one -- would it be the server, or the client?
>
> In particular, if you are running your own server and you could set up
> whatever network access methods you like, why would someone use a
> "gateway" to talk with your server? And presuming a decision to do
> that, why would someone want to use a "commercial" one?

(This is a little tangential to the relevance of ALPN to Emacs when operating as a TLS client; the main argument in favour in my view is the RFC “shall implement” requirement for ALPN that I mentioned previously, and the fact that some application protocols require ALPN. I will try to answer your question as best I can, but I’m not an expert on this topic.)

TLS gateways are more often called application gateways: a type of server used by service providers to dispatch requests originating from the outside network to a suitable backend server. They implement functionality such as load balancing and request filtering, and they often terminate TLS connections (this offloads expensive cryptographic processing from the backend servers, and centralizes the management of TLS certificates and access control rules). They are used by organizations that run large numbers of servers, as well as by small service providers who use “cloud” computing, where some types of services and features are implemented by application gateways.

My reason for mentioning this concerning Emacs’ ALPN support is that when Emacs establishes network connections as a client, the other end will often be a TLS-terminating application gateway. These gateways will, I believe, expand their use of ALPN in the future.

Eric
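As an added illustration of the gateway behaviour described in this message (example code written for this page, not code from Emacs, GnuTLS or any gateway product): a TLS-terminating gateway learns which backend a connection is for from the ALPN extension in the ClientHello, before any application bytes are exchanged, and so can dispatch a PostgreSQL connection and an HTTP connection arriving on the same port without inspecting either protocol. The snippet below builds a minimal ClientHello carrying an ALPN extension (the random value and cipher list are constructed placeholders), parses the extension back out per RFC 7301, and applies the server-preference selection the RFC describes. The backend names and the mapping are constructed; the ALPN identifiers "h2" and "http/1.1" are IANA-registered, and "postgresql" is the identifier PostgreSQL's direct TLS mode uses (stated from my knowledge, not from the message). The two failure modes a gateway operator cares about are covered: a client that sends no ALPN at all cannot be dispatched this way, and a client whose offered protocols overlap with none of the gateway's is refused with the RFC's no_application_protocol alert rather than handed to an arbitrary backend.

```python
"""Parse the ALPN extension of a TLS ClientHello and dispatch the way a
TLS-terminating gateway would.  Constructed example; not code from the
message, Emacs or GnuTLS."""
import struct

ALPN_EXTENSION_TYPE = 16        # RFC 7301: application_layer_protocol_negotiation
NO_APPLICATION_PROTOCOL = 120   # RFC 7301 section 3.2 fatal alert value


def build_client_hello(alpn_protocols):
    """Minimal TLS 1.2-style ClientHello record whose only extension is ALPN.
    Random bytes and the single cipher suite are constructed placeholders."""
    names = b"".join(struct.pack("!B", len(p)) + p.encode("ascii")
                     for p in alpn_protocols)
    alpn_data = struct.pack("!H", len(names)) + names
    extensions = b""
    if alpn_protocols:
        extensions = struct.pack("!HH", ALPN_EXTENSION_TYPE, len(alpn_data)) + alpn_data
    body = (b"\x03\x03"                       # client_version
            + b"\x11" * 32                    # random (constructed)
            + b"\x00"                         # session_id: empty
            + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite
            + b"\x01\x00"                     # compression_methods: null only
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type + uint24 length
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def _take(buf, pos, n):
    """Slice n bytes at pos, raising ValueError instead of silently truncating."""
    if pos + n > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[pos:pos + n], pos + n


def _u8(buf, pos):
    b, pos = _take(buf, pos, 1)
    return b[0], pos


def _u16(buf, pos):
    b, pos = _take(buf, pos, 2)
    return struct.unpack("!H", b)[0], pos


def _parse_alpn_list(data):
    """ProtocolNameList: uint16 length, then (uint8 length, name) entries."""
    list_len, p = _u16(data, 0)
    if list_len == 0 or p + list_len != len(data):
        raise ValueError("bad ALPN protocol_name_list length")
    names = []
    while p < len(data):
        n, p = _u8(data, p)
        if n == 0:                      # RFC 7301 forbids empty protocol names
            raise ValueError("empty ALPN protocol name")
        raw, p = _take(data, p, n)
        names.append(raw.decode("ascii"))
    return names


def parse_alpn(record):
    """Return the ALPN names a ClientHello offers, None if it carries no ALPN
    extension, and raise ValueError on malformed input."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs, _ = _take(record, 5, rec_len)
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body, _ = _take(hs, 4, hs_len)
    pos = 2 + 32                                    # client_version + random
    sid_len, pos = _u8(body, pos); pos += sid_len   # session_id
    cs_len, pos = _u16(body, pos); pos += cs_len    # cipher_suites
    cm_len, pos = _u8(body, pos); pos += cm_len     # compression_methods
    if pos == len(body):
        return None                                 # legacy hello, no extensions block
    ext_len, pos = _u16(body, pos)
    exts, pos = _take(body, pos, ext_len)
    if pos != len(body):
        raise ValueError("trailing bytes after extensions")
    p = 0
    while p < len(exts):
        etype, p = _u16(exts, p)
        elen, p = _u16(exts, p)
        edata, p = _take(exts, p, elen)
        if etype == ALPN_EXTENSION_TYPE:
            return _parse_alpn_list(edata)
    return None


def route(record, backends):
    """Gateway dispatch.  `backends` maps ALPN id -> backend, in the gateway's
    own preference order; RFC 7301 leaves the choice to the server side."""
    offered = parse_alpn(record)
    if offered is None:
        return ("no-alpn", None)        # cannot dispatch without reading application data
    for alpn_id, backend in backends.items():
        if alpn_id in offered:
            return (alpn_id, backend)
    return ("alert", NO_APPLICATION_PROTOCOL)   # fail closed, per RFC 7301 section 3.2


if __name__ == "__main__":
    # Constructed gateway configuration: two pools behind one listening port.
    BACKENDS = {"h2": "web-pool", "http/1.1": "web-pool", "postgresql": "pg-primary"}
    for offer in (["postgresql"], ["http/1.1", "h2"], [], ["imap"]):
        print(offer, "->", route(build_client_hello(offer), BACKENDS))
```

Note that the gateway never looks past the ClientHello: a PostgreSQL client that identifies itself via ALPN is routed on the handshake alone, while a client that omits ALPN leaves the gateway with no protocol-agnostic way to choose a backend, which is the operational reason such gateways push clients towards sending it.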