classification
Title: ALPN support for TLS
Type: enhancement Stage: resolved
Components: Extension Modules Versions: Python 3.5, Python 2.7
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: benjamin.peterson Nosy List: Arfrever, Dima.Tisnek, Lukasa, alex, benjamin.peterson, christian.heimes, giampaolo.rodola, haypo, janssen, jcea, mnot, ned.deily, pitrou, python-dev
Priority: normal Keywords: patch

Created on 2014-01-08 03:52 by mnot, last changed 2015-01-28 04:22 by ned.deily. This issue is now closed.

Files
File name Uploaded Description Edit
alpn.patch benjamin.peterson, 2015-01-23 20:32 review
alpn.patch benjamin.peterson, 2015-01-23 20:46 review
alpn.patch benjamin.peterson, 2015-01-23 21:07 review
Messages (15)
msg207660 - (view) Author: Mark Nottingham (mnot) Date: 2014-01-08 03:52
In #14204, support for NPN was added. Subsequently, NPN has been superseded by ALPN in the IETF, and support for it is coming in OpenSSL 1.0.2.

http://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg
http://rt.openssl.org/Ticket/Display.html?id=3073
http://git.openssl.org/gitweb/?p=openssl.git;a=blob;f=NEWS
msg223998 - (view) Author: Mark Nottingham (mnot) Date: 2014-07-25 20:38
HTTP/2 requires ALPN, BTW.
msg226479 - (view) Author: Cory Benfield (Lukasa) * Date: 2014-09-06 09:18
Updating to mention a concern with ALPN implementation. HTTP/2 requires that a cipher with AEAD be negotiated. However, it also allows for offering a wider range of cipher suites: if an AEAD cipher is not present, this will allow fallback to HTTP/1.1.

There's some interplay between ALPN and cipher selection here. We'll want to ensure that either ALPN negotiation can inform cipher selection or vice-versa, or writing a Python HTTP/2 server will get tricky fast.
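The interplay raised in this comment, worked through with the ALPN calls Python's `ssl` module now has, as an added example (not code from the thread or from alpn.patch). The standard library settles the ALPN protocol inside the handshake, so the application can only inspect `selected_alpn_protocol()` and `cipher()` afterwards. The AEAD test by cipher-name marker, the `"reject"` outcome and the `FakeHandshake` stand-in are assumptions made for illustration.

```python
import ssl

# Assumption: AEAD suites are recognised by markers in OpenSSL cipher names.
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")


def is_aead(cipher_name):
    """True if the OpenSSL cipher name denotes an AEAD suite (name heuristic)."""
    name = cipher_name.upper()
    return any(marker in name for marker in AEAD_MARKERS)


def make_server_context(certfile=None, keyfile=None):
    """Server context offering HTTP/2 first, HTTP/1.1 as the fallback."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    ctx.set_alpn_protocols(["h2", "http/1.1"])
    return ctx


def choose_protocol(tls):
    """Decide what to speak on a handshaken SSLSocket/SSLObject.

    Returns "h2", "http/1.1", or "reject" (hypothetical policy value).
    """
    alpn = tls.selected_alpn_protocol()   # None if ALPN was not negotiated
    cipher = tls.cipher()                 # (name, protocol, secret_bits) or None
    if alpn == "h2":
        # ALPN already committed to h2, so a non-AEAD cipher cannot be
        # repaired by quietly speaking HTTP/1.1; refuse the connection.
        return "h2" if cipher and is_aead(cipher[0]) else "reject"
    return "http/1.1"


class FakeHandshake:
    """Constructed stand-in for a finished handshake (not a real socket)."""
    def __init__(self, alpn, cipher_name):
        self._alpn, self._cipher = alpn, (cipher_name, "TLSv1.2", 128)
    def selected_alpn_protocol(self):
        return self._alpn
    def cipher(self):
        return self._cipher


if __name__ == "__main__":
    for alpn, name in [("h2", "ECDHE-RSA-AES128-GCM-SHA256"),
                       ("h2", "ECDHE-RSA-AES128-SHA"),
                       (None, "ECDHE-RSA-AES128-SHA")]:
        print(alpn, name, "->", choose_protocol(FakeHandshake(alpn, name)))
```

Restricting the context's cipher list to AEAD suites avoids the `"reject"` branch, at the cost of failing the handshake for clients that have none.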
msg234503 - (view) Author: Cory Benfield (Lukasa) * Date: 2015-01-22 17:12
Updating to note that OpenSSL 1.0.2 has been released[0], which makes this feature supportable.

[0]: https://mta.openssl.org/pipermail/openssl-announce/2015-January/000019.html
msg234523 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2015-01-22 22:57
Thanks. Now it needs someone to submit a patch.
msg234577 - (view) Author: Benjamin Peterson (benjamin.peterson) * (Python committer) Date: 2015-01-23 20:32
Here you are.
msg234578 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2015-01-23 20:33
Why is that "3.4.3"?
msg234579 - (view) Author: Benjamin Peterson (benjamin.peterson) * (Python committer) Date: 2015-01-23 20:36
On Fri, Jan 23, 2015, at 15:33, Antoine Pitrou wrote:
> 
> Antoine Pitrou added the comment:
> 
> Why is that "3.4.3"?

I wrote the patch on the 3.4 branch.
msg234580 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2015-01-23 20:36
Well, sure, but that means you plan to make it available in 3.4.3? Why is that?
msg234582 - (view) Author: Benjamin Peterson (benjamin.peterson) * (Python committer) Date: 2015-01-23 20:39
On Fri, Jan 23, 2015, at 15:36, Antoine Pitrou wrote:
> 
> Antoine Pitrou added the comment:
> 
> Well, sure, but that means you plan to make it available in 3.4.3? Why is
> that?

No, I'll apply it to 3.5.
msg234583 - (view) Author: Benjamin Peterson (benjamin.peterson) * (Python committer) Date: 2015-01-23 20:46
Here's the fixed 3.5 patch.
msg234584 - (view) Author: Benjamin Peterson (benjamin.peterson) * (Python committer) Date: 2015-01-23 21:07
update after review comments
msg234586 - (view) Author: Roundup Robot (python-dev) Date: 2015-01-23 21:43
New changeset be9fe0c66075 by Benjamin Peterson in branch 'default':
add support for ALPN (closes #20188)
https://hg.python.org/cpython/rev/be9fe0c66075

New changeset 7ce67d3f0908 by Benjamin Peterson in branch '2.7':
pep 466 backport of alpn (#20188)
https://hg.python.org/cpython/rev/7ce67d3f0908
msg234816 - (view) Author: STINNER Victor (haypo) * (Python committer) Date: 2015-01-27 10:16
_ssl cannot be compiled with LibreSSL anymore (on OpenBSD 5.5) because of ALPN: see issue #23329.
msg234872 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2015-01-28 04:22
_ssl.c cannot be compiled with pre-NPN versions of OpenSSL: see Issue23335.
History
Date | User | Action | Args
2015-01-28 04:22:36 | ned.deily | set | nosy: + ned.deily; messages: + msg234872
2015-01-27 10:16:13 | haypo | set | nosy: + haypo; messages: + msg234816
2015-01-25 17:22:01 | Arfrever | set | nosy: + Arfrever; versions: + Python 2.7
2015-01-23 21:43:03 | python-dev | set | status: open -> closed; nosy: + python-dev; messages: + msg234586; resolution: fixed; stage: commit review -> resolved
2015-01-23 21:33:58 | pitrou | set | assignee: benjamin.peterson; stage: patch review -> commit review
2015-01-23 21:07:56 | benjamin.peterson | set | files: + alpn.patch; messages: + msg234584
2015-01-23 20:46:48 | benjamin.peterson | set | files: + alpn.patch; messages: + msg234583
2015-01-23 20:39:47 | benjamin.peterson | set | messages: + msg234582
2015-01-23 20:36:57 | pitrou | set | messages: + msg234580
2015-01-23 20:36:09 | benjamin.peterson | set | messages: + msg234579
2015-01-23 20:33:46 | pitrou | set | messages: + msg234578
2015-01-23 20:32:08 | benjamin.peterson | set | files: + alpn.patch; nosy: + benjamin.peterson; messages: + msg234577; keywords: + patch; stage: needs patch -> patch review
2015-01-22 22:57:28 | pitrou | set | messages: + msg234523; stage: needs patch
2015-01-22 17:12:34 | Lukasa | set | messages: + msg234503
2014-09-06 09:18:54 | Lukasa | set | messages: + msg226479
2014-07-25 20:38:35 | mnot | set | messages: + msg223998
2014-06-05 23:14:29 | alex | set | nosy: + alex
2014-06-05 09:36:52 | Dima.Tisnek | set | nosy: + Dima.Tisnek
2014-04-28 09:48:24 | Lukasa | set | nosy: + Lukasa
2014-01-08 20:33:44 | jcea | set | nosy: + jcea
2014-01-08 11:16:39 | pitrou | set | nosy: + janssen, pitrou, giampaolo.rodola, christian.heimes; versions: - Python 3.1, Python 2.7, Python 3.2, Python 3.3, Python 3.4
2014-01-08 03:52:59 | mnot | create |