Re: [TLS] Application-Layer Protocol Settings

David Benjamin <> Tue, 07 July 2020 19:15 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6E2E53A09B9 for <>; Tue, 7 Jul 2020 12:15:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.749
X-Spam-Status: No, score=-2.749 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 181GMaAXly8x for <>; Tue, 7 Jul 2020 12:15:00 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 686C73A0A3B for <>; Tue, 7 Jul 2020 12:14:59 -0700 (PDT)
Received: from lists by with local (Exim 4.92) (envelope-from <>) id 1jst3G-00078T-5H for; Tue, 07 Jul 2020 19:14:46 +0000
Resent-Date: Tue, 07 Jul 2020 19:14:46 +0000
Resent-Message-Id: <>
Received: from ([]) by with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <>) id 1jst3F-00077V-7l for; Tue, 07 Jul 2020 19:14:45 +0000
Received: from ([2607:f8b0:4864:20::644]) by with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from <>) id 1jst3C-0001Wl-HG for; Tue, 07 Jul 2020 19:14:45 +0000
Received: by with SMTP id k4so2958175pld.12 for <>; Tue, 07 Jul 2020 12:14:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=pEoX3OXK7ndDnHp20diuDcqRDQcv9rICLKjdjRj8CWY=; b=TFSSIICd4Qv96KPHos00q+37R5eoRvQzgxhr0jlAXypoobamtujek44zyK1bBaK7C+ Bz351D6KlD3spw5q3m7brRdUT+gmBXLQulZCFwNm/pkkrHhNxyU7SfrH7Ch4oDV80gKw NtwNtE+0WlVd41BROqmV63uPC5TK3me4OCmTE=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=pEoX3OXK7ndDnHp20diuDcqRDQcv9rICLKjdjRj8CWY=; b=p7RiI8FtgK2QcUmNfvmOX119mJUxNbtl+mMOvaMBMlVf1LoIyHOU10fuk0KqLViwwu daYvgDPZEOyn7fykIFaLZsw9gKoZfw26hR/v2J+V4RHKlyrriZUBqcq7WlzbnyQrhxes xxvhdmhCLogEcvWHi0NsMLUcAzONOlGV3Bk6/KIgDpSB7jkN95dfNelRAu39LdXZn0fX nFKQbDC3YwkFOaDA1oLOmFWDA+AWLe4LFc8inkFNmtVpYWq/opjgUQnZUfZapKBzU/Bb tehf5N2LnlZCESAztF71YpflBtOkw+kJbjpz2X/1Cwiof0zSMF8hsnDXVEvCiCkmOX6n gwgg==
X-Gm-Message-State: AOAM533Ersry5MIf1U2mA3jHq8JKwfkcioktiby7Ki6fCW8nxGPH4ryx 7mKBmgzzLxO0ysLl582xw02YLtLWhERsAIp22t9MLNO8wg==
X-Google-Smtp-Source: ABdhPJwXcAaC5J+EsZKHg2wjMCGiCoZHSFRkbW9FNGOq3sXexRxzeQq9rSiMAZGeIgU2SwV77WYwesmh+9ipu2Fdm/w=
X-Received: by 2002:a17:90a:a78b:: with SMTP id f11mr5554838pjq.42.1594149270807; Tue, 07 Jul 2020 12:14:30 -0700 (PDT)
MIME-Version: 1.0
References: <> <>
In-Reply-To: <>
From: David Benjamin <>
Date: Tue, 7 Jul 2020 15:14:14 -0400
Message-ID: <>
To: Ben Schwartz <>
Cc: Victor Vasiliev <>, "" <>, HTTP Working Group <>
Content-Type: multipart/alternative; boundary="00000000000001ad4b05a9decd49"
Received-SPF: pass client-ip=2607:f8b0:4864:20::644;;
X-W3C-Hub-Spam-Status: No, score=-11.3
X-W3C-Scan-Sig: 1jst3C-0001Wl-HG e7f0d5754edbbf6f88b4b08b1f0acdd3
Subject: Re: [TLS] Application-Layer Protocol Settings
Archived-At: <>
X-Mailing-List: <> archive/latest/37850
Precedence: list
List-Id: <>
List-Help: <>
List-Post: <>
List-Unsubscribe: <>

Hi Ben,

(I’ve covered many of these points in my reply to Martin, so you may want
to read that first.)

Any solution here involves a TLS change, even for servers which currently
send half-RTT settings. See my reply to Martin for why. The question then
is which is more complex. As a TLS implementor, ALPS would be a very
straightforward extension to implement, while the work involved to make
half-RTT SETTINGS work would be a mess.

Transparently sending a fixed buffer of half-RTT data was indeed something
we’d thought about and rejected. In some circumstances, it may cause
deadlocks with TCP
And we still need an indicator for the client to safely wait for it. I/O
patterns are part of the protocol.

It’s also not the case that non-uniform backends must disable 0-RTT. That
is what 0-RTT rejection logic is for. Non-uniform deployments may get less
0-RTT than a uniform deployment, but it won’t break things. This is already
the case (ALPN must match) and unavoidable with any predictive mechanism
like 0-RTT.

Finally, you’re right to think about the coupling between TLS and HTTP for
0-RTT, but I believe you have the conclusion backwards. The TLS stack must
be deeply aware of what is stored in the TLS session, so the server can
reject 0-RTT when the remembered values are incompatible with its current
configuration (see HTTP/3
Otherwise the client will act thinking the server supports some extension
when, in reality, it does not. (Perhaps the server had to roll the feature

The simpler that TLS/HTTP interaction, the looser the coupling we can
manage, and checking opaque bytes for equality is the simplest possible
option here. Tighter coupling could be aware that, e.g.,
SETTINGS_MAX_CONCURRENT_STREAMS = 500 is compatible with 1000 but not 100.
The draft starts with the simplest option, given settings don’t change
much. It’s already the case that configuration changes, like cipher
preferences, may reject 0-RTT. (Note settings which do change can still be
sent in application data. ALPS’s purpose is to solve the reliable
negotiation problem, and any changing setting won’t be reliable in 0-RTT
anyway. Moving them out of ALPS entirely seems fairly clean.)


On Mon, Jul 6, 2020 at 10:23 PM Ben Schwartz <bemasc=> wrote:

> Thanks for this draft.  I believe this is an important problem for HTTP
> extensibility, and I'm glad to see work on a solution.
> It occurs to me that this solution requires pretty tight integration
> between the TLS termination and the HTTP backend.  Some TLS load balancers
> already support ALPN, but they would have to be extended to support ALPS,
> and I would worry about the potential for skew between the TLS terminator's
> claimed settings and the backend's actual settings.
> The draft says
>    1.  While the server is technically capable of sending configuration
>        to the peer as soon as it sends its Finished message, most TLS
>        implementations do not allow any application data to be sent
>        until the Finished message is received from the client.
> Fixing this might require a change to some TLS implementations, but the
> change to implement ALPS also seems significant.
> The proposed 0-RTT interaction also seems like it would create a
> significant risk of skew when a load balancer is in use, if the backend
> settings can change..  Deployments that can't guarantee uniform backends
> would have to disable 0-RTT (an unfortunate sacrifice for a feature that
> saves 1 RTT!).
> For load balancers, or any other situation where TLS and HTTP are loosely
> coupled, sending SETTINGS at 0.5-RTT would seem like a much simpler
> solution.  I know the draft mentions a few cases where this doesn't work
> well, but perhaps there's a middle ground of some sort.  For example:
> * If supporting generic 0.5-RTT forwarding is hard, TLS server
> implementations could offer a configuration to send an arbitrary fixed
> buffer at 0.5-RTT (depending on ALPN).  No standards change is required.
> * The application protocol (here HTTP) could indicate what state is
> guaranteed to persist across session resumption.  Although the preserved
> state here (SETTINGS) is ~static, in general this could include dynamic
> session state too.  This would move the change to HTTP, instead of TLS.
> On Mon, Jul 6, 2020 at 3:13 PM Victor Vasiliev <vasilvv=
>> wrote:
>> Hello TLS and HTTP working groups,
>> (QUIC WG bcc'd as this has been discussed there before)
>> Currently, we use SETTINGS frames as an extensibility mechanism in HTTP/2
>> and HTTP/3.  The SETTINGS frame is sent at the very beginning of TLS
>> application data; this approach, while simple, has some drawbacks.  The
>> most notable one is that when SETTINGS are used to negotiate extensions,
>> there is an entire round-trip where the client can send requests, but
>> doesn't know yet about any server extensions, thus making any
>> extension-dependant requests take an extra RTT.
>> The proposed solution to this problem is to move HTTP SETTINGS frame into
>> the TLS handshake.  Here are some issues where this has been discussed
>> before:
>>    -
>>    <>
>>    -
>>    -
>> I wrote up a draft for the TLS extension that would solve this problem:
>> I also wrote up a draft that explains how to use that extension with
>> HTTP, and defines some settings (the ones discussed here
>> <>) that would not be
>> possible without it:
>> I would appreciate feedback on those drafts.
>> Thanks,
>>   Victor.
>> _______________________________________________
>> TLS mailing list
> _______________________________________________
> TLS mailing list