Re: HTTPS 2.0 without TLS extension?

Zhong Yu <zhong.j.yu@gmail.com> Mon, 22 July 2013 17:07 UTC

In-Reply-To: <CABaLYCtT33y3Gbh5rduHNL8hFsamz34epciG+36pYbkMdwpujQ@mail.gmail.com>
References: <CACuKZqEBAqXs-cQF1U-g3npaXGR0LEoXZYxDv-3a+ftn-YG=_g@mail.gmail.com> <CABaLYCtT33y3Gbh5rduHNL8hFsamz34epciG+36pYbkMdwpujQ@mail.gmail.com>
Date: Mon, 22 Jul 2013 11:47:48 -0500
Message-ID: <CACuKZqFvzHnHx31CFz640NG7bS65k=VErNY1riuOVpsOc_92aA@mail.gmail.com>
From: Zhong Yu <zhong.j.yu@gmail.com>
To: Mike Belshe <mike@belshe.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Subject: Re: HTTPS 2.0 without TLS extension?
Archived-At: <http://www.w3.org/mid/CACuKZqFvzHnHx31CFz640NG7bS65k=VErNY1riuOVpsOc_92aA@mail.gmail.com>

Suppose a TLS connection is established without ALPN. Then an HTTP/1.1
request is sent over with Upgrade: HTTP/2.0. How should the server
respond?

1. drop the connection
2. respond with a 400 error
3. ignore Upgrade header, treat it as a normal request
4. upgrade the connection to 2.0

The simplest and most sensible thing to do seems to be #4. If
that's the case, it means most servers would not enforce the
requirement of ALPN. This may start an evolution path in which,
under the pressure of interoperability, eventually all implementations
treat ALPN as optional.

Though the "Upgrade" mechanism is less ideal than ALPN, since the server
must support it anyway on TCP connections, I don't see why we should
forbid it on TLS connections.

Zhong Yu


On Mon, Jul 22, 2013 at 11:01 AM, Mike Belshe <mike@belshe.com> wrote:
> It should be available quite easily through OpenSSL and NSS long before
> http/2 ships.
>
> The structured integration with the SSL handshake is a much cleaner
> protocol.
>
> Mike
>
>
>
> On Mon, Jul 22, 2013 at 5:06 AM, Zhong Yu <zhong.j.yu@gmail.com> wrote:
>>
>> The draft mandates the TLS extension ALPN for any https 2.0 connection,
>> but why is that necessary? Why can't we also establish an https 2.0
>> connection through the Upgrade mechanism, without ALPN? The TLS extension
>> may not be available/convenient on some platforms for some time;
>> requiring it may discourage some potential implementers.
>>
>> Zhong Yu
>>
>
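The four-way choice the message above poses, worked through as an added example. This is not code from the thread, from the draft, or from any HTTP/2 implementation; it assumes the draft-era upgrade token `HTTP/2.0` and an `HTTP2-Settings` request header carrying the client's initial settings (both labelled as assumptions in the code), and the request bytes are constructed. It goes slightly beyond the message by carrying both policies side by side: the draft's "ALPN is mandatory on TLS" rule and the position argued in the thread, selectable with one flag.

```python
"""Added example: how a server might dispatch an HTTP/1.1 request that arrives
on a TLS connection and asks for an upgrade to HTTP/2.0 without ALPN.
Not code from the thread or from any HTTP/2 implementation."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Upgrade token used in the draft under discussion (assumption).
UPGRADE_TOKEN = "HTTP/2.0"
# Header the draft's Upgrade path uses for the client's initial SETTINGS (assumption).
SETTINGS_HEADER = "http2-settings"


@dataclass
class Request:
    method: str
    target: str
    version: str
    headers: Dict[str, List[str]] = field(default_factory=dict)  # lower-cased name -> values


def parse_head(raw: bytes) -> Request:
    """Parse the request line and header fields of an HTTP/1.1 message head."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    req = Request(*parts)
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        # Reject empty names and leading whitespace (obsolete line folding).
        if not colon or not name or name != name.strip():
            raise ValueError("malformed header line: %r" % line)
        req.headers.setdefault(name.lower(), []).append(value.strip())
    return req


def tokens(req: Request, name: str) -> List[str]:
    """Comma-separated list members of a header, merged across repeated fields."""
    out: List[str] = []
    for value in req.headers.get(name, []):
        out.extend(t.strip() for t in value.split(",") if t.strip())
    return out


def decide(req: Request, over_tls: bool, alpn_protocol: Optional[str],
           require_alpn_on_tls: bool = False) -> str:
    """Return '400', 'ignore' or 'upgrade' (options 2, 3 and 4 in the thread).

    require_alpn_on_tls=True is the draft's rule; False is the position argued above.
    """
    # HTTP/1.1 only lets Upgrade be acted on when Connection lists it (RFC 2616 s14.42).
    upgrade_requested = (UPGRADE_TOKEN in tokens(req, "upgrade")
                         and any(t.lower() == "upgrade" for t in tokens(req, "connection")))
    if not upgrade_requested:
        return "ignore"          # option 3: an ordinary HTTP/1.1 request
    if alpn_protocol is not None:
        # ALPN already fixed the protocol in the handshake; an in-band Upgrade that
        # contradicts it is a protocol-confusion smell, so refuse it.
        return "400"             # option 2
    if over_tls and require_alpn_on_tls:
        return "400"             # option 2: the draft's mandatory-ALPN rule
    if SETTINGS_HEADER not in req.headers:
        return "400"             # option 2: upgrade request is incomplete
    return "upgrade"             # option 4, on TLS or plain TCP alike


def handle(raw: bytes, over_tls: bool, alpn_protocol: Optional[str],
           require_alpn_on_tls: bool = False) -> str:
    """Full dispatch including option 1: drop a connection whose head cannot be parsed."""
    try:
        req = parse_head(raw)
    except ValueError:
        return "drop"
    return decide(req, over_tls, alpn_protocol, require_alpn_on_tls)


def upgrade_response() -> bytes:
    """The 101 that switches the connection; HTTP/2.0 framing follows it on the wire."""
    return (b"HTTP/1.1 101 Switching Protocols\r\n"
            b"Connection: Upgrade\r\n"
            b"Upgrade: " + UPGRADE_TOKEN.encode("ascii") + b"\r\n\r\n")


# Constructed sample request; the HTTP2-Settings value is a placeholder and is not decoded.
SAMPLE_UPGRADE = (b"GET / HTTP/1.1\r\n"
                  b"Host: example.org\r\n"
                  b"Connection: Upgrade, HTTP2-Settings\r\n"
                  b"Upgrade: HTTP/2.0\r\n"
                  b"HTTP2-Settings: AAAAAA\r\n\r\n")

if __name__ == "__main__":
    print(handle(SAMPLE_UPGRADE, over_tls=True, alpn_protocol=None))
    print(handle(SAMPLE_UPGRADE, over_tls=True, alpn_protocol=None, require_alpn_on_tls=True))
```

The two calls at the bottom show the same request getting "upgrade" under the lenient policy and "400" under the draft's rule; the `Connection: Upgrade` and `HTTP2-Settings` checks are the ones an implementer would want regardless of which policy wins, since acting on a bare `Upgrade` header that the hop-by-hop rules say to ignore is how intermediaries and origins end up disagreeing about what protocol a connection is speaking.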