Re: [TLS] Next protocol negotiation

Adam Langley <> Wed, 20 January 2010 15:06 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 7E9173A6917 for <>; Wed, 20 Jan 2010 07:06:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -106.977
X-Spam-Status: No, score=-106.977 tagged_above=-999 required=5 tests=[AWL=-1.000, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 1z-hVqPXmSs0 for <>; Wed, 20 Jan 2010 07:06:24 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 47A1E3A6855 for <>; Wed, 20 Jan 2010 07:06:22 -0800 (PST)
Received: from ( []) by with ESMTP id o0KF6F45019288 for <>; Wed, 20 Jan 2010 15:06:16 GMT
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed;; s=beta; t=1263999977; bh=mYdlScIyEfetZ5IO/QjqGb2Yu1g=; h=MIME-Version:In-Reply-To:References:Date:Message-ID:Subject:From: To:Cc:Content-Type; b=j/kSZCxoAw8Ok7THiuc9kckx0dcAnuglr8IUs0t7SjldDwFIk+xPaqa5wZU8uBWaJ iAOVBs1Hws4QRd1vc+pSA==
DomainKey-Signature: a=rsa-sha1; s=beta;; c=nofws; q=dns; h=mime-version:in-reply-to:references:date:message-id:subject:from:to: cc:content-type:x-system-of-record; b=MOGQ2jjkWa+x+UhgS2Vb+iq69H0iZz4HWOFzBUOgAzURmDO3YYXmvwNHxhBeYIydP DpIvFnL/UhVv/mf+60bww==
Received: from pwj20 ( []) by with ESMTP id o0KF5fGw024770 for <>; Wed, 20 Jan 2010 07:06:14 -0800
Received: by pwj20 with SMTP id 20so3312210pwj.38 for <>; Wed, 20 Jan 2010 07:06:14 -0800 (PST)
MIME-Version: 1.0
Received: by with SMTP id b10mr50836wfj.253.1263999955247; Wed, 20 Jan 2010 07:05:55 -0800 (PST)
In-Reply-To: <>
References: <> <>
Date: Wed, 20 Jan 2010 07:05:55 -0800
Message-ID: <>
From: Adam Langley <>
To: Nikos Mavrogiannopoulos <>
Content-Type: text/plain; charset="UTF-8"
X-System-Of-Record: true
Subject: Re: [TLS] Next protocol negotiation
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 20 Jan 2010 15:06:25 -0000

On Wed, Jan 20, 2010 at 6:46 AM, Nikos Mavrogiannopoulos
<> wrote:
> I was wondering, why not do it the other way round. I mean why not
> upgrade to TLS from
> websockets using the rfc2817 method (Upgrading to TLS Within
> HTTP/1.1), or similar. Wouldn't
> that solve the need for a new TLS extension?

For WebSockets, the answer seems pretty clear: one should use HTTPS
URLs. In that case, the protocol to use is communicated before hand.
The WebSockets protocol is designed to look like an HTTP Upgrade to
HTTP servers[1].

My email might not have been too clear, but the problem that we have
is that we wish to negotiate SPDY[2] (not WebSockets). There are also
other protocols that want to use TLS over port 443 (Tor is one that
I'm most familiar with).

Using HTTP Upgrade is a possibility for this, as discussed:

"We could have wrapped the first request in an HTTP presentation.
Base64 encoding and the HTTP headers increase the size of the request.
Later disambiguation also makes the server side code less modular. Lastly,
it simply strikes one as the wrong thing to do; admiting defeat and
accepting an accumulation of protocol detritus."