Re: [TLS] TLS ALPN (rfc7301), no reserved seperator char and why is 0 no banned

Andrei Popov <> Wed, 15 April 2015 19:00 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id DBA2B1A8899 for <>; Wed, 15 Apr 2015 12:00:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.602
X-Spam-Status: No, score=-0.602 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_ILLEGAL_IP=1.3, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id O6I3mHy0qzbl for <>; Wed, 15 Apr 2015 12:00:22 -0700 (PDT)
Received: from ( [IPv6:2a01:111:f400:fc10::1:783]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 7F4811A8852 for <>; Wed, 15 Apr 2015 12:00:16 -0700 (PDT)
Received: from ( by ( with Microsoft SMTP Server (TLS) id; Wed, 15 Apr 2015 18:59:57 +0000
Received: from ( by ( with Microsoft SMTP Server (TLS) id; Wed, 15 Apr 2015 18:59:55 +0000
Received: from ([]) by ([]) with mapi id 15.01.0136.026; Wed, 15 Apr 2015 18:59:55 +0000
From: Andrei Popov <>
To: Martin Thomson <>
Thread-Topic: [TLS] TLS ALPN (rfc7301), no reserved seperator char and why is 0 no banned
Date: Wed, 15 Apr 2015 18:59:55 +0000
Message-ID: <>
References: <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
authentication-results:; dkim=none (message not signed) header.d=none;
x-originating-ip: [2001:4898:80e8:ed31::3]
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:; SRVR:BN3PR0301MB1252; UriScan:; BCL:0; PCL:0; RULEID:; SRVR:BN3PR0301MB1267;
x-forefront-antispam-report: BMV:1; SFV:NSPM; SFS:(10019020)(6009001)(377454003)(13464003)(19580395003)(93886004)(19580405001)(86612001)(76176999)(86362001)(54356999)(122556002)(99286002)(102836002)(50986999)(40100003)(2950100001)(2900100001)(77156002)(62966003)(33656002)(46102003)(74316001)(2656002)(110136001)(87936001)(92566002)(106116001)(76576001)(7059030)(3826002)(217873001); DIR:OUT; SFP:1102; SCL:1; SRVR:BN3PR0301MB1252;; FPR:; SPF:None; MLV:sfv; LANG:en;
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(5002010)(5005006); SRVR:BN3PR0301MB1252; BCL:0; PCL:0; RULEID:; SRVR:BN3PR0301MB1252;
x-forefront-prvs: 0547116B72
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Apr 2015 18:59:55.2534 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN3PR0301MB1252
Archived-At: <>
Cc: "" <>
Subject: Re: [TLS] TLS ALPN (rfc7301), no reserved seperator char and why is 0 no banned
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 15 Apr 2015 19:00:24 -0000

Since the ALPN RFC allows the use of octet strings as ALPN IDs, it seems wrong to characterize non-ASCII IDs as "junk" or "crazy" values. ALPN IDs are not intended for display to the user, and don't have to consist of ASCII characters.

It is true that one could implement an API that only takes NUL-terminated ASCII ALPN IDs. Such an API would be limited in that it's only useable with a subset of allowed ALPN IDs (but admittedly some people can live with that). It is more important that the ALPN I-D matching code treat the IDs correctly, as length-prefixed byte arrays.



-----Original Message-----
From: Martin Thomson [] 
Sent: Wednesday, April 15, 2015 11:38 AM
To: Andrei Popov
Cc: Hubert Kario;;
Subject: Re: [TLS] TLS ALPN (rfc7301), no reserved seperator char and why is 0 no banned

On 15 April 2015 at 11:14, Andrei Popov <> wrote:
> Having said that, ALPN RFC allows the use of arbitrary octet strings as ALPN IDs, so unfortunately the simple API that assumes NUL-terminated ASCII IDs is not sufficient. And of course any code that matches ALPN IDs has to perform the comparison of byte arrays rather than some form of string comparison.

Well, you *could* implement something that only took NUL-terminated ASCII labels.  That could still work, even if it encountered junk as long as the implementation correctly checked lengths first.  It would only fail to work if you actually need to talk to someone who wanted to include a crazy value.