Re: [TLS] Encrypting ALPN and other unused extensions
mrex@sap.com (Martin Rex) Fri, 25 April 2014 17:36 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F9B01A068B for <tls@ietfa.amsl.com>; Fri, 25 Apr 2014 10:36:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.552
X-Spam-Level:
X-Spam-Status: No, score=-6.552 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S-aqGNRBiYoj for <tls@ietfa.amsl.com>; Fri, 25 Apr 2014 10:36:18 -0700 (PDT)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by ietfa.amsl.com (Postfix) with ESMTP id CB9D21A0229 for <tls@ietf.org>; Fri, 25 Apr 2014 10:36:17 -0700 (PDT)
Received: from mail05.wdf.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id s3PHa8la018393 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 25 Apr 2014 19:36:09 +0200 (MEST)
In-Reply-To: <535A8CED.7030805@pobox.com>
To: Michael D'Errico <mike-list@pobox.com>
Date: Fri, 25 Apr 2014 19:36:08 +0200
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20140425173608.E1A2E1ACE0@ld9781.wdf.sap.corp>
From: mrex@sap.com
X-SAP: out
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/INRDfyrvtxrAjlfnfYn4phBcF8s
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Encrypting ALPN and other unused extensions
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Apr 2014 17:36:20 -0000
Michael D'Errico wrote: > Watson Ladd wrote: > > > > Some extensions aren't used by the TLS layer, like ALPN. > > ALPN is used by the TLS layer. The requested protocol is > one of several inputs to a server's certificate selection > algorithm, along with the SNI. I agree that the information is conveyed within the TLS protocol, so the TLS stack may need to be able to pass this information between TLS stack an application, but there is no need that the TLS stack uses this information for anything. With TLS extension SNI, the server side TLS stack might even completely ignore the information, i.e. not implement it. A Hosting provider could set up an SNI-aware load balancer and dispatch/NAT incoming TLS sessions in opaque fashion to individual TLS servers, and the individual server can just ignore the contents of TLS extension SNI (or may not even implement it), and virtual hosting would still work just fine. There would be no server name confirmantion in ServerHello extensions, but that is a quite irrelevant part of TLS extension SNI. -Martin
- [TLS] Encrypting ALPN and other unused extensions Watson Ladd
- Re: [TLS] Encrypting ALPN and other unused extens… Eric Rescorla
- Re: [TLS] Encrypting ALPN and other unused extens… Michael D'Errico
- Re: [TLS] Encrypting ALPN and other unused extens… Martin Thomson
- Re: [TLS] Encrypting ALPN and other unused extens… Martin Rex
- Re: [TLS] Encrypting ALPN and other unused extens… Gero, Charlie
- Re: [TLS] Encrypting ALPN and other unused extens… Watson Ladd
- Re: [TLS] Encrypting ALPN and other unused extens… Martin Thomson
- Re: [TLS] Encrypting ALPN and other unused extens… Michael D'Errico
- Re: [TLS] Encrypting ALPN and other unused extens… Paul Hoffman
- Re: [TLS] Encrypting ALPN and other unused extens… Peter Gutmann
- Re: [TLS] Encrypting ALPN and other unused extens… Watson Ladd
- Re: [TLS] Encrypting ALPN and other unused extens… Michael D'Errico
- Re: [TLS] Encrypting ALPN and other unused extens… Watson Ladd
- Re: [TLS] Encrypting ALPN and other unused extens… Salz, Rich