Re: [TLS] Recommending ALPN / backwards compatibility

ml+ietf-tls@esmtp.org Sat, 08 May 2021 09:11 UTC

Date: Sat, 8 May 2021 11:11:11 +0200
From: <ml+ietf-tls@esmtp.org>
To: tls@ietf.org
Message-ID: <20210508091111.GA50514@kiel.esmtp.org>
Reply-To: tls@ietf.org
References: <161921129877.20343.10624609154750488813@ietfa.amsl.com> <034F6C49-0195-4FAF-9EF2-1E39E809F902@sinodun.com> <7d8fa1d2-ef1a-4ed3-b660-955248a4ec63@www.fastmail.com> <753E5DAA-37C6-4F82-829D-29DA5458C1DB@akamai.com> <fe80ee08-eebc-45cf-8d83-51f2da83cb96@www.fastmail.com> <0f9101d73d89$a3f252e0$ebd6f8a0$@gmail.com> <2d256f02-95f8-44e5-93ab-239478a53a41@www.fastmail.com>
In-Reply-To: <2d256f02-95f8-44e5-93ab-239478a53a41@www.fastmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/KE6tteKY3biRD8AyAKrSnQE0NDg>
Subject: Re: [TLS] Recommending ALPN / backwards compatibility

On Fri, Apr 30, 2021, Martin Thomson wrote:
> An existing application protocol might not have been assigned an
> ALPN identifier.  For other protocols the ALPN identifier might
> not have been part of the original protocol definition, or use of
> ALPN might have been defined originally as being optional.

Sorry for this stupid/simple question but I cannot find a way for
a client to determine whether a server

1. does not support ALPN.
2. supports ALPN but did not select a protocol.

It seems it is only possible to return a selected protocol,
not an "empty" protocol to indicate case 2, correct?

IMHO this would be useful for backwards compatibility / migrating a
protocol to support ALPN.  RFC 7301 states the server "SHALL" abort
in this case:

3.2.  Protocol Selection
...  In the event that the server supports no
   protocols that the client advertises, then the server SHALL respond
   with a fatal "no_application_protocol" alert.

but that might not be a good way to support migration, which probably
is why it is just "SHALL", not "MUST"?

Maybe it would be useful to specify an "empty"/"dummy" protocol,
which just states case 2, e.g., "NOMATCH"?

-- 
Address is valid for this mailing list only, please do not reply
to it directly, but to the list.
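As an added illustration (not code from this thread or from RFC 7301 itself), the following Python encodes and decodes the ALPN extension body with the RFC 7301 length bounds enforced. It shows why an "empty" answer cannot be put on the wire: ProtocolNameList is <2..2^16-1> and each ProtocolName is <1..2^8-1>, so a no-match server can only omit the extension or abort. Function and variable names are my own.

```python
import struct

ALPN_EXT_TYPE = 16  # application_layer_protocol_negotiation, RFC 7301 section 6


def encode_alpn(protocols):
    """Build ProtocolNameList <2..2^16-1> of ProtocolName <1..2^8-1> (RFC 7301 3.1)."""
    if not protocols:
        raise ValueError("ProtocolNameList needs at least one ProtocolName")
    body = b""
    for proto in protocols:
        raw = proto.encode("ascii")
        if not 1 <= len(raw) <= 255:
            raise ValueError("ProtocolName must be 1..255 bytes: %r" % proto)
        body += struct.pack("!B", len(raw)) + raw
    return struct.pack("!H", len(body)) + body


def decode_alpn(ext_body):
    """Parse an ALPN extension body; reject any length that violates RFC 7301 3.1."""
    if len(ext_body) < 2:
        raise ValueError("truncated ProtocolNameList length")
    (list_len,) = struct.unpack("!H", ext_body[:2])
    if list_len < 2 or 2 + list_len != len(ext_body):
        raise ValueError("ProtocolNameList length does not match extension body")
    names, pos, end = [], 2, 2 + list_len
    while pos < end:
        name_len = ext_body[pos]  # a zero-length name is not encodable
        pos += 1
        if name_len == 0 or pos + name_len > end:
            raise ValueError("invalid ProtocolName length")
        names.append(ext_body[pos:pos + name_len].decode("ascii"))
        pos += name_len
    return names


def server_select(client_offered, server_supported):
    """RFC 7301 3.2: the server chooses by its own preference order.
    None means no overlap, where the RFC says to send no_application_protocol."""
    for proto in server_supported:
        if proto in client_offered:
            return proto
    return None


def client_selected(server_extensions):
    """Client view of the ServerHello (dict ext_type -> body). An absent extension
    is all the client can observe; a present one must name exactly one protocol."""
    body = server_extensions.get(ALPN_EXT_TYPE)
    if body is None:
        return None
    names = decode_alpn(body)
    if len(names) != 1:
        raise ValueError("ServerHello ALPN must carry exactly one ProtocolName")
    return names[0]
```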