Re: [TLS] SNI and ALPN -- which firsr?

Martin Thomson <> Wed, 30 July 2014 16:42 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 82D181A0242 for <>; Wed, 30 Jul 2014 09:42:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id nXNBszDzJCPE for <>; Wed, 30 Jul 2014 09:42:18 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:400c:c05::22b]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 891B41A0197 for <>; Wed, 30 Jul 2014 09:42:18 -0700 (PDT)
Received: by with SMTP id hi2so7860567wib.4 for <>; Wed, 30 Jul 2014 09:42:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=1zafjxogWOrGvLsPlzlGeCLKSe4815s9qet41k7+OU4=; b=zk2lrKJxxBBN6wmJjq5wj9omBvu+ND1iXc3BNYxNGdBMpzyRXw1FXFPTuVGVzwSxA0 kgUhGFf8diRl04scZnwBkUzE0Y9VqdI+bYKXExxkBAzO55g7sqpKB6FyBE5PaNDhA5tf e+GllX7P1yIQUumdjdo6kLvFcWl0w30p2aqtTnAsqDeYb4Z0j6BuU44xQN35wVV+KZAh 21dIX0VZ/JoPxGdxR/uDupMmV8LKg21lQKCR01dG/up7AUUl/hc+wy4G+qkk6DRNB19n bTR4bNbqZmcuCK7ZVxYlss6z8bJqykt59HEGpbXbmIkTOPs3XQVWX2JQgnNZLFCtnPUL AytQ==
MIME-Version: 1.0
X-Received: by with SMTP id gb10mr8398451wib.65.1406738537119; Wed, 30 Jul 2014 09:42:17 -0700 (PDT)
Received: by with HTTP; Wed, 30 Jul 2014 09:42:17 -0700 (PDT)
In-Reply-To: <>
References: <> <> <>
Date: Wed, 30 Jul 2014 09:42:17 -0700
Message-ID: <>
From: Martin Thomson <>
To: "Salz, Rich" <>
Content-Type: text/plain; charset=UTF-8
Cc: " \(\)" <>
Subject: Re: [TLS] SNI and ALPN -- which firsr?
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 30 Jul 2014 16:42:22 -0000

On 30 July 2014 09:29, Salz, Rich <> wrote:
> A fixed order of precedence is generally a good thing.  Among other things, it forces you to think about  the interactions and encourages consistent behavior.  For example, which do YOU think should be done first?

I can imagine several different, but equally valid deployment
configurations that suggest either.

You could divide back-end servers by protocol.  Each of them can
handle the complete set of names that are served (,,, etc...), but one pool does
HTTP/1.1 and the other does HTTP/2.  In that case, you would route on
ALPN.  This is even more important if we start seeing clients connect
with an "xmpp" token rather than an "h2" or "http/1.1" token.  This
might help with the very different connection management profiles of
different protocol versions.

An alternative, which I'd consider preferable in the HTTP case,
divides back-end machines by function (,, and all hosts can handle all the
application protocols.

Or you might combine these.  For instance, is a host
that responds to SNI for that name, or an "xmpp" ALPN for an
unqualified  Other hosts could use any of the other

Where order of processing becomes relevant is where there are errors
generated by both extensions.  Which error do you report?  Honestly,
I'd rather not mandate anything in a standard here, though I might
appreciate that determinism is valuable when developing a test plan
for a product.