Ruby Issue Tracking System
Ruby master - Feature #6503: Support for the NPN extension to TLS/SSL | https://redmine.ruby-lang.org/issues/6503?journal_id=26853 | 2012-05-27T19:25:21Z | mame (Yusuke Endoh), mame@ruby-lang.org
<ul><li><strong>Status</strong> changed from <i>Open</i> to <i>Assigned</i></li><li><strong>Assignee</strong> set to <i>MartinBosslet (Martin Bosslet)</i></li></ul><p>Thank you Ilya!</p>
<p>Martin, could you tell me how hard is it to implement this?</p>
<p>--<br>
Yusuke Endoh <a href="mailto:mame@tsg.ne.jp" class="email">mame@tsg.ne.jp</a></p>
Ruby master - Feature #6503: Support for the NPN extension to TLS/SSL | https://redmine.ruby-lang.org/issues/6503?journal_id=27027 | 2012-06-06T07:32:22Z | davidbalbert (David Albert), davidbalbert@gmail.com
<p>If nobody has claimed this yet, I'm happy to take a crack at it over the next couple of days. I know the guy who wrote the Python patch and have a decent understanding of what went into it. It should not be a tremendous amount of work (famous last words). If there aren't any objections, I'll send a first pass at a patch soon.</p>
Ruby master - Feature #6503: Support for the NPN extension to TLS/SSL | https://redmine.ruby-lang.org/issues/6503?journal_id=27028 | 2012-06-06T08:31:02Z | MartinBosslet (Martin Bosslet), Martin.Bosslet@gmail.com
<p>Thanks, Ilya, for the links!</p>
<p><a class="user active user-mention" href="https://redmine.ruby-lang.org/users/18">@mame (Yusuke Endoh)</a>: I just checked the Python patch and what OpenSSL already provides and what would be needed on our side. It's really not too much, basically feeding OpenSSL API with parameters that we could make a part of SSL context objects. One thing that worries me though is that we have nothing to really test this.</p>
<p><a class="user active user-mention" href="https://redmine.ruby-lang.org/users/6075">@ilya (Ilya Boltnev)</a>: Would you have any ideas what we could do? The RFC is still in draft status, and I've followed the conversation in [1]. Can 13172 and 67 be taken for granted? :)</p>
<p><a class="user active user-mention" href="https://redmine.ruby-lang.org/users/1960">@david (david he)</a>: It's OK, I'll take this, but thanks for your support!</p>
<p>[1] <a href="http://www.ietf.org/mail-archive/web/tls/current/msg08605.html" class="external">http://www.ietf.org/mail-archive/web/tls/current/msg08605.html</a></p>
Ruby master - Feature #6503: Support for the NPN extension to TLS/SSL | https://redmine.ruby-lang.org/issues/6503?journal_id=27833 | 2012-07-06T03:23:40Z | igrigorik (Ilya Grigorik), igrigorik@gmail.com
<p>Hey guys, apologies about the wait.</p>
<p>@Martin: I don't follow the IANA politics, but for what it's worth, I would consider it stable at this point. The support is there in OpenSSL, we have 50% of the browser market share using it to negotiate SPDY (Chrome + FF), and we have commercial vendors like F5, Akamai, and others supporting it.. :-)</p>
<p>Also, just realized that I linked to wrong version earlier: <a href="http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-04" class="external">http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-04</a></p>
<p>As far as testing, this is a bit of a chicken and egg problem. There are no pure Ruby libraries that you can run this against.. For an integration test, you could try performing a handshake against a <a href="https://google.com" class="external">https://google.com</a> server and test the TLS upgrade. I do have a pure Ruby spdy gem, but it needs a few updates (NPN support is the missing link, really): <a href="http://github.com/igrigorik/spdy" class="external">http://github.com/igrigorik/spdy</a></p>
<p>Let me know how/if I can help.</p>
Ruby master - Feature #6503: Support for the NPN extension to TLS/SSL | https://redmine.ruby-lang.org/issues/6503?journal_id=27847 | 2012-07-06T15:53:16Z | duerst (Martin Dürst), duerst@it.aoyama.ac.jp
<p>On 2012/07/06 3:23, igrigorik (Ilya Grigorik) wrote:</p>
<blockquote>
<p>Issue <a class="issue tracker-2 status-5 priority-4 priority-default closed" title="Feature: Support for the NPN extension to TLS/SSL (Closed)" href="https://redmine.ruby-lang.org/issues/6503">#6503</a> has been updated by igrigorik (Ilya Grigorik).</p>
<p>Hey guys, apologies about the wait.</p>
<p>@Martin: I don't follow the IANA politics,</p>
</blockquote>
<p>Just a small detail: That should be IETF politics, I guess. But I'm also<br>
not familiar with that corner of the IETF, sorry.</p>
<p>Regards, Martin.</p>
<blockquote>
<p>but for what it's worth, I would consider it stable at this point. The support is there in OpenSSL, we have 50% of the browser market share using it to negotiate SPDY (Chrome + FF), and we have commercial vendors like F5, Akamai, and others supporting it.. :-)</p>
<p>Also, just realized that I linked to wrong version earlier: <a href="http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-04" class="external">http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-04</a></p>
<p>As far as testing, this is a bit of a chicken and egg problem. There are no pure Ruby libraries that you can run this against.. For an integration test, you could try performing a handshake against a <a href="https://google.com" class="external">https://google.com</a> server and test the TLS upgrade. I do have a pure Ruby spdy gem, but it needs a few updates (NPN support is the missing link, really): <a href="http://github.com/igrigorik/spdy" class="external">http://github.com/igrigorik/spdy</a></p>
<p>Let me know how/if I can help.</p>
<p>Feature <a class="issue tracker-2 status-5 priority-4 priority-default closed" title="Feature: Support for the NPN extension to TLS/SSL (Closed)" href="https://redmine.ruby-lang.org/issues/6503">#6503</a>: Support for the NPN extension to TLS/SSL<br>
<a href="https://bugs.ruby-lang.org/issues/6503#change-27833" class="external">https://bugs.ruby-lang.org/issues/6503#change-27833</a></p>
<p>Author: igrigorik (Ilya Grigorik)<br>
Status: Assigned<br>
Priority: Normal<br>
Assignee: MartinBosslet (Martin Bosslet)<br>
Category:<br>
Target version:</p>
<p>OpenSSL 1.0.1+ added support for Next Protocol Negotiation (NPN) extensions. A couple of relevant links:</p>
<ul>
<li>Google technical note: <a href="https://technotes.googlecode.com/git/nextprotoneg.html" class="external">https://technotes.googlecode.com/git/nextprotoneg.html</a>
</li>
<li>IETF draft: <a href="http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-02" class="external">http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-02</a>
</li>
</ul>
<p>NPN allows the client to negotiate the session protocol as part of the TLS handshake (ex, "http 1.1", or "spdy/v{1,2,3}"). To support SPDY we need NPN support within OpenSSL core in Ruby. The API is already implemented in OpenSSL 1.0.1+, so it's a matter of adding support in Ruby core.</p>
<p>Sister bug for Python 3.3: <a href="http://bugs.python.org/issue14204" class="external">http://bugs.python.org/issue14204</a></p>
</blockquote>
Ruby master - Feature #6503: Support for the NPN extension to TLS/SSL | https://redmine.ruby-lang.org/issues/6503?journal_id=27848 | 2012-07-06T16:03:33Z | MartinBosslet (Martin Bosslet), Martin.Bosslet@gmail.com
<ul><li><strong>Category</strong> set to <i>ext</i></li><li><strong>Target version</strong> set to <i>2.0.0</i></li></ul><blockquote>
<p>On 2012/07/06 3:23, igrigorik (Ilya Grigorik) wrote:</p>
<p>Issue <a class="issue tracker-2 status-5 priority-4 priority-default closed" title="Feature: Support for the NPN extension to TLS/SSL (Closed)" href="https://redmine.ruby-lang.org/issues/6503">#6503</a> has been updated by igrigorik (Ilya Grigorik).</p>
<p>Hey guys, apologies about the wait.</p>
</blockquote>
<p>No problem :)</p>
<blockquote>
<p>@Martin: I don't follow the IANA politics,</p>
<p>but for what it's worth, I would consider it stable at this point. The support is there in OpenSSL, we have 50% of the browser market share using it to negotiate SPDY (Chrome + FF), and we have commercial vendors like F5, Akamai, and others supporting it.. :-)</p>
</blockquote>
<p>Yes, and to be honest, I'm also in favor of the technology, just wanted to make sure that it's stable enough. But from what I saw, we could handle most of it transparently, OpenSSL does the heavy lifting - so even if there were major changes, they should only affect OpenSSL itself, but hopefully not the API exposing the feature.</p>
<blockquote>
<p>Also, just realized that I linked to wrong version earlier: <a href="http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-04" class="external">http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-04</a></p>
</blockquote>
<p>OK, thanks for the hint!</p>
<blockquote>
<p>As far as testing, this is a bit of a chicken and egg problem. There are no pure Ruby libraries that you can run this against.. For an integration test, you could try performing a handshake against a <a href="https://google.com" class="external">https://google.com</a> server and test the TLS upgrade. I do have a pure Ruby spdy gem, but it needs a few updates (NPN support is the missing link, really): <a href="http://github.com/igrigorik/spdy" class="external">http://github.com/igrigorik/spdy</a></p>
</blockquote>
<p>True. I also thought of directly testing against <a href="https://google.com" class="external">https://google.com</a>, it's a fairly stable server ;) But I was wondering how internal policies are, is it sound to test against external URLs? Could some of the other devs please comment on this?</p>
<blockquote>
<p>Let me know how/if I can help.</p>
</blockquote>
<p>Will do, thanks for your help! If nobody has major reservations, I would add support soon.</p>
<p>-Martin</p>
Ruby master - Feature #6503: Support for the NPN extension to TLS/SSL | https://redmine.ruby-lang.org/issues/6503?journal_id=27850 | 2012-07-06T16:08:00Z | MartinBosslet (Martin Bosslet), Martin.Bosslet@gmail.com
<p>duerst (Martin Dürst) wrote:</p>
<blockquote>
<p>Just a small detail: That should be IETF politics, I guess. But I'm also<br>
not familiar with that corner of the IETF, sorry.</p>
</blockquote>
<p>Just out of curiosity - because IETF is in charge of the TLS extension registry?<br>
That's what I think I understood from [1] at least:</p>
<blockquote>
<p>TLS ExtensionType Registry: Future values are allocated via IETF Consensus</p>
</blockquote>
<p>[1] <a href="http://tools.ietf.org/html/rfc5246#section-12" class="external">http://tools.ietf.org/html/rfc5246#section-12</a></p>
Ruby master - Feature #6503: Support for the NPN extension to TLS/SSL | https://redmine.ruby-lang.org/issues/6503?journal_id=27913 | 2012-07-10T15:53:14Z | duerst (Martin Dürst), duerst@it.aoyama.ac.jp
<p>On 2012/07/06 16:10, MartinBosslet (Martin Bosslet) wrote:</p>
<blockquote>
<p>Issue <a class="issue tracker-2 status-5 priority-4 priority-default closed" title="Feature: Support for the NPN extension to TLS/SSL (Closed)" href="https://redmine.ruby-lang.org/issues/6503">#6503</a> has been updated by MartinBosslet (Martin Bosslet).</p>
<p>duerst (Martin Dürst) wrote:</p>
<blockquote>
<p>Just a small detail: That should be IETF politics, I guess. But I'm also<br>
not familiar with that corner of the IETF, sorry.</p>
</blockquote>
<p>Just out of curiosity - because IETF is in charge of the TLS extension registry?<br>
That's what I think I understood from [1] at least:</p>
<blockquote>
<p>TLS ExtensionType Registry: Future values are allocated via IETF Consensus</p>
</blockquote>
</blockquote>
<p>Yes. More generally, IANA is only a clerical office function.</p>
<p>Regards, Martin.</p>
<blockquote>
<p>[1] <a href="http://tools.ietf.org/html/rfc5246#section-12" class="external">http://tools.ietf.org/html/rfc5246#section-12</a></p>
<p>Feature <a class="issue tracker-2 status-5 priority-4 priority-default closed" title="Feature: Support for the NPN extension to TLS/SSL (Closed)" href="https://redmine.ruby-lang.org/issues/6503">#6503</a>: Support for the NPN extension to TLS/SSL<br>
<a href="https://bugs.ruby-lang.org/issues/6503#change-27850" class="external">https://bugs.ruby-lang.org/issues/6503#change-27850</a></p>
<p>Author: igrigorik (Ilya Grigorik)<br>
Status: Assigned<br>
Priority: Normal<br>
Assignee: MartinBosslet (Martin Bosslet)<br>
Category: ext<br>
Target version: 2.0.0</p>
<p>OpenSSL 1.0.1+ added support for Next Protocol Negotiation (NPN) extensions. A couple of relevant links:</p>
<ul>
<li>Google technical note: <a href="https://technotes.googlecode.com/git/nextprotoneg.html" class="external">https://technotes.googlecode.com/git/nextprotoneg.html</a>
</li>
<li>IETF draft: <a href="http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-02" class="external">http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-02</a>
</li>
</ul>
<p>NPN allows the client to negotiate the session protocol as part of the TLS handshake (ex, "http 1.1", or "spdy/v{1,2,3}"). To support SPDY we need NPN support within OpenSSL core in Ruby. The API is already implemented in OpenSSL 1.0.1+, so it's a matter of adding support in Ruby core.</p>
<p>Sister bug for Python 3.3: <a href="http://bugs.python.org/issue14204" class="external">http://bugs.python.org/issue14204</a></p>
</blockquote>
Ruby master - Feature #6503: Support for the NPN extension to TLS/SSL | https://redmine.ruby-lang.org/issues/6503?journal_id=28502 | 2012-07-28T13:37:44Z | igrigorik (Ilya Grigorik), igrigorik@gmail.com
<p>Martin, let me know if you run into any questions or issues.. would love to see this working, sooner rather than later. :-)</p>
Ruby master - Feature #6503: Support for the NPN extension to TLS/SSL | https://redmine.ruby-lang.org/issues/6503?journal_id=28582 | 2012-08-01T23:44:26Z | MartinBosslet (Martin Bosslet), Martin.Bosslet@gmail.com
<p>igrigorik (Ilya Grigorik) wrote:</p>
<blockquote>
<p>Martin, let me know if you run into any questions or issues.. would love to see this working, sooner rather than later. :-)</p>
</blockquote>
<p>Thanks for the offer, I'll get back to you if I run into trouble :) I'll try to implement it for the next 1.9.3 patch release.</p>
Ruby master - Feature #6503: Support for the NPN extension to TLS/SSL | https://redmine.ruby-lang.org/issues/6503?journal_id=29122 | 2012-08-31T18:47:41Z | Anonymous
<ul><li><strong>Status</strong> changed from <i>Assigned</i> to <i>Closed</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>100</i></li></ul><p>This issue was solved with changeset r36871.<br>
Ilya, thank you for reporting this issue.<br>
Your contribution to Ruby is greatly appreciated.<br>
May Ruby be with you.</p>
<hr>
<ul>
<li>ext/openssl/extconf.rb: Check existence of OPENSSL_NPN_NEGOTIATED.<br>
ext/ossl_ssl.c: Support Next Protocol Negotiation. Protocols to be<br>
advertised by the server can be set in the SSLContext by using<br>
SSLContext#npn_protocols=, protocol selection on the client is<br>
supported by providing a selection callback with<br>
SSLContext#npn_select_cb. The protocol that was finally negotiated<br>
is available through SSL#npn_protocol.<br>
test/openssl/test_ssl.rb: Add tests for Next Protocol Negotiation.<br>
NEWS: add news about NPN support.<br>
[Feature <a class="issue tracker-2 status-5 priority-4 priority-default closed" title="Feature: Support for the NPN extension to TLS/SSL (Closed)" href="https://redmine.ruby-lang.org/issues/6503">#6503</a>] <a href="/issues/6503">[ruby-core:45272]</a></li>
</ul>
Ruby master - Feature #6503: Support for the NPN extension to TLS/SSL | https://redmine.ruby-lang.org/issues/6503?journal_id=29123 | 2012-08-31T18:56:47Z | MartinBosslet (Martin Bosslet), Martin.Bosslet@gmail.com
<p>Protocols to be advertised by the server can now be set like this:</p>
<pre><code class="ruby">require 'openssl'

ctx = OpenSSL::SSL::SSLContext.new # some OpenSSL::SSL::SSLContext
ctx.npn_protocols = ["spdy/3", "spdy/2", "http/1.1"]
</code></pre>
<p>Selection on the client is handled via callback:</p>
<pre><code class="ruby">ctx = OpenSSL::SSL::SSLContext.new # some OpenSSL::SSL::SSLContext
ctx.npn_select_cb = lambda do |protocols|
  # selection logic, return value must be the selected protocol
  protocols.first
end
</code></pre>
<p>Raising or causing an error during the callback will effectively terminate the handshake.<br>
The protocol that was finally chosen can be inspected on the resulting SSL instance with<br>
SSL#npn_protocol. By default, not setting SSLContext#npn_protocols or SSLContext#npn_select_cb<br>
will have the effect that NPN extension support is disabled.</p>
<p><a class="user active user-mention" href="https://redmine.ruby-lang.org/users/6075">@ilya (Ilya Boltnev)</a>: Although I could write tests to assert the correctness of the basic behavior, I haven't<br>
tried it in a real life scenario yet. Could you please confirm that this is working for you?</p>
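<p>As an added worked example (not Martin's code and not part of changeset r36871), the following Ruby shows the pieces a client implementer would want around the API described above: a preference-ordered selection callback that raises when client and server share no protocol (so the handshake is aborted rather than continuing with a protocol the peer never offered), the one-byte-length-prefixed wire layout the NPN draft uses for the advertised list, with a decoder that rejects truncated payloads, and a helper that installs the callback only when the running Ruby's openssl actually exposes NPN. The names <code>NoCommonProtocol</code>, <code>select_npn_protocol</code>, <code>pack_npn_list</code>, <code>unpack_npn_list</code> and <code>configure_client_npn</code> are chosen here; the preference lists and wire bytes are constructed sample data.</p>

```ruby
require 'openssl'

# Raised by the selection callback when client and server share no protocol.
# Raising inside SSLContext#npn_select_cb aborts the handshake, which is the
# outcome we want: fail loudly instead of speaking a protocol the peer never
# offered. (Name chosen for this example.)
class NoCommonProtocol < StandardError; end

# Client-side selection: walk the client's preference list (most preferred
# first) and return the first entry the server advertised. `advertised` is the
# array of names Ruby hands to the npn_select_cb block.
def select_npn_protocol(advertised, preferences)
  chosen = preferences.find { |name| advertised.include?(name) }
  raise NoCommonProtocol, "server offered #{advertised.inspect}" if chosen.nil?
  chosen
end

# Wire layout of the advertised list as the NPN draft defines it: each name is
# a single length byte followed by the name, names concatenated with no outer
# length field. Illustration only, not the encoder inside ext/openssl.
def pack_npn_list(names)
  names.map do |name|
    bytes = name.b
    raise ArgumentError, "empty protocol name" if bytes.empty?
    raise ArgumentError, "protocol name too long: #{name}" if bytes.bytesize > 255
    [bytes.bytesize].pack("C") + bytes
  end.join
end

# Inverse of pack_npn_list. A truncated or zero-length entry is rejected so a
# malformed extension payload is noticed instead of yielding partial names.
def unpack_npn_list(data)
  data = data.b
  names = []
  pos = 0
  while pos < data.bytesize
    len = data.getbyte(pos)
    pos += 1
    raise ArgumentError, "empty protocol name" if len.zero?
    raise ArgumentError, "truncated protocol list" if pos + len > data.bytesize
    names << data.byteslice(pos, len)
    pos += len
  end
  names
end

# Attach the selection logic to a context. NPN is only compiled into Ruby's
# openssl when the underlying OpenSSL provides it, so probe the accessor first.
# Returns true when the callback was installed, false when NPN is unavailable.
def configure_client_npn(ctx, preferences)
  return false unless ctx.respond_to?(:npn_select_cb=)
  ctx.npn_select_cb = lambda do |advertised|
    select_npn_protocol(advertised, preferences)
  end
  true
end

if __FILE__ == $0
  prefs = ["spdy/3", "spdy/2", "http/1.1"]        # constructed client preferences
  wire = pack_npn_list(["http/1.1", "spdy/2"])    # constructed server advertisement
  puts "server wire bytes: #{wire.unpack1('H*')}"
  puts "client picks: #{select_npn_protocol(unpack_npn_list(wire), prefs)}"
  puts "callback installed: #{configure_client_npn(OpenSSL::SSL::SSLContext.new, prefs)}"
end
```

<p>Run stand-alone, the script prints the encoded server list, the protocol the client would settle on (<code>spdy/2</code> for the constructed input, since the server did not offer <code>spdy/3</code>) and whether the callback could be installed on this build. Keeping the selection in a plain method rather than inline in the lambda makes the no-overlap failure mode testable without a live handshake, which is the gap the thread discusses.</p>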