[vlc-devel] ALPN support on Apple platforms
david.fuhrmann at gmail.com
Sat Nov 5 17:51:37 CET 2016
After we started discussions about ALPN in various directions lately, I would like to summarize the problem and potential solutions in this mail, in order to find an improvement agreeable for everyone. I would be glad to read your comments or proposals regarding that issue.
To have a clean start, I’ll revert my recent patch in this regard, as it's incomplete anyhow currently.
Short problem description:
ALPN is a TLS extension to negotiate the application layer protocol. It's primarily used to negotiate HTTP/2 support over TLS. For other protocols or HTTPS <= 1.1 it's currently not relevant / needed in practice (please correct me if I’m wrong here).
ALPN is currently not supported in the securetransport module, which is the only default-enabled TLS module on Darwin platforms. test_modules_tls includes one test for ALPN, which currently fails because of that.
1) Add support of ALPN to the securetransport module
   - Well, this does not seem to be possible currently, as the underlying securetransport framework does not support an API for that.
   -> So I do not see any possible improvements of the securetransport module right now.

2) Switch back to gnutls for Darwin platforms
   - Main drawback of gnutls (and the main reason for securetransport actually): It still does not have any support to include the system trust store for root certificates.
   -> Because of that, switching back to gnutls does not seem an option seeing end user perception and security aspects.

3) Declare ALPN as not supported on Darwin platforms right now
   - Currently, in practice all web services should be working perfectly fine without HTTP/2 and ALPN.
   - This should involve
     - checking the TLS interface again and documenting that ALPN is not always supported
     - disabling or skipping the test for ALPN on Darwin platforms, as the default configuration does not support it
     - creating a feature request ticket to document that ALPN support is missing
   -> This is the only viable solution currently, in my opinion.

4) Ignore the failing test and just do nothing until someone from securetransport or gnutls adds support for the missing pieces.
   - I think this is not an option either, mainly because:
     - We should not have always-failing tests because a feature is not implemented
     - It blocks CI and mainly it blocks visibility of compilation and test execution. So no other developer can see if some change fails on Darwin platforms coincidentally.
Does anyone know another solution? Do you have any comments or ideas on how to proceed with this issue?
PS: It would be great if we can stay on-topic only for these discussions.
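As an added illustration, not part of the original mail or of VLC's own code, of what the ALPN extension discussed above actually carries (RFC 7301 wire format) and of the one check a client-side implementation must do on the server's answer, here is a small encoder/decoder plus the selection rule in Python; all function names are my own choice.

```python
import struct

ALPN_EXTENSION_TYPE = 16  # RFC 7301 "application_layer_protocol_negotiation"


def encode_protocol_list(protocols):
    """Encode a ProtocolNameList: 2-byte total length, then 1-byte-length-prefixed names."""
    body = b""
    for name in protocols:
        raw = name.encode("ascii")
        if not 1 <= len(raw) <= 255:
            raise ValueError("protocol name must be 1..255 bytes")
        body += struct.pack("!B", len(raw)) + raw
    return struct.pack("!H", len(body)) + body


def decode_protocol_list(data):
    """Parse a ProtocolNameList, rejecting empty, truncated or over-long encodings."""
    if len(data) < 2:
        raise ValueError("truncated list length")
    (total,) = struct.unpack("!H", data[:2])
    if total == 0 or total != len(data) - 2:
        raise ValueError("list length mismatch")
    names, pos = [], 2
    while pos < len(data):
        n = data[pos]
        pos += 1
        if n == 0 or pos + n > len(data):
            raise ValueError("bad protocol name length")
        names.append(data[pos:pos + n].decode("ascii"))
        pos += n
    return names


def build_alpn_extension(protocols):
    """Wrap the list as a TLS Extension: type (2 bytes) + length (2 bytes) + data."""
    payload = encode_protocol_list(protocols)
    return struct.pack("!HH", ALPN_EXTENSION_TYPE, len(payload)) + payload


def server_select(server_preferences, client_offered):
    """Server side: first protocol in server preference order that the client offered."""
    for proto in server_preferences:
        if proto in client_offered:
            return proto
    return None  # no overlap: server may omit ALPN or send no_application_protocol


def client_check_selection(offered, server_ext_data):
    """Client side: the server's ALPN must name exactly one protocol, and one we offered."""
    selected = decode_protocol_list(server_ext_data)
    if len(selected) != 1:
        raise ValueError("server ALPN must contain exactly one protocol")
    if selected[0] not in offered:
        raise ValueError("server selected a protocol the client did not offer")
    return selected[0]
```

The last check is the one a TLS backend must expose to the application: a selection that was never offered must abort the handshake rather than be silently accepted.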