[vlc-devel] ALPN support on Apple platforms

Steve Lhomme robux4 at gmail.com
Mon Nov 7 08:37:57 CET 2016


Hi,

On Sat, Nov 5, 2016 at 5:51 PM, David Fuhrmann <david.fuhrmann at gmail.com> wrote:
> Hello all,
>
> After we started discussions about ALPN in various directions lately, I would like to summarize the problem and potential solutions in this mail, in order to find an improvement agreeable for everyone. I would be glad to read your comments or proposals regarding that issue.
> To have a clean start, I’ll revert my recent patch in this regard as it's incomplete anyhow currently.
>
>
> Short problem description:
> ALPN is a TLS extension to negotiate the Application layer protocol. It's primarily used to negotiate HTTP/2 support over TLS. For other protocols or HTTPS <= 1.1 it's currently not relevant / needed in practice (please correct me if I’m wrong here).
>
> ALPN is currently not supported in the securetransport module, which is the only default-enabled TLS module on Darwin platforms. test_modules_tls includes one test for ALPN, which currently fails because of that.

Out of curiosity, does Safari support HTTP/2? And if so, how do they
do it? How about the HTTP client helper from the OS (which name I
don't remember)? Same question for Chrome and Firefox although they
may provide their own TLS stack.

> Potential solutions:
>
> 1) Add support of ALPN to the securetransport module
> - Well, this does not seem to be possible currently, as the underlying securetransport framework does not support an API for that.
> - —> So I do not see any possible improvements of the securetransport module right now.
>
> 2) Switch back to gnutls for Darwin platforms
> - Main drawback of gnutls (and the main reason for securetransport actually): It still does not have any support to include the system trust store for root certificates.
> - —> Because of that, switching back to gnutls does not seem an option seeing end user perception and security aspects.

Can the system trust store support be added ? We did it for Windows RT (kinda).

> 3) Declare ALPN as not supported on Darwin platforms right now
> - Currently, in practice all web services should be working perfectly fine without HTTP/2 and ALPN.
> - This should involve
>    - checking the TLS interface again and documenting that ALPN is not always supported
>    - Disabling or skipping the test for ALPN on Darwin platforms as the default configuration does not support it
>    - Creating a feature request ticket to document that ALPN support is missing
> - —> This is the only viable solution currently, in my opinion.
>
> 4) Ignore the failing test and just do nothing until someone from securetransport or gnutls adds support for the missing pieces.
> - I think this is not an option either, mainly because:
>   - We should not have always failing tests because a feature is not implemented
> - It blocks CI and mainly it blocks visibility of compilation and test execution. So no other developer can see if some change fails on Darwin platforms coincidentally.
>
> Does anyone know another solution? Do you have any comments or ideas on how to proceed with this issue?
> PS: It would be great if we can stay on-topic only for these discussions.
>
> Best regards,
> David
>
> _______________________________________________
> vlc-devel mailing list
> To unsubscribe or modify your subscription options:
> https://mailman.videolan.org/listinfo/vlc-devel
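For the ALPN mechanism David describes (RFC 7301, used to negotiate h2), the following is an added example in Python, not code from VLC or from either poster: it encodes and parses the extension's ProtocolNameList and performs the server's selection step, including the case where the client offers no ALPN extension at all (what a TLS stack without ALPN support produces on the wire) and the case where nothing overlaps. The function names are the example's own.

```python
# Added example (not VLC code): ALPN extension body per RFC 7301 and the
# server-side selection rule. Names here (encode_alpn, decode_alpn,
# select_alpn) are this example's own, not a VLC or gnutls API.
import struct

ALPN_EXTENSION_TYPE = 0x0010  # application_layer_protocol_negotiation


def encode_alpn(protocols):
    """Build the extension body: a 2-byte ProtocolNameList length followed by
    1-byte-length-prefixed ProtocolName entries, in the client's preference order."""
    names = b""
    for p in protocols:
        raw = p.encode("ascii")
        if not 1 <= len(raw) <= 255:
            raise ValueError("ProtocolName must be 1..255 bytes")
        names += struct.pack("!B", len(raw)) + raw
    return struct.pack("!H", len(names)) + names


def decode_alpn(body):
    """Parse a ProtocolNameList; reject inconsistent lengths rather than guessing."""
    if len(body) < 2:
        raise ValueError("truncated ProtocolNameList")
    (list_len,) = struct.unpack("!H", body[:2])
    if list_len == 0 or list_len != len(body) - 2:
        raise ValueError("bad ProtocolNameList length")
    protocols, pos = [], 2
    while pos < len(body):
        name_len = body[pos]
        pos += 1
        if name_len == 0 or pos + name_len > len(body):
            raise ValueError("bad ProtocolName length")
        protocols.append(body[pos:pos + name_len].decode("ascii"))
        pos += name_len
    return protocols


def select_alpn(server_preferences, client_hello_ext):
    """Server side. No extension -> no ALPN, the connection proceeds as before
    ALPN existed (e.g. HTTP/1.1 over TLS). Extension present but no common
    protocol -> the handshake is aborted with no_application_protocol."""
    if client_hello_ext is None:
        return ("none", None)
    offered = decode_alpn(client_hello_ext)
    for p in server_preferences:  # the server's order decides, not the client's
        if p in offered:
            return ("selected", p)
    return ("no_application_protocol", None)
```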
