[vlc-devel] ALPN support on Apple platforms
Marvin Scholz
epirat07 at gmail.com
Mon Nov 7 09:40:32 CET 2016
On 7 Nov 2016, at 8:37, Steve Lhomme wrote:
> Hi,
>
> On Sat, Nov 5, 2016 at 5:51 PM, David Fuhrmann
> <david.fuhrmann at gmail.com> wrote:
>> Hello all,
>>
>> After we started discussions about ALPN in various directions lately,
>> I would like to summarize the problem and potential solutions in this
>> mail, in order to find an improvement agreeable for everyone. I would
>> be glad to read your comments or proposals regarding that issue.
>> To have a clean start, I’ll revert my recent patch in this regard
>> as it’s incomplete anyhow currently.
>>
>>
>> Short problem description:
>> ALPN is a TLS extension to negotiate the application layer protocol.
>> It’s primarily used to negotiate HTTP/2 support over TLS. For other
>> protocols or HTTPS <= 1.1 it’s currently not relevant / needed in
>> practice (please correct me if I’m wrong here).
>>
>> ALPN is currently not supported in the securetransport module, which
>> is the only default-enabled TLS module on Darwin platforms.
>> test_modules_tls includes one test for ALPN, which currently fails
>> because of that.
>
> Out of curiosity, does Safari support HTTP/2 ? And if so, how do they
> do it ? How about the HTTP client helper from the OS (which name I
> don't remember) ? Same question for Chrome and Firefox although they
> may provide their own TLS stack.
>
Yes, Safari does support HTTP/2. Secure Transport supports it but lacks
a public API that we could use, as far as I know.
Firefox, if I am not mistaken, uses its own TLS library and has a
separate trust store.
No idea about Chrome.
>> Potential solutions:
>>
>> 1) Add support of ALPN to the securetransport module
>> - Well, this does not seem to be possible currently, as the
>> underlying securetransport framework does not provide an API for
>> that.
>> - —> So I do not see any possible improvements of the
>> securetransport module right now.
>>
>> 2) Switch back to gnutls for Darwin platforms
>> - Main drawback of gnutls (and the main reason for securetransport
>> actually): It still does not have any support for including the
>> system trust store for root certificates.
>> - —> Because of that, switching back to gnutls does not seem an
>> option, given end-user perception and security aspects.
>
> Can the system trust store support be added ? We did it for Windows RT
> (kinda).
>
>> 3) Declare ALPN as not supported on Darwin platforms right now
>> - Currently, in practice all web services should be working perfectly
>> fine without HTTP/2 and ALPN.
>> - This should involve
>> - checking the TLS interface again and documenting that ALPN is
>> not always supported
>> - Disabling or skipping the test for ALPN on Darwin platforms as
>> the default configuration does not support it
>> - Creating a feature request ticket to document that ALPN support
>> is missing
>> - —> This is the only viable solution currently, in my opinion.
>>
>> 4) Ignore the failing test and just do nothing until someone from
>> securetransport or gnutls adds support for the missing pieces.
>> - I think this is not an option either, mainly because:
>> - We should not have always-failing tests because a feature is not
>> implemented
>> - It blocks CI and mainly it blocks visibility of compilation and
>> test execution. So no other developer can see if some change fails on
>> Darwin platforms coincidentally.
>>
>> Does anyone know another solution? Do you have any comments or ideas
>> on how to proceed with this issue?
>> PS: It would be great if we can stay on-topic only for these
>> discussions.
>>
>> Best regards,
>> David
>>
>> _______________________________________________
>> vlc-devel mailing list
>> To unsubscribe or modify your subscription options:
>> https://mailman.videolan.org/listinfo/vlc-devel