[vlc-devel] ALPN support on Apple platforms

Mon Nov 7 09:40:32 CET 2016

On 7 Nov 2016, at 8:37, Steve Lhomme wrote:

> Hi,
>
> On Sat, Nov 5, 2016 at 5:51 PM, David Fuhrmann 
> <david.fuhrmann at gmail.com> wrote:
>> Hello all,
>>
>> After we started discussions about ALPN in various directions lately, 
>> I would like to summarize the problem and potential solutions in this 
>> mail, in order to find an improvement agreeable for everyone. I would 
>> be glad to read your comments or proposals regarding that issue.
>> To have a clean start, I’ll revert my recent patch in this regard 
>> as its incomplete anyhow currently.
>>
>>
>> Short problem description:
>> ALPN is an TLS extension to negotiate the Application layer protocol. 
>> Its primarily used to negotiate HTTP/2 support over TLS. For other 
>> protocols or HTTPS <= 1.1 its currently not relevant / needed in 
>> practice (please correct me if I’m wrong here).
>>
>> ALPN is currently not supported in the securetransport module, which 
>> is the only default-enabled TLS module on Darwin platforms. 
>> test_modules_tls includes one test for ALPN, which currently fails 
>> because of that.
>
> Out of curiosity, does Safari support HTTP/2 ? And if so, how do they
> do it ? How about the HTTP client helper from the OS (which name I
> don't remember) ? Same question for Chrome and Firefox although they
> may provide their own TLS stack.
>

Yes, Safari does support HTTP/2. Secure Transport supports it but lacks 
a public API that we could use,
as far as I know.
Firefox, if I am not mistaken, use their own TLS library and they have a 
separate trust store.
No idea about Chrome.

>> Potential solutions:
>>
>> 1) Add support of ALPN to the securetransport module
>> - Well, this does not seem to be possible currently, as the 
>> underlying securetransport framework does not support an API for 
>> that.
>> - —> So I do not see any possible improvements of the 
>> securetransport module right now.
>>
>> 2) Switch back to gnutls for Darwin platforms
>> - Main drawback of gnutls (and the main reason for securetransport 
>> actually): It still does not have any support to include the system 
>> trust store for root certificates.
>> - —> Because of that, switching back to gnutls does not seem an 
>> option seeing end user perception and security aspects.
>
> Can the system trust store support be added ? We did it for Windows RT 
> (kinda).
>
>> 3) Declare ALPN as not supported on Darwin platforms right now
>> - Currently, in practice all web services should be working perfectly 
>> fine without HTTP/2 and ALPN.
>> - This should involve
>>    - checking the TLS interface again and documenting that ALPN is 
>> not always supported
>>    - Disabling or skipping the test for ALPN on Darwin platforms as 
>> the default configuration does not support it
>>    - Creating a feature request ticket to document that ALPN support 
>> is missing
>> - —> This is the only viable solution currently, in my opinion.
>>
>> 4) Ignore the failing test and just do nothing until someone from 
>> securetransport or gnutls adds support for the missing pieces.
>> - I think this is not an option as well, mainly because:
>>   - We should not have always failing tests because a feature is not 
>> implemented
>>   - It blocks CI and mainly it blocks visibility of compilation and 
>> test execution. So no other developer can see if some change fails on 
>> Darwin-platforms coincidentally.
>>
>> Does anyone know another solution? Do you have any comments or ideas 
>> on how to proceed with this issue?
>> PS: It would be great if we can stay on-topic only for these 
>> discussions.
>>
>> Best regards,
>> David
>>
>> _______________________________________________
>> vlc-devel mailing list
>> To unsubscribe or modify your subscription options:
>> https://mailman.videolan.org/listinfo/vlc-devel
> _______________________________________________
> vlc-devel mailing list
> To unsubscribe or modify your subscription options:
> https://mailman.videolan.org/listinfo/vlc-devel