Jump to content

Wikipedia The Free Encyclopedia

Application-Layer Protocol Negotiation

From Wikipedia, the free encyclopedia

Feature of the TLS network security protocol

This article relies excessively on references to primary sources . Please improve this article by adding secondary or tertiary sources.
Find sources: "Application-Layer Protocol Negotiation" – news · newspapers · books · scholar · JSTOR (April 2013) (Learn how and when to remove this message)

Application-Layer Protocol Negotiation (ALPN) is a Transport Layer Security (TLS) extension that allows the application layer to negotiate which protocol should be performed over a secure connection in a manner that avoids additional round trips and which is independent of the application-layer protocols. It is used to establish HTTP/2 connections without additional round trips (client and server can communicate over two ports previously assigned to HTTPS with HTTP/1.1 and upgrade to use HTTP/2 or continue with HTTP/1.1 without closing the initial connection).

Support

ALPN is supported by these libraries:

BSAFE Micro Edition Suite since version 5.0^[1]
GnuTLS since version 3.2.0 released in May 2013^[2]
MatrixSSL since version 3.7.1 released in December 2014^[3]
Network Security Services since version 3.15.5 released in April 2014^[4]
OpenSSL since version 1.0.2 released in January 2015^[5]
LibreSSL since version 2.1.3 released in January 2015^[6]
mbed TLS (previously PolarSSL) since version 1.3.6 released in April 2014^[7]
s2n since its original public release in June 2015.
wolfSSL (formerly CyaSSL) since version 3.7.0 released in October 2015^[8]
Go (in the standard library crypto/tls package) since version 1.4 released in December 2014^[9]
JSSE in Java since JDK 9 released in September 2017,^[10] backported to JDK 8 released in April 2020^[11]
Win32 SSPI since Windows 8.1 and Windows Server 2012 R2 were released October 18, 2013^[12]

History

Next Protocol Negotiation

In January 2010, Google introduced IETF standard draft describing Next Protocol Negotiation TLS extension.^[13] This extension was used to negotiate experimental SPDY connections between Google Chrome and some of Google's servers. As SPDY evolved, NPN was replaced with ALPN.

Application-Layer Protocol Negotiation

On July 11, 2014, ALPN was published as RFC 7301. ALPN replaces Next Protocol Negotiation (NPN) extension.^[14]

TLS False Start was disabled in Google Chrome from version 20 (2012) onward except for websites with the earlier NPN extension.^[15]

Example

ALPN is a TLS extension which is sent on the initial TLS handshake 'Client Hello', and it lists the protocols that the client (for example the web browser) supports:

HandshakeType:ClientHello(1)
Length:141
Version:TLS1.2(0x0303)
Random:dd67b5943e5efd0740519f38071008b59efbd68ab3114587...
SessionIDLength:0
CipherSuitesLength:10
CipherSuites(5suites)
CompressionMethodsLength:1
CompressionMethods(1method)
ExtensionsLength:90
[otherextensionsomitted]
Extension:application_layer_protocol_negotiation(len=14)
Type:application_layer_protocol_negotiation(16)
Length:14
ALPNExtensionLength:12
ALPNProtocol
ALPNstringlength:2
ALPNNextProtocol:h2
ALPNstringlength:8
ALPNNextProtocol:http/1.1

The resulting 'Server Hello' from the web server will also contain the ALPN extension, and it confirms which protocol will be used for the HTTP request:

HandshakeType:ServerHello(2)
Length:94
Version:TLS1.2(0x0303)
Random:44e447964d7e8a7d3b404c4748423f02345241dcc9c7e332...
SessionIDLength:32
SessionID:7667476d1d698d0a90caa1d9a449be814b89a0b52f470e2d...
CipherSuite:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xc02f)
CompressionMethod:null(0)
ExtensionsLength:22
[otherextensionsomitted]
Extension:application_layer_protocol_negotiation(len=5)
Type:application_layer_protocol_negotiation(16)
Length:5
ALPNExtensionLength:3
ALPNProtocol
ALPNstringlength:2
ALPNNextProtocol:h2

References

^ "Dell BSAFE Micro Edition Suite 5.0 Release Advisory" . Retrieved 2022年10月18日.
^ "gnutls 3.2.0". Archived from the original on 2016年01月31日. Retrieved 2015年01月26日.
^ "MatrixSSL - News". 2014年12月04日. Archived from the original on 2015年02月14日. Retrieved 2015年01月26日.
^ "NSS 3.15.5 release notes". Mozilla Developer Network. Mozilla. Retrieved 2015年01月26日.
^ "OpenSSL 1.0.2 release notes". The OpenSSL Project. 2015年01月22日. Archived from the original on 2014年09月04日. Retrieved 2015年01月26日.
^ "LibreSSL 2.1.3 released". 2015年01月22日. Retrieved 2015年01月26日.
^ "Download overview - PolarSSL". 2014年04月11日. Archived from the original on 2015年02月09日. Retrieved 2015年01月26日.
^ "wolfSSL Release Change Log". 2015年10月26日. Retrieved 2015年09月11日.
^ "Go 1.4 Release Notes". 2014年12月10日. Retrieved 2017年11月28日.
^ "JEP 244: TLS Application-Layer Protocol Negotiation Extension". 2017年08月07日. Retrieved 2018年08月29日.
^ "Release Note: TLS Application-Layer Protocol Negotiation Extension". 2020年04月30日. Retrieved 2020年06月11日.
^ "What's New in TLS/SSL (Schannel SSP)". 31 August 2016. Retrieved 2020年03月30日.
^ Langley, A. (January 20, 2010). "Transport Layer Security (TLS) Next Protocol Negotiation Extension". IETF Datatracker.
^ Langley, Adam. "» NPN and ALPN" . Retrieved 2 April 2013.
^ Langley, Adam. "False Start's Failure (11 Apr 2012)" . Retrieved 25 September 2013.

External links

The registry of ALPN protocol IDs is maintained by IANA as a TLS extension.
draft-agl-tls-nextprotoneg-04 (NPN draft) (last updated: May 2012)
RFC 7301 "Transport Layer Security (TLS) Application-Layer Protocol Negotiation Extension"

v
t
e

Protocols and technologies

Transport Layer Security / Secure Sockets Layer (TLS/SSL)
Datagram Transport Layer Security (DTLS)
Server Name Indication (SNI)
Application-Layer Protocol Negotiation (ALPN)
DNS-based Authentication of Named Entities (DANE)
DNS Certification Authority Authorization (CAA)
HTTPS
HTTP Strict Transport Security (HSTS)
HTTP Public Key Pinning (HPKP)
OCSP stapling
Opportunistic TLS
Perfect forward secrecy

Public-key infrastructure

Automated Certificate Management Environment (ACME)
Certificate authority (CA)
CA/Browser Forum
Certificate policy
Certificate revocation
- Certificate revocation list (CRL)
- Online Certificate Status Protocol (OCSP)
- OCSP stapling
Domain-validated certificate (DV)
Extended Validation Certificate (EV)
Public key certificate
Public-key cryptography
Public key infrastructure (PKI)
Root certificate
Self-signed certificate

See also

Domain Name System Security Extensions (DNSSEC)
Internet Protocol Security (IPsec)
Secure Shell (SSH)

History

Implementations

Notaries

Vulnerabilities

Theory	Man-in-the-middle attack Padding oracle attack
Cipher	Bar mitzvah attack
Protocol	BEAST BREACH CRIME DROWN Logjam POODLE (in regards to SSL 3.0)
Implementation	Certificate authority compromise Random number generator attacks FREAK goto fail Heartbleed Lucky Thirteen attack POODLE (in regards to TLS 1.0) Kazakhstan MITM attack

Retrieved from "https://en.wikipedia.org/w/index.php?title=Application-Layer_Protocol_Negotiation&oldid=1257426145"

Hidden categories: