[stunnel-users] Extensions when negotiating TLS

Christopher Schultz chris at christopherschultz.net
Mon Nov 4 22:58:43 CET 2019


Tom,

On 11/4/19 16:05, Tom (AST) Watson wrote:
> Well, I thought it would be "easy", but maybe not.  I have an 
> application (#1) that uses http2, and isn't encrypted.  No problem 
> here.  Now I have another application (#2) that insists on using 
> https to talk to application #1.  So I gleefully set up stunnel to 
> connect the two.  Well, application #2 starts talking to stunnel with
> a "Client Hello" packet, and it includes an extension "Application
> Layer Protocol Extension" of "h2".

This is called ALPN, and is a requirement for h2s.

> While not versed in the minutia, I take this that the client 
> (application #2) wants to talk "http2" to the server (application 
> #1).

Yep, pretty much.

> OK, that is what I want.  The problem is that stunnel doesn't
> respond with ANY "Application Layer Protocol Extension" indicating
> acceptance of this request in its "server hello".  This means that
> application #2 fails in its negotiation.  No joy!
>
> Now I know that application #1 will nicely talk http2, but how do I 
> get stunnel to communicate this to application #2 (as encrypted 
> http2).  Am I missing something in my (pretty simple) configuration 
> file?

I can't find any references to stunnel supporting ALPN.
You may be (temporarily) out of luck, at least with stunnel.

You mentioned that app #2 insists on encryption (great, usually). Is
there a requirement that it use h2? Or can it be configured to use HTTP/1.1?

-chris
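As an added illustration of the failure Tom describes (this is not code from the thread or from stunnel): a small parser that pulls the ALPN extension out of a captured ClientHello or ServerHello record, so a packet capture can confirm whether the server actually answered the client's "h2" offer. The sample records are constructed inline rather than taken from a real capture.

```python
import struct

ALPN_EXT, CLIENT_HELLO, SERVER_HELLO = 16, 1, 2   # ALPN extension id (RFC 7301); hello msg types

def alpn_from_hello(record):
    """Return the ALPN names carried by a ClientHello/ServerHello TLS record:
    a list of names, [] if the extension is absent, None if the record is not a hello."""
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]      # strip the 5-byte record header
    if record[0] != 0x16 or not hs or hs[0] not in (CLIENT_HELLO, SERVER_HELLO):
        return None
    msg_type, body = hs[0], hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                                # legacy_version + random
    pos += 1 + body[pos]                                        # session_id
    if msg_type == CLIENT_HELLO:
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
        pos += 1 + body[pos]                                    # compression_methods
    else:
        pos += 2 + 1                                            # cipher_suite + compression_method
    if pos >= len(body):
        return []                                               # no extensions block at all
    pos, end = pos + 2, pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        if etype == ALPN_EXT:           # body: u16 list length, then (u8 len, name) entries
            data, names, p = body[pos + 4:pos + 4 + elen], [], 2
            while p < len(data):
                names.append(data[p + 1:p + 1 + data[p]].decode("ascii"))
                p += 1 + data[p]
            return names
        pos += 4 + elen
    return []

def _hello(msg_type, extensions=b""):
    """Build a minimal TLS 1.2 hello record (constructed sample, not a real capture)."""
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00"                 # version, random, no session_id
    body += b"\x00\x02\xc0\x2f\x01\x00" if msg_type == CLIENT_HELLO else b"\xc0\x2f\x00"
    body += struct.pack("!H", len(extensions)) + extensions
    hs = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

def _alpn_ext(*names):
    entries = b"".join(bytes([len(n)]) + n.encode("ascii") for n in names)
    return struct.pack("!HHH", ALPN_EXT, len(entries) + 2, len(entries)) + entries

# Constructed samples mirroring the thread: the client offers h2, the server answers without ALPN.
CLIENT_HELLO_H2 = _hello(CLIENT_HELLO, _alpn_ext("h2", "http/1.1"))
SERVER_HELLO_NO_ALPN = _hello(SERVER_HELLO)
SERVER_HELLO_H2 = _hello(SERVER_HELLO, _alpn_ext("h2"))
```

An empty list for the ServerHello while the ClientHello lists "h2" is exactly the mismatch that makes an h2-only client abort. With TLS 1.3 the server's ALPN choice moves into EncryptedExtensions, so inspecting the ServerHello this way only applies to TLS 1.2 handshakes.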
