[stunnel-users] Extensions when negotiating TLS

Christopher Schultz chris at christopherschultz.net
Mon Nov 4 23:50:55 CET 2019 

Tom,

On 11/4/19 17:16, Tom (AST) Watson wrote:
> Yes, I understand about ALPN.  Sorry I described in detail. 
> Unfortunately application #2 wants encrypted http2 (it is a go
> program). Application #1 wants to talk in http2 (I can't change
> that!) and it doesn't encrypt "naturally" (and I want to see what is
> going on [Wireshark] as well) In looking further I might be able to
> get application #2 to go plaintext (I found a pointer). Yes, it seems
> that stunnel doesn't support ALPN, wishful thinking on my part
> 
> Back to the salt mines. (*SIGH*)

How difficult would it be to enable HTTP/1.1 on that application #1?
I've never seen an h2-only service before. h2 is more effective for web
applications that make a lot of tiny requests (like small resources for
pages, scripts, etc.). Most API-based services don't really get any
benefit from using h2.

-chris

> -----Original Message----- From: stunnel-users
> <stunnel-users-bounces at stunnel.org> On Behalf Of Christopher Schultz 
> Sent: Monday, November 4, 2019 13:59 To: stunnel-users at stunnel.org 
> Subject: [External] Re: [stunnel-users] Extensions when negotiating
> TLS
> 
> Tom,
> 
> On 11/4/19 16:05, Tom (AST) Watson wrote:
>> Well, I thought it would be "easy", but maybe not.  I have an 
>> application (#1) that uses http2, and isn't encrypted.  No problem
>>  here.  Now I have another application (#2) that insists on using
>> https to talk to application #1.  So I gleefully setup stunnel to
>> connect the two.  Well, application #2 starts talking to stunnel
>> with a "Client Hello" packet, and it includes an extension
>> "Application Layer Protocol Extension" of "h2".
> 
> This is called ALPN, and is a requirement for h2s.
> 
>> While not versed in the minutia, I take this that the client 
>> (application #2) wants to talk "http2" to the server (application
>> #1).
> 
> Yep, pretty much.
> 
>> OK, that is what I want.  The problem is that stunnel doesn't
>> respond with ANY "Application Layer Protocol Extension" indicating
>> acceptance of this request in its "server hello".  This means that
>> application #2 fails in its negotiation.  No joy!
>> 
>> Now I know that application #1 will nicely talk http2, but how do I
>>  get stunnel to communicate this to application #2 (as encrypted 
>> http2).  Am I missing something in my (pretty simple) configuration
>>  file?
> 
> I can't find any references to stunnel supporting ALPN. You may be
> (temporarily) out of luck, at least with stunnel.
> 
> You mentioned that app #2 insists on encryption (great, usually). Is
> there a requirement that it use h2? Or can it be configured to use
> HTTP/1.1?
> 
> -chris
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20191104/345a4d33/attachment-0001.sig>

More information about the stunnel-users mailing list