[gnutls-devel] GnuTLS | ALPN issue (#951)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Sat Mar 7 18:22:48 CET 2020




Airtower commented:


Checking for ALPN to see if an incoming connection uses HTTPS is wrong. Many browsers do support ALPN because they also support HTTP/2, but an HTTP/1.1 client is correct in not sending ALPN (though it would be allowed to).

As a matter of principle there is no reliable way to check the protocol inside a TLS connection as long as the encryption is secure. Things like ALPN, SNI, or even traffic patterns are only hints. People can also use those hints in unusual ways, in particular if someone wants to avoid your firewall, e.g. set up a server that accepts any ALPN so clients can look like HTTP clients to your firewall, and then still speak some other protocol inside TLS.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/951#note_301207154
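A detection-side illustration of the point above, added here and not part of the original message or of GnuTLS: a minimal ClientHello parser that pulls the ALPN extension (RFC 7301, extension type 16) out of constructed handshake bytes, and a `classify` function showing the only kind of verdict a firewall can draw from it (a hint about the inner protocol, never proof). A ClientHello with no ALPN at all, as a conforming HTTP/1.1 client may send, parses as "unknown". `build_client_hello`, `alpn_protocols` and `classify` are names chosen for this example.

```python
import struct
ALPN_EXT = 0x0010  # ALPN extension type from RFC 7301

def build_client_hello(alpn=None):
    """Build a minimal TLS 1.2 ClientHello record; constructed test input, not a capture."""
    exts = b""
    if alpn is not None:
        lst = b"".join(bytes([len(p)]) + p.encode() for p in alpn)
        body = struct.pack("!H", len(lst)) + lst
        exts = struct.pack("!HH", ALPN_EXT, len(body)) + body
    hello = (b"\x03\x03" + bytes(32)            # client_version, random (zeros for the test)
             + b"\x00" + b"\x00\x02\xc0\x2f"     # empty session id, one cipher suite
             + b"\x01\x00"                       # null compression only
             + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello   # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record type 22 = handshake

def alpn_protocols(record):
    """Return the ALPN protocol list from a ClientHello record, or None if the extension is absent."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    p = 9 + 2 + 32                                    # record + handshake headers, version, random
    p += 1 + record[p]                                # session id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]  # cipher suites
    p += 1 + record[p]                                # compression methods
    if p >= len(record):
        return None                                   # no extensions block at all
    ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        data = record[p + 4:p + 4 + elen]
        p += 4 + elen
        if etype == ALPN_EXT:
            names, q = [], 2                          # skip the 2-byte list length
            while q < len(data):
                n = data[q]
                names.append(data[q + 1:q + 1 + n].decode())
                q += 1 + n
            return names
    return None

def classify(record):
    """Verdict a firewall could derive from ALPN; a hint about the inner protocol, not proof."""
    alpn = alpn_protocols(record)
    if alpn is None:
        return "unknown"          # a conforming HTTP/1.1 client may omit ALPN entirely
    if any(p in ("http/1.1", "h2") for p in alpn):
        return "http-like"        # the peers may still speak something else inside TLS
    return "other:" + ",".join(alpn)
```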

