Application-Layer Protocol Negotiation
{{Short description|Feature of the TLS network security protocol}}
{{primary sources|date=April 2013}}
Application-Layer Protocol Negotiation (ALPN) is a Transport Layer Security (TLS) extension that lets the application layer negotiate which protocol will be carried over a secure connection, in a manner that avoids additional round trips and is independent of the application-layer protocols themselves: the client lists the protocols it supports in its Client Hello and the server names its choice in the Server Hello, so the decision is made inside the TLS handshake. It is used to establish HTTP/2 connections without additional round trips (client and server can communicate over port 443, previously assigned to HTTPS with HTTP/1.1, and agree to use HTTP/2 or to continue with HTTP/1.1 without closing the initial connection).
Support
ALPN is supported by these libraries:
- BSAFE Micro Edition Suite since version 5.0{{cite web|url=https://www.dell.com/support/kbdoc/000204231/dell-bsafe-micro-edition-suite-5-0-release-advisory|title=Dell BSAFE Micro Edition Suite 5.0 Release Advisory|accessdate=2022-10-18}}
- GnuTLS since version 3.2.0 released in May 2013{{cite web|url=http://article.gmane.org/gmane.network.gnutls.general/3136|title=gnutls 3.2.0|accessdate=2015-01-26|archive-url=https://web.archive.org/web/20160131230710/http://article.gmane.org/gmane.network.gnutls.general/3136|archive-date=2016-01-31|url-status=dead}}
- MatrixSSL since version 3.7.1 released in December 2014{{cite web|title=MatrixSSL - News |url=http://www.matrixssl.org/news.html |date=2014-12-04 |accessdate=2015-01-26 |url-status=dead |archiveurl=https://web.archive.org/web/20150214105056/http://www.matrixssl.org/news.html |archivedate=2015-02-14 }}
- Network Security Services since version 3.15.5 released in April 2014{{cite web|url=https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.15.5_release_notes|work=Mozilla Developer Network|title=NSS 3.15.5 release notes|publisher=Mozilla|accessdate=2015-01-26}}
- OpenSSL since version 1.0.2 released in January 2015{{cite web|url=https://www.openssl.org/news/openssl-1.0.2-notes.html|title=OpenSSL 1.0.2 release notes|date=2015-01-22|work=The OpenSSL Project|accessdate=2015-01-26|archive-date=2014-09-04|archive-url=https://web.archive.org/web/20140904045720/http://www.openssl.org/news/openssl-1.0.2-notes.html|url-status=dead}}
- LibreSSL since version 2.1.3 released in January 2015{{cite web| title = LibreSSL 2.1.3 released| url = https://marc.info/?l=openbsd-announce&m=142193407304782| date = 2015-01-22| accessdate = 2015-01-26}}
- mbed TLS (previously PolarSSL) since version 1.3.6 released in April 2014{{cite web|title=Download overview - PolarSSL|url=https://polarssl.org/tech-updates/releases/polarssl-1.3.6-released|date=2014-04-11|accessdate=2015-01-26|archive-date=2015-02-09|archive-url=https://web.archive.org/web/20150209195111/https://polarssl.org/tech-updates/releases/polarssl-1.3.6-released|url-status=dead}}
- s2n since its original public release in June 2015.
- wolfSSL (formerly CyaSSL) since version 3.7.0 released in October 2015{{cite web|title=wolfSSL Release Change Log|url=https://www.wolfssl.com/wolfSSL/Docs-wolfssl-changelog.html|date=2015-10-26 |accessdate=2015-09-11}}
- Go (in the standard library crypto/tls package) since version 1.4 released in December 2014{{cite web|title=Go 1.4 Release Notes|url=https://golang.org/doc/go1.4#minor_library_changes|date=2014-12-10|accessdate=2017-11-28}}
- JSSE in Java since JDK 9 released in September 2017,{{cite web|title=JEP 244: TLS Application-Layer Protocol Negotiation Extension|url=https://bugs.openjdk.java.net/browse/JDK-8051498|date=2017-08-07|accessdate=2018-08-29}} backported to JDK 8 released in April 2020{{cite web|title=Release Note: TLS Application-Layer Protocol Negotiation Extension|url=https://bugs.openjdk.java.net/browse/JDK-8242894|date=2020-04-30|accessdate=2020-06-11}}
- Win32 SSPI (Schannel) since Windows 8.1 and Windows Server 2012 R2, released October 18, 2013{{cite web|title=What's New in TLS/SSL (Schannel SSP)|date=31 August 2016 |accessdate=2020-03-30|url=https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831771(v=ws.11)?redirectedfrom=MSDN#whats-new-in-tlsssl-schannel-ssp-in-windows-server-2012-r2-and-windows-81}}
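As an added example (not code from the page or from any of the libraries listed above), the following Go program uses the standard library's crypto/tls, listed above since Go 1.4, to perform the negotiation described in the lead section: each side lists its protocols in NextProtos, the client reads the outcome from ConnectionState().NegotiatedProtocol, and, in Go 1.17 and later, a server that shares no protocol with the client aborts the handshake with the no_application_protocol alert instead of silently continuing. The handshake runs entirely in memory over net.Pipe with a throwaway self-signed certificate generated inline; the function names and the protocol lists are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedLocalhost makes a throwaway certificate for "localhost" plus a root
// pool that trusts it, so the client verifies the server normally without any
// files or network. Constructed for this example only; not for production use.
func selfSignedLocalhost() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "localhost"},
		DNSNames:              []string{"localhost"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// negotiate runs a complete TLS handshake over an in-memory pipe. The server
// advertises serverProtos (its preference order decides), the client offers
// clientProtos, and the result is whatever crypto/tls negotiated. If the two
// lists share nothing, the server sends no_application_protocol and both
// Handshake calls fail.
func negotiate(serverProtos, clientProtos []string) (string, error) {
	cert, pool, err := selfSignedLocalhost()
	if err != nil {
		return "", err
	}
	srvConn, cliConn := net.Pipe()
	defer srvConn.Close() // close the raw pipe ends so neither side blocks on a close_notify write
	defer cliConn.Close()

	server := tls.Server(srvConn, &tls.Config{
		Certificates:           []tls.Certificate{cert},
		NextProtos:             serverProtos,
		MinVersion:             tls.VersionTLS12,
		SessionTicketsDisabled: true, // keeps the server's flight ending at Finished, which the unbuffered pipe needs
	})
	client := tls.Client(cliConn, &tls.Config{
		RootCAs:    pool,
		ServerName: "localhost",
		NextProtos: clientProtos,
		MinVersion: tls.VersionTLS12,
	})

	serverErr := make(chan error, 1)
	go func() { serverErr <- server.Handshake() }()
	clientErr := client.Handshake()
	if err := <-serverErr; err != nil {
		return "", fmt.Errorf("server: %w", err)
	}
	if clientErr != nil {
		return "", fmt.Errorf("client: %w", clientErr)
	}
	return client.ConnectionState().NegotiatedProtocol, nil
}

func main() {
	for _, c := range []struct{ server, client []string }{
		{[]string{"h2", "http/1.1"}, []string{"h2", "http/1.1"}},
		{[]string{"http/1.1", "h2"}, []string{"h2", "http/1.1"}}, // server preference wins
		{[]string{"spdy/3"}, []string{"h2", "http/1.1"}},         // no overlap: fatal alert
	} {
		proto, err := negotiate(c.server, c.client)
		fmt.Printf("server %v, client %v -> %q, err=%v\n", c.server, c.client, proto, err)
	}
}
```

The second case is the one worth remembering when reviewing a deployment: the client may list h2 first, but RFC 7301 lets the server's own preference order decide, so a server configured with http/1.1 ahead of h2 will quietly keep every client on HTTP/1.1.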
History
= Next Protocol Negotiation =
In January 2010, Google submitted an IETF Internet-Draft describing the Next Protocol Negotiation (NPN) TLS extension.{{Cite journal|last=Langley|first=A.|date=January 20, 2010|title=Transport Layer Security (TLS) Next Protocol Negotiation Extension|url=https://datatracker.ietf.org/doc/html/draft-agl-tls-nextprotoneg-00|website=IETF Datatracker}} This extension was used to negotiate experimental SPDY connections between Google Chrome and some of Google's servers. As SPDY evolved, NPN was replaced with ALPN.
= Application-Layer Protocol Negotiation =
On July 11, 2014, ALPN was published as {{IETF RFC|7301}}. ALPN replaces the Next Protocol Negotiation (NPN) extension.{{cite web|last=Langley|first=Adam|title=NPN and ALPN|url=https://www.imperialviolet.org/2013/03/20/alpn.html|accessdate=2 April 2013}}
TLS False Start was disabled in Google Chrome from version 20 (2012) onward, except for websites supporting the earlier NPN extension.{{cite web|last=Langley|first=Adam|title=False Start's Failure (11 Apr 2012)|url=https://www.imperialviolet.org/2012/04/11/falsestart.html|accessdate=25 September 2013}}
Example
ALPN is a TLS extension sent in the first message of the TLS handshake, the 'Client Hello'; it lists, in the client's order of preference, the protocols that the client (for example, a web browser) supports:
Handshake Type: Client Hello (1)
Length: 141
Version: TLS 1.2 (0x0303)
Random: dd67b5943e5efd0740519f38071008b59efbd68ab3114587...
Session ID Length: 0
Cipher Suites Length: 10
Cipher Suites (5 suites)
Compression Methods Length: 1
Compression Methods (1 method)
Extensions Length: 90
[other extensions omitted]
Extension: application_layer_protocol_negotiation (len=14)
Type: application_layer_protocol_negotiation (16)
Length: 14
ALPN Extension Length: 12
ALPN Protocol
ALPN string length: 2
ALPN Next Protocol: h2
ALPN string length: 8
ALPN Next Protocol: http/1.1
The resulting 'Server Hello' from the web server also contains the ALPN extension, now carrying exactly one protocol name, which confirms the protocol that will be used for the HTTP request:
Handshake Type: Server Hello (2)
Length: 94
Version: TLS 1.2 (0x0303)
Random: 44e447964d7e8a7d3b404c4748423f02345241dcc9c7e332...
Session ID Length: 32
Session ID: 7667476d1d698d0a90caa1d9a449be814b89a0b52f470e2d...
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Compression Method: null (0)
Extensions Length: 22
[other extensions omitted]
Extension: application_layer_protocol_negotiation (len=5)
Type: application_layer_protocol_negotiation (16)
Length: 5
ALPN Extension Length: 3
ALPN Protocol
ALPN string length: 2
ALPN Next Protocol: h2
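To make the two dissections above concrete, here is an added example (not from the page, RFC 7301 or any library) in Go that encodes and parses the ALPN extension_data shown in them and applies the two negotiation rules a TLS stack must enforce: the server picks by its own preference order and rejects a client it shares nothing with, and the client accepts a Server Hello only if it names exactly one protocol that the client actually offered. The function names and the sample protocol lists are the example's own; the bytes it produces for h2 and http/1.1 are the 14-byte extension seen in the Client Hello above.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// TLS ExtensionType value for application_layer_protocol_negotiation (IANA registry, RFC 7301).
const extTypeALPN uint16 = 16

// ErrNoApplicationProtocol is the no-overlap outcome; per RFC 7301 the server
// answers it with a fatal no_application_protocol(120) alert.
var ErrNoApplicationProtocol = errors.New("alpn: no_application_protocol")

// encodeALPN builds the extension_data body defined in RFC 7301 section 3.1:
//
//	opaque ProtocolName<1..2^8-1>;
//	ProtocolName protocol_name_list<2..2^16-1>;
func encodeALPN(protos []string) ([]byte, error) {
	if len(protos) == 0 {
		return nil, errors.New("alpn: protocol_name_list must not be empty")
	}
	var list []byte
	for _, p := range protos {
		if len(p) == 0 || len(p) > 255 {
			return nil, fmt.Errorf("alpn: invalid ProtocolName length %d", len(p))
		}
		list = append(list, byte(len(p)))
		list = append(list, p...)
	}
	if len(list) > 0xffff {
		return nil, errors.New("alpn: protocol_name_list too long")
	}
	body := make([]byte, 2, 2+len(list))
	binary.BigEndian.PutUint16(body, uint16(len(list)))
	return append(body, list...), nil
}

// wrapExtension prepends the generic Extension header (extension_type and
// extension_data length), giving the bytes behind "Type: ... (16)" and "Length: 14" above.
func wrapExtension(body []byte) []byte {
	ext := make([]byte, 4, 4+len(body))
	binary.BigEndian.PutUint16(ext[0:], extTypeALPN)
	binary.BigEndian.PutUint16(ext[2:], uint16(len(body)))
	return append(ext, body...)
}

// decodeALPN parses an extension_data body. A list length that disagrees with
// the data, or an empty ProtocolName, is a malformed extension: abort the
// handshake rather than guess at what the peer meant.
func decodeALPN(body []byte) ([]string, error) {
	if len(body) < 2 {
		return nil, errors.New("alpn: body shorter than the list length field")
	}
	n := int(binary.BigEndian.Uint16(body))
	if n == 0 || n != len(body)-2 {
		return nil, fmt.Errorf("alpn: list length %d does not match %d bytes of data", n, len(body)-2)
	}
	var protos []string
	for rest := body[2:]; len(rest) > 0; {
		l := int(rest[0])
		if l == 0 || 1+l > len(rest) {
			return nil, errors.New("alpn: invalid ProtocolName length")
		}
		protos = append(protos, string(rest[1:1+l]))
		rest = rest[1+l:]
	}
	return protos, nil
}

// selectProtocol is the server side of RFC 7301 section 3.2: the server's own
// preference order decides, not the order in which the client listed its protocols.
func selectProtocol(serverPrefs, clientOffered []string) (string, error) {
	offered := make(map[string]bool, len(clientOffered))
	for _, p := range clientOffered {
		offered[p] = true
	}
	for _, p := range serverPrefs {
		if offered[p] {
			return p, nil
		}
	}
	return "", ErrNoApplicationProtocol
}

// acceptServerChoice is the client-side check: the Server Hello body must carry
// exactly one ProtocolName, and it must be one the client offered. Without this
// check a server could steer the client into a protocol it never asked for.
func acceptServerChoice(offered []string, serverBody []byte) (string, error) {
	protos, err := decodeALPN(serverBody)
	if err != nil {
		return "", err
	}
	if len(protos) != 1 {
		return "", fmt.Errorf("alpn: server sent %d protocols, want exactly 1", len(protos))
	}
	for _, p := range offered {
		if p == protos[0] {
			return p, nil
		}
	}
	return "", fmt.Errorf("alpn: server chose %q, which the client did not offer", protos[0])
}

func main() {
	// Constructed input: the same list as the Client Hello dissected on this page.
	clientBody, _ := encodeALPN([]string{"h2", "http/1.1"})
	fmt.Printf("Client Hello extension: % x\n", wrapExtension(clientBody))
	offered, _ := decodeALPN(clientBody)
	chosen, err := selectProtocol([]string{"h2", "http/1.1"}, offered)
	fmt.Println("server selects:", chosen, err)
	serverBody, _ := encodeALPN([]string{chosen})
	fmt.Printf("Server Hello extension: % x\n", wrapExtension(serverBody))
	fmt.Println(acceptServerChoice(offered, serverBody))
	_, err = selectProtocol([]string{"spdy/3"}, offered)
	fmt.Println("no overlap:", err)
}
```

Running it prints the Client Hello extension as 00 10 00 0e 00 0c 02 68 32 08 68 74 74 70 2f 31 2e 31, matching the type 16, length 14 and list length 12 in the dissection, and the Server Hello extension with length 5 and list length 3 carrying only h2.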
References
{{Reflist}}
External links
- [https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids TLS Application-Layer Protocol Negotiation (ALPN) Protocol IDs], the registry of ALPN protocol identifiers maintained by IANA
- [https://tools.ietf.org/html/draft-agl-tls-nextprotoneg-04 draft-agl-tls-nextprotoneg-04 (NPN draft)] (last updated: May 2012)
- {{IETF RFC|7301}} "Transport Layer Security (TLS) Application-Layer Protocol Negotiation Extension"
{{SSL/TLS}}
Category:Transport Layer Security
Category:Telecommunications engineering