[jsr369-experts] Re: [servlet-spec users] Re: Re: Re: Re: Servlet 4.0 and ALPN

From: Greg Wilkins <gregw_at_webtide.com>
Date: Fri, 29 Jul 2016 13:08:39 +1000

On 29 July 2016 at 12:49, Stuart Douglas <sdouglas_at_redhat.com> wrote:

> My question was basically why do you need to discard the first
> SslEngine if it comes up with an acceptable protocol+cipher combo
> (which should be the case the majority of the time).

Sure, you can make a pretty good educated guess that the cipher will be h2
acceptable and set that on the SslEngine before doing the unwrap. If the
selected cipher is indeed acceptable, then you can proceed with that

But the edge case still exists where the negotiated cipher will not be h2
acceptable, so in that case the only current option is to discard the
SslEngine and replay the hello to a new one.

I suspect that this will be too much for many implementations and they will
not implement that code and will either fail on these edge cases or attempt
to use the unacceptable cipher (which will then put it back to the client
if they fail the connection or also continue).

So yes we can be more efficient in the hopefully common case of mostly
having h2 acceptable ciphers. But in general, the current SslEngine does
not allow you to set a protocol choice until after the selection of a
cipher that may influence the protocol choice. Note that eventually we
may get h3 or other ALPN protocols to negotiate and thus any happenstance
efficiencies may not continue unless the design is right.


Greg Wilkins <gregw@webtide.com> CTO http://webtide.com