Re: TLS ALPN Proposal v2

[Xuelei Fan]

On 6/5/2015 8:37 AM, Bradford Wetmore wrote:
>> I'd like to use:
>>
>> -  * Gets the application protocol value(s) received from the peer
>> -  * for this connection.
>> +  * Gets a {@link List} of requested application protocol value(s)
>> +  * for this connection.
> 
> I've never seen a link inside an opening sentence.  I have seen @code,
> but there's only 6 in the entire java namespace.
Better to use @code.

Xuelei

Re: TLS ALPN Proposal v2

[Xuelei Fan]

Hi,

See inlines, please.

On 6/5/2015 5:30 AM, Simone Bordet wrote:
> Hi,
> 
> On Thu, Jun 4, 2015 at 6:50 PM, Xuelei Fan  wrote:
>> Hm, I see your point now.  But I may not agree with your ALPN "MUST
>> happen after" protocol/cipher suite negotiation conclusion.
>>
>> I parse this section as, a H2 server must be strong enough(comply to
>> RFC7540), and a H2 client must also be strong enough (comply to
>> RFC7540).  Otherwise, both side may terminated the connection, and
>> cannot declare as complying to H2.  It is not necessary for an
>> application protocol selector to detect whether a H2 server/client
>> comply to H2 or not.
>>
>> If "H2" is requested, it means that the client supports H2. Otherwise,
>> it's a client application bug.
> 
> Not that simple, see below.
> 
>> If "H2" is selected by a selected, it
>> means that the selected server supports H2.  Otherwise, it is a selector
>> implementation bug.  If something wrong in either client or server, it
>> is expected to terminate the connection immediately, rather than
>> downgrade to a not-strong enough level.
>>
>> From the points above, I think an application protocol selector may not
>> need to know the negotiated protocol version and cipher suite.
> 
> No.
> 
> The client may send ciphers that are valid for http/1.1 (but invalid
> for h2), along with ciphers that are good for h2 (as well as http/1.1
> of course), plus the list of protocols it supports.
> The client has no idea what the server supports.
> 
I think it should be true that if a client requests h2, the client MUST
support H2 and the requested cipher suites MUST contains at least one H2
required cipher suite.  Otherwise, it's bug in client side.

> When the server sees that the client supports h2, it MUST pick a
> cipher that is valid for h2.
> Alternatively, the ciphers on the server are sorted so that those
> valid for h2 have higher priority (they are attempted before all the
> others), so that there is a high chance that a h2 valid cipher is
> chosen (but no guarantee) before choosing the application protocol.
> When the application protocol selector callback is invoked, it can
> only pick h2 IFF the cipher is h2 valid, otherwise it has to fallback
> to http/1.1.
> 
I think it should be true that if a server can negotiate h2, the server
MUST support H2 and the enabled cipher suites MUST contains at least one
H2 required cipher suite.  Otherwise, it's bug in server side.

It's instinctive that if a server support h2, and then the application
protocol selector would select h2.  If the server declare to support h2,
but no suitable cipher suites, it may be a server bug.  The connection
should be terminated rather than downgrade to HTTP/1.1, I think.

Is it possible that client only request h2_valid_cipher_a, but server
only support h2_valid_cipher_b, and as would result in that there is no
common cipher suites between client and server for H2?  It is possible,
surely.  Should the connection be terminated, or fall-back to HTTP/1.1?
 I think connection should be terminated immediately, rather than
fall-back to HTTP/1.1.  Per page 68, section 9.2.2, RFC 7540, there is
an mandatory cipher suite (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) MUST
be supported in both client and server.  If there is no common cipher
suites between client and server for H2, it is actually a bad
deployments, and the connection should be terminated rather than
fall-back to HTTP/1.1.  Version downgrading is not a safe behavior, I think.

> With your reasoning, the client can send [h2_invalid_cipher,
> h2_valid_cipher], the server may pick h2_invalid_cipher, then the
> application protocol selector is invoked, which will only look at the
> protocols, pick h2 since it's supported by client and server, and now
> you have an invalid connection: the h2 protocol with
> h2_invalid_cipher.
> 
That's an interesting case.  The question actually is: between requested
application protocols and cipher suites, which preference should be
respected at first.  Because it is a application requirement that a
certain cipher suite is not suitable to H2, I think requested
application protocols should be respected at first.

My scenarios look like:
1. client sends [h2_invalid_cipher, h2_valid_cipher] and h2/http/1.1
application protocol.
2. server selects h2 (we need an API for the selection).
3. server selects h2_valid_cipher because of h2 is selected previously
(may need an API for the selection).

In #1, if there is no h2_valid_cipher requested, it is a bug in client side.
In #3, if there is no h2_valid_cipher that can be negotiated, it is a
bug in server side, or the client does not enabled the mandatory cipher
suite (a bug in client).

> We have been through these issues for months in the RFC 7540 expert
> group, and the outcome is that protocol selection, for h2, depends on
> the cipher.
> We have also been through a number of scenarios where both the client
> and the server send h2 valid ciphers, but their intersection is empty
> (

Re: TLS ALPN Proposal v2

[Bradford Wetmore]

On 6/2/2015 11:23 PM, Xuelei Fan wrote:

src/java.base/share/classes/javax/net/ssl/ExtendedSSLSession.java
=

List getReceivedApplicationProtocols()
--
C1. It might be useful to know the client requested application
protocols in some circumstance.  Better to set the application protocols
in client side either.


For ALPN, the client supplies the list, the server chooses.  For NPN, 
the server supplies the list, the client chooses.  So it's a list of 
received (requested) protocols.  I've changed it for now, not a big deal 
to me.



I'd like to use:

-  * Gets the application protocol value(s) received from the peer
-  * for this connection.
+  * Gets a {@link List} of requested application protocol value(s)
+  * for this connection.


I've never seen a link inside an opening sentence.  I have seen @code, 
but there's only 6 in the entire java namespace.  The



-public List getReceivedApplicationProtocols() {
+public List getRequesedApplicationProtocols() {


I'll assume that was supposed to be requested.  :)


C2. The return value would better to be immutable, and better to
describe the preference per RFC 7301.  Maybe looks like:
-* @return the non-null list of application protocol names
+* @return the non-null immutable list of application protocol
+* names, in descending order of preference.  The returned
+* list may be empty if no application protocols were
+* requested.


Done.


src/java.base/share/classes/javax/net/ssl/SSLParameters.java


List getApplicationProtocols()
--
C3. Better to indicate explicitly that this method only apply to client
mode.


See above.


C4. The method description is not instinctive enough for an application
developer.  Can we use words to indicate the purpose of the setting?
For example:
-  * Gets the list of application-level protocol names that could
-  * be sent to the SSL/TLS peer.
+  * Gets the {@link List} of application layer protocol names that
+  * can be negotiated over SSL/TLS/DTLS protocols.


Changed, except for the @link.


C5. Prefer to use immutable return value:
-  * @return a non-null list of application protocol names.
+  * @return a non-null immutable list of application protocol names.


Changed.


C6. Nice to have a link for the standard protocol names.


I wasn't planning on having a list of standard protocol names.
See below.


void setApplicationProtocols(List protocols)

C7. see C3.
C8. see C4.


Changed.


s/getApplicationProtocolSelector()
--
C9. The use of SSLFunction make the implementation of
protocol selector and JSSE provider implementation complicated.

 From the spec, looks like the selector may want to know address/ports,
SSL protocol versions or the negotiated cipher suit.  As would require
that before use this selector, the handshaking must negotiate the
protocol version and the cipher suite.  That's a specific JSSE
implementation requirement.  It does not sound like a reasonable behavior.

The implement of the selector is not straightforward, I think.

Per section 4, RFC 7301:
   "... The
"application_layer_protocol_negotiation" ServerHello extension is
intended to be definitive for the connection (until the connection is
renegotiated) and is sent in plaintext to permit network elements to
provide differentiated service for the connection when the TCP or UDP
port number is not definitive for the application-layer protocol to
be used in the connection.  By placing ownership of protocol
selection on the server, ALPN facilitates scenarios in which
certificate selection or connection rerouting may be based on the
negotiated protocol."

Per my understanding, application protocol should be negotiated before
cipher suite and protocol version negotiated.  And the connection may be
rerouted (even to different machines) for further operation.  The
requested application protocols list should be the only information for
the selection of a suitable application protocol.

Based on that, I think it is more simple to use Simone's proposal:

@FunctionalInterface
interface ApplicationProtocolSelector
{
 String select(List protocols) throws SSLException;
}

Hence, no need for a SSLBase any more.


There's been a lot of discussion this morning, I'll return to this later 
when I've had a chance to parse it.



public static final String AP_HTTP_1_1 = "http/1.1";
public static final String AP_H2 = "h2";

C10. I understand why the constants are defined here.  However, usually,
we don't define standard names in JSSE APIs.  Instead, we normally use
Oracle standard names documentation.


This is not really a Standard Name in our normal sense/usage.  Usuall

Re: RFR 7191662: JCE providers should be located via ServiceLoader

[Valerie Peng]

Build experts,

Can you please review the make file related change, i.e. the new file 
make/gensrc/Gensrc-java.naming.gmk, in the following webrev: 
http://cr.openjdk.java.net/~valeriep/7191662/webrev.03


This is for merging the java.security.Provider file from various 
providers and use the (merged) result for the final image build.


Thanks,
Valerie

On 6/3/2015 10:27 AM, Valerie (Yu-Ching) Peng wrote:


Correct, if the makefile related changes are removed then no need for 
build team to review 7191662 webrev anymore.
There are other discussions ongoing and we should be able to reach a 
decision in a day or two.

Will update the list again.
Thanks,
Valerie

On 06/01/15 16:39, Magnus Ihse Bursie wrote:

On 2015-05-29 00:10, Valerie Peng wrote:


Please find comments in line...

On 5/27/2015 3:42 PM, Mandy Chung wrote:

Valerie,

Did you see my comment yesterday?
http://mail.openjdk.java.net/pipermail/security-dev/2015-May/012254.html 

Yes, we exchanged emails after this above one. I will follow up your 
latest one later today.




Since you have reverted the java.security to keep the classname, to 
avoid causing merge conflict to jimage refresh, let’s remove the 
META-INF files in the first push and the build change.


The security providers will be loaded via the fallback mechanism 
(i.e. ProviderLoader.legacyLoad method).  You should keep the 
ProviderLoader.load method to take the provider name instead of 
classname.
Sure, I can remove the META-INF files so the providers are loaded 
through the legacyLoad().
Hmm, the ProviderLoader.load() method is used by java.security file 
provider loading. Since the current list still uses class name, it 
should take class name when checking for matches while iterating 
through the list returned by ServiceLoader.
This way, when changes are sync'ed into Jake, no extra change 
required and the providers will be loaded through 
ProviderLoader.load() automatically with the current list.


I’ll file a bug to follow up to change java.security to list the 
provider name.  This will wait after the jimage refresh goes into 
jdk9/dev

Ok.
Thanks,
Valerie


I'm not sure I followed completely here were this landed. Does this 
mean that there's currently no need for a build system code review on 
http://cr.openjdk.java.net/~valeriep/7191662/webrev.01/, and that a 
new webrev will be posted instead?


/Magnus




.

Mandy

On May 27, 2015, at 3:29 PM, Valerie 
Peng  wrote:


Hi, build experts,

Can you please review the make file related change, i.e. the new 
file make/gensrc/Gensrc-java.naming.gmk, in the following webrev:

http://cr.openjdk.java.net/~valeriep/7191662/webrev.01/

This is for merging the java.security.Provider file from various 
providers and use the (merged) result for the final image build.


The rest of source code changes are reviewed by my team already.
Thanks,
Valerie
(Java Security Team)

Re: TLS ALPN Proposal v2

[Simone Bordet]

Hi,

On Thu, Jun 4, 2015 at 6:50 PM, Xuelei Fan  wrote:
> Hm, I see your point now.  But I may not agree with your ALPN "MUST
> happen after" protocol/cipher suite negotiation conclusion.
>
> I parse this section as, a H2 server must be strong enough(comply to
> RFC7540), and a H2 client must also be strong enough (comply to
> RFC7540).  Otherwise, both side may terminated the connection, and
> cannot declare as complying to H2.  It is not necessary for an
> application protocol selector to detect whether a H2 server/client
> comply to H2 or not.
>
> If "H2" is requested, it means that the client supports H2. Otherwise,
> it's a client application bug.

Not that simple, see below.

> If "H2" is selected by a selected, it
> means that the selected server supports H2.  Otherwise, it is a selector
> implementation bug.  If something wrong in either client or server, it
> is expected to terminate the connection immediately, rather than
> downgrade to a not-strong enough level.
>
> From the points above, I think an application protocol selector may not
> need to know the negotiated protocol version and cipher suite.

No.

The client may send ciphers that are valid for http/1.1 (but invalid
for h2), along with ciphers that are good for h2 (as well as http/1.1
of course), plus the list of protocols it supports.
The client has no idea what the server supports.

When the server sees that the client supports h2, it MUST pick a
cipher that is valid for h2.
Alternatively, the ciphers on the server are sorted so that those
valid for h2 have higher priority (they are attempted before all the
others), so that there is a high chance that a h2 valid cipher is
chosen (but no guarantee) before choosing the application protocol.
When the application protocol selector callback is invoked, it can
only pick h2 IFF the cipher is h2 valid, otherwise it has to fallback
to http/1.1.

With your reasoning, the client can send [h2_invalid_cipher,
h2_valid_cipher], the server may pick h2_invalid_cipher, then the
application protocol selector is invoked, which will only look at the
protocols, pick h2 since it's supported by client and server, and now
you have an invalid connection: the h2 protocol with
h2_invalid_cipher.

We have been through these issues for months in the RFC 7540 expert
group, and the outcome is that protocol selection, for h2, depends on
the cipher.
We have also been through a number of scenarios where both the client
and the server send h2 valid ciphers, but their intersection is empty
(this may happen when a very old client talks to a very new server,
think TLS 1.2 vs TLS 1.4, or viceversa).
Same outcome: to pick h2 you MUST have a h2 valid cipher in common
between client and server, so application protocol selection, for h2,
depends on the cipher.

A bit of warning here: we are designing an API for ALPN, not for HTTP/2.
The ALPN API should be flexible enough to implement *at least* HTTP/2,
possibly even more complex scenarios (for example alias selection),
but IMHO it should not be tied to HTTP/2.

Again, I see 2 cases: either the JDK implementation picks the TLS
protocol, the cipher and the alias like it does now, and then invokes
the "callback" to pick the application protocol (current Jetty ALPN
behavior), or the implementation must be reviewed to perform TLS
protocol, cipher, alias and application protocol selection at once,
with a "callback" that will be invoked possibly multiple times until
it can find the right tuple to return.

The latter would be the optimal solution, the former has certainly
working implementations.

Hope this clarified.

Thanks !

-- 
Simone Bordet
http://bordet.blogspot.com
---
Finally, no matter how good the architecture and design are,
to deliver bug-free software with optimal performance and reliability,
the implementation technique must be flawless.   Victoria Livschitz

RSA intrinsics [Was: RFR(L): 8069539: RSA acceleration]

[Andrew Haley]

I'm sorry this is a rather long email, and I pray for your patience.

I'm getting close to something I can put forward for review.  The
performance is encouraging.

[ Some background: The kernel of RSA and Diffie-Hellman key exchange
is Montgomery multiplication.  Optimizing RSA basically comes down to
optimizing Montgomery multiplication.  The core of OpenJDK's RSA is
BigInteger.oddModPow().  ]

My Montgomery multiply routine (mostly portable C, with a small
assembly-language insert) executes a 1024-bit multiply/reduce in about
2000ns; the hand-coded assembly language equivalent in OpenSSL is
faster (as you'd expect) but not very much faster: about 1700ns.  In
other words, compiled C is only about 20% slower.

Firstly, this is pretty remarkable performance by GCC (Yay!  Go GCC!)
and it shows I'm on the right track.  It also shows that there isn't a
huge amount to be gained by hand-coding Montgomery multiplication, but
anybody who fancies their hand can try to improve on GCC.  This is
also very nice because porting it to non-x86 hardware is fairly
straightforward -- certainly far easier than writing a large assembly-
language routine.

Here are some numbers for comparison.

Today's hs-comp:

  signverifysign/s verify/s
rsa  512 bits 0.000133s 0.09s   7508.5 112819.1
rsa 1024 bits 0.000667s 0.28s   1498.6  35497.2
rsa 2048 bits 0.003867s 0.97s258.6  10342.7
rsa 4096 bits 0.026383s 0.000357s 37.9   2799.8

After my patch:

  signverifysign/s verify/s
rsa  512 bits 0.71s 0.05s  14127.3 204112.4
rsa 1024 bits 0.000292s 0.13s   3424.5  74204.1
rsa 2048 bits 0.001628s 0.45s614.4  22399.7
rsa 4096 bits 0.010966s 0.000163s 91.2   6117.8

So, it's about twice as fast we have at present.

[ Note that this comparison includes the latest "8081778: Use Intel
x64 CPU instructions for RSA acceleration" patch. ]

However, even after my patch OpenJDK is still somewhat slower than
OpenSSL, which is:

  signverifysign/s verify/s
rsa  512 bits 0.48s 0.04s  20687.1 257399.4
rsa 1024 bits 0.000189s 0.11s   5288.3  91711.5
rsa 2048 bits 0.001174s 0.37s851.7  27367.2
rsa 4096 bits 0.008475s 0.000137s118.0   7305.4

[ I am assuming that OpenSSL represents something like the "speed of
light" for RSA on x86: this is carefully hand-coded assembly language
and C, hand tuned.  Getting anywhere near OpenSSL is a major win. ]

Here's my problem:

Some of this slowdown is due to the overhead of using the JCE, but not
very much.  Quite a lot of it, however, is due to the fact that the
scratch memory used in oddModPow() is a big-endian array of jints.  I
have to convert the big-endian jints into native jlongs to do the
multiply on little-endian x86-64.

If I do the word reversal during the multiply (i.e. keep all data in
memory in little-endian form, swap words when reading and writing to
memory) the performance is horrible: a 1024-bit multiply takes 3000ns,
50% longer.  This perhaps isn't very surprising: if you do the
word-reversal before the multiplication you have O(N) swaps, if you do
it during the multiplication you have O(N^2).

I have found that the best thing to do is to word reverse all the data
in memory into temporary little-endian arrays and do the work on them.
It's much faster, but still really is very annoying: for 1024-bit RSA
the word reversal is 14% of the total runtime.

It would be nice to keep all of the data in an array of jlongs for the
duration of oddModPow().  Here's one idea: I could write a version of
oddModPow() which is guaranteed never to use the Java version of the
Montgomery multiply.  This would use a JNI method which calls the
native Montgomery multiply routine, guaranteeing that that we always
use that native routine, even from the interpreter and C1.  Then I
could keep all the internal state in native word order, and all this
word-swapping would just go away.  This would have the additional
benefit that it would be faster when using the interpreter and C1.
So, we'd have two versions of oddModPow() in BigInteger, and switch
between them depending on whether the platform had support for a
native Montgomery multiplication.

The downside of having two versions of oddModPow() would, of course,
be some code duplication.

Or am I just making too much fuss about this?  Maybe I should be happy
with what I've got.

Thank you for reading this far,

Andrew.

Re: TLS ALPN Proposal v2

[Xuelei Fan]

On 6/5/2015 12:12 AM, Simone Bordet wrote:
> Hi,
> 
> On Thu, Jun 4, 2015 at 5:53 PM, Xuelei Fan  wrote:
>> On 6/4/2015 8:19 PM, Simone Bordet wrote:
>>> This is not possible for HTTP/2.
>>> Application protocol negotiation MUST happen *after* the TLS protocol
>>> and the TLS cipher are negotiated.
>>>
>> Why? Is it a spec of HTTP/2?  It is a point I don't understand now.
>> Please help with more details.
> 
> http://tools.ietf.org/html/rfc7540#section-9.2
> 
> You can only speak h2 if the cipher is strong enough as defined by RFC 7540.
> 
Hm, I see your point now.  But I may not agree with your ALPN "MUST
happen after" protocol/cipher suite negotiation conclusion.

I parse this section as, a H2 server must be strong enough(comply to
RFC7540), and a H2 client must also be strong enough (comply to
RFC7540).  Otherwise, both side may terminated the connection, and
cannot declare as complying to H2.  It is not necessary for an
application protocol selector to detect whether a H2 server/client
comply to H2 or not.

If "H2" is requested, it means that the client supports H2. Otherwise,
it's a client application bug.  If "H2" is selected by a selected, it
means that the selected server supports H2.  Otherwise, it is a selector
implementation bug.  If something wrong in either client or server, it
is expected to terminate the connection immediately, rather than
downgrade to a not-strong enough level.

>From the points above, I think an application protocol selector may not
need to know the negotiated protocol version and cipher suite.

Thanks,
Xuelei

Re: TLS ALPN Proposal v2

[Simone Bordet]

Hi,

On Thu, Jun 4, 2015 at 5:53 PM, Xuelei Fan  wrote:
> On 6/4/2015 8:19 PM, Simone Bordet wrote:
>> This is not possible for HTTP/2.
>> Application protocol negotiation MUST happen *after* the TLS protocol
>> and the TLS cipher are negotiated.
>>
> Why? Is it a spec of HTTP/2?  It is a point I don't understand now.
> Please help with more details.

http://tools.ietf.org/html/rfc7540#section-9.2

You can only speak h2 if the cipher is strong enough as defined by RFC 7540.

-- 
Simone Bordet
http://bordet.blogspot.com
---
Finally, no matter how good the architecture and design are,
to deliver bug-free software with optimal performance and reliability,
the implementation technique must be flawless.   Victoria Livschitz

Re: TLS ALPN Proposal v2

[Michael McMahon]

On 04/06/15 15:18, Simone Bordet wrote:

Hi,

On Thu, Jun 4, 2015 at 3:08 PM, Michael McMahon
 wrote:

On 04/06/15 13:19, Simone Bordet wrote:

Hi,

On Wed, Jun 3, 2015 at 8:23 AM, Xuelei Fan  wrote:

Per section 4, RFC 7301:
"... The
 "application_layer_protocol_negotiation" ServerHello extension is
 intended to be definitive for the connection (until the connection is
 renegotiated) and is sent in plaintext to permit network elements to
 provide differentiated service for the connection when the TCP or UDP
 port number is not definitive for the application-layer protocol to
 be used in the connection.  By placing ownership of protocol
 selection on the server, ALPN facilitates scenarios in which
 certificate selection or connection rerouting may be based on the
 negotiated protocol."

Per my understanding, application protocol should be negotiated before
cipher suite and protocol version negotiated.

This is not possible for HTTP/2.
Application protocol negotiation MUST happen *after* the TLS protocol
and the TLS cipher are negotiated.


What do you mean by "after"? As far as TLS is concerned, all of this
negotiation happens in one negotiation. The client proposes a list of
ciphers and application protocols. The server chooses a cipher
and application protocol and sends back its choices.

Currently, IIUC, the cipher selection is an iterative process where a
cipher is attempted until one is negotiated.
In this process, there is no looking at the application protocol.

Here we're trying to find a solution for ALPN, and either we 1) look
the application protocol in this iterative process (and therefore the
SSLFunction is invoked multiple times), so that TLS protocol, cipher
(possibly the alias too) and application protocol are chosen together,
at once (for each iteration); or 2) we separate the TLS protocol and
cipher negotiation (and alias) in one step, and we perform application
protocol selection afterwards.
The latter is how Jetty's ALPN works, and that's what I mean with *after*.
For HTTP/2 it won't work to pick the application protocol before the
cipher. Either at the same time, or after.

That is why I asked to specify how the mechanism worked.


Okay. I've been looking at it from the client point of view, and
as far as I understand it, all of the information is available to the client
at the right time.


The HTTP/2 RFC specifically warns against splitting this negotiation
with the example that a client could propose a mandatory TLS 1.2 cipher,
but which is black-listed by HTTP/2. If (internally) the server chooses that
cipher first,
without knowing the application protocol is going to be HTTP/2
then you end up with a non-compliant connection that will probably have
to be closed for reason of insufficient security.

If the server chooses a blacklisted cipher, and then "h2" as protocol,
it's a non compliant server.
Communication of clients with compliant (and properly configured)
servers is guaranteed if the application protocol is chosen after (or
at the same time of) the cipher.

If I understand you correctly, you are proposing to rework the
internal JDK code to perform TLS protocol, cipher, alias and
application protocol in one point, which is then possibly iterated
multiple times until a satisfactory tuple is selected ?

I am fine with this approach too, but I guess the API will be very
different from Jetty's ALPN and this current proposal (which is fine
as well - does not have to be similar to Jetty's).
I don't know enough about the TLS implementation to say how much work it is.

Thanks !



Actually, I'm not proposing anything at this stage. But, I wonder if
it might be simpler to just make all relevant information available
to the existing negotiation API, rather than splitting it into separate 
calls


- Michael.

Re: TLS ALPN Proposal v2

[Xuelei Fan]

On 6/4/2015 8:19 PM, Simone Bordet wrote:
> Hi,
> 
> On Wed, Jun 3, 2015 at 8:23 AM, Xuelei Fan  wrote:
>> Per section 4, RFC 7301:
>>   "... The
>>"application_layer_protocol_negotiation" ServerHello extension is
>>intended to be definitive for the connection (until the connection is
>>renegotiated) and is sent in plaintext to permit network elements to
>>provide differentiated service for the connection when the TCP or UDP
>>port number is not definitive for the application-layer protocol to
>>be used in the connection.  By placing ownership of protocol
>>selection on the server, ALPN facilitates scenarios in which
>>certificate selection or connection rerouting may be based on the
>>negotiated protocol."
>>
>> Per my understanding, application protocol should be negotiated before
>> cipher suite and protocol version negotiated.
> 
> This is not possible for HTTP/2.
> Application protocol negotiation MUST happen *after* the TLS protocol
> and the TLS cipher are negotiated.
> 
Why? Is it a spec of HTTP/2?  It is a point I don't understand now.
Please help with more details.

>> And the connection may be
>> rerouted (even to different machines) for further operation.  The
>> requested application protocols list should be the only information for
>> the selection of a suitable application protocol.
> 
> Not sure what you exactly mean here,
Here is an example to explain the "rerouting".

For example, there a four entities, an TLS client, a router, an http/2
over TLS server, and an http/1.1 over TLS server.
1. the client request a connection to the http/2 server, the TCP
connection is established between the client the router at first.
2. the router analysis the ClientHello message, and reroute the
connection to the http/2 server.
3. the client and http/2 server negotiate the TLS connection, including
the SSL protocol and cipher suite.

The router should not be able to play man-in-the-middle negotiation if
it does not know the server credentials.

> but you can't pick the HTTP/2
> protocol unless you have the TLS protocol and TLS cipher available.
> So *only* the list of protocol sent by the client is not enough for
> HTTP/2, we would need additional contextual information.
>
See my question above.


> What a HTTP/2 aware load balancer written in Java that offloads TLS
> would need to do is to negotiate the TLS protocol, negotiate the TLS
> cipher, *then* negotiate the application protocol (whether "h2" or
> "http/1.1"), and with the last information pick a backend server,
> typically forwarding clear text bytes to the backend.
> 
See my question above.

Thanks,
Xuelei

Re: TLS ALPN Proposal v2

[Simone Bordet]

Hi,

On Thu, Jun 4, 2015 at 3:08 PM, Michael McMahon
 wrote:
> On 04/06/15 13:19, Simone Bordet wrote:
>>
>> Hi,
>>
>> On Wed, Jun 3, 2015 at 8:23 AM, Xuelei Fan  wrote:
>>>
>>> Per section 4, RFC 7301:
>>>"... The
>>> "application_layer_protocol_negotiation" ServerHello extension is
>>> intended to be definitive for the connection (until the connection is
>>> renegotiated) and is sent in plaintext to permit network elements to
>>> provide differentiated service for the connection when the TCP or UDP
>>> port number is not definitive for the application-layer protocol to
>>> be used in the connection.  By placing ownership of protocol
>>> selection on the server, ALPN facilitates scenarios in which
>>> certificate selection or connection rerouting may be based on the
>>> negotiated protocol."
>>>
>>> Per my understanding, application protocol should be negotiated before
>>> cipher suite and protocol version negotiated.
>>
>> This is not possible for HTTP/2.
>> Application protocol negotiation MUST happen *after* the TLS protocol
>> and the TLS cipher are negotiated.
>
>
> What do you mean by "after"? As far as TLS is concerned, all of this
> negotiation happens in one negotiation. The client proposes a list of
> ciphers and application protocols. The server chooses a cipher
> and application protocol and sends back its choices.

Currently, IIUC, the cipher selection is an iterative process where a
cipher is attempted until one is negotiated.
In this process, there is no looking at the application protocol.

Here we're trying to find a solution for ALPN, and either we 1) look
the application protocol in this iterative process (and therefore the
SSLFunction is invoked multiple times), so that TLS protocol, cipher
(possibly the alias too) and application protocol are chosen together,
at once (for each iteration); or 2) we separate the TLS protocol and
cipher negotiation (and alias) in one step, and we perform application
protocol selection afterwards.
The latter is how Jetty's ALPN works, and that's what I mean with *after*.
For HTTP/2 it won't work to pick the application protocol before the
cipher. Either at the same time, or after.

That is why I asked to specify how the mechanism worked.

> The HTTP/2 RFC specifically warns against splitting this negotiation
> with the example that a client could propose a mandatory TLS 1.2 cipher,
> but which is black-listed by HTTP/2. If (internally) the server chooses that
> cipher first,
> without knowing the application protocol is going to be HTTP/2
> then you end up with a non-compliant connection that will probably have
> to be closed for reason of insufficient security.

If the server chooses a blacklisted cipher, and then "h2" as protocol,
it's a non compliant server.
Communication of clients with compliant (and properly configured)
servers is guaranteed if the application protocol is chosen after (or
at the same time of) the cipher.

If I understand you correctly, you are proposing to rework the
internal JDK code to perform TLS protocol, cipher, alias and
application protocol in one point, which is then possibly iterated
multiple times until a satisfactory tuple is selected ?

I am fine with this approach too, but I guess the API will be very
different from Jetty's ALPN and this current proposal (which is fine
as well - does not have to be similar to Jetty's).
I don't know enough about the TLS implementation to say how much work it is.

Thanks !

-- 
Simone Bordet
http://bordet.blogspot.com
---
Finally, no matter how good the architecture and design are,
to deliver bug-free software with optimal performance and reliability,
the implementation technique must be flawless.   Victoria Livschitz

Re: TLS ALPN Proposal v2

[Michael McMahon]

On 04/06/15 13:19, Simone Bordet wrote:

Hi,

On Wed, Jun 3, 2015 at 8:23 AM, Xuelei Fan  wrote:

Per section 4, RFC 7301:
   "... The
"application_layer_protocol_negotiation" ServerHello extension is
intended to be definitive for the connection (until the connection is
renegotiated) and is sent in plaintext to permit network elements to
provide differentiated service for the connection when the TCP or UDP
port number is not definitive for the application-layer protocol to
be used in the connection.  By placing ownership of protocol
selection on the server, ALPN facilitates scenarios in which
certificate selection or connection rerouting may be based on the
negotiated protocol."

Per my understanding, application protocol should be negotiated before
cipher suite and protocol version negotiated.

This is not possible for HTTP/2.
Application protocol negotiation MUST happen *after* the TLS protocol
and the TLS cipher are negotiated.


What do you mean by "after"? As far as TLS is concerned, all of this
negotiation happens in one negotiation. The client proposes a list of
ciphers and application protocols. The server chooses a cipher
and application protocol and sends back its choices.

The HTTP/2 RFC specifically warns against splitting this negotiation
with the example that a client could propose a mandatory TLS 1.2 cipher,
but which is black-listed by HTTP/2. If (internally) the server chooses 
that cipher first,

without knowing the application protocol is going to be HTTP/2
then you end up with a non-compliant connection that will probably have
to be closed for reason of insufficient security.

- Michael


And the connection may be
rerouted (even to different machines) for further operation.  The
requested application protocols list should be the only information for
the selection of a suitable application protocol.

Not sure what you exactly mean here, but you can't pick the HTTP/2
protocol unless you have the TLS protocol and TLS cipher available.
So *only* the list of protocol sent by the client is not enough for
HTTP/2, we would need additional contextual information.

What a HTTP/2 aware load balancer written in Java that offloads TLS
would need to do is to negotiate the TLS protocol, negotiate the TLS
cipher, *then* negotiate the application protocol (whether "h2" or
"http/1.1"), and with the last information pick a backend server,
typically forwarding clear text bytes to the backend.

Thanks !

Re: TLS ALPN Proposal v2

[Simone Bordet]

Hi,

On Wed, Jun 3, 2015 at 8:23 AM, Xuelei Fan  wrote:
> Per section 4, RFC 7301:
>   "... The
>"application_layer_protocol_negotiation" ServerHello extension is
>intended to be definitive for the connection (until the connection is
>renegotiated) and is sent in plaintext to permit network elements to
>provide differentiated service for the connection when the TCP or UDP
>port number is not definitive for the application-layer protocol to
>be used in the connection.  By placing ownership of protocol
>selection on the server, ALPN facilitates scenarios in which
>certificate selection or connection rerouting may be based on the
>negotiated protocol."
>
> Per my understanding, application protocol should be negotiated before
> cipher suite and protocol version negotiated.

This is not possible for HTTP/2.
Application protocol negotiation MUST happen *after* the TLS protocol
and the TLS cipher are negotiated.

> And the connection may be
> rerouted (even to different machines) for further operation.  The
> requested application protocols list should be the only information for
> the selection of a suitable application protocol.

Not sure what you exactly mean here, but you can't pick the HTTP/2
protocol unless you have the TLS protocol and TLS cipher available.
So *only* the list of protocol sent by the client is not enough for
HTTP/2, we would need additional contextual information.

What a HTTP/2 aware load balancer written in Java that offloads TLS
would need to do is to negotiate the TLS protocol, negotiate the TLS
cipher, *then* negotiate the application protocol (whether "h2" or
"http/1.1"), and with the last information pick a backend server,
typically forwarding clear text bytes to the backend.

Thanks !

-- 
Simone Bordet
http://bordet.blogspot.com
---
Finally, no matter how good the architecture and design are,
to deliver bug-free software with optimal performance and reliability,
the implementation technique must be flawless.   Victoria Livschitz

Re: TLS ALPN Proposal v2

[Simone Bordet]

Hi,

On Wed, Jun 3, 2015 at 2:56 AM, Bradford Wetmore
 wrote:
> Hi,
>
> I have just posted the second iteration of the ALPN proposal which hopefully
> addresses all of the comments raised here.  It is in javadoc format, but
> things can certainly be adjusted:
>
> http://cr.openjdk.java.net/~wetmore/8051498/webrev.00/
>
> Please see the archive [1] for previous design discussion.  I will be
> writing up usage examples in the next few days.
>
> The significant changes:
>
> ExtendedSSLSession
> public List getReceivedApplicationProtocols() {
>
> This will allow applications to examine which protocol names were
> sent.

This is a constant once the application protocols are received, so it
can be surely retrieved from SSLParameters.
I don't understand why it is replicated here ?

> SSLParameters
> mentions both ALPN/NPN as possible protocols.  I removed the
> discussion about "server" and "client" since ALPN/NPN essentially
> reverse the roles.
>
> mentions "appropriate character sets" for String-byte[] conversions
> such as UTF-8 for ALPN.
>
> The application protocol selector is now a @FunctionalInterface
> (i.e. lambda-ready) called SSLFunction.  It is to throw an
> SSLException if no values are supported, or null if you want to
> treat as an unknown extension.
>
> Defined constants for HTTP/1.1 and HTTP/2.
>
> SSLSession
>
> Called out that getHandshakeSession's ciphersuite may vary until
> selected.
>
> SSLBase
>
> A new marker interface that SSLEngine/SSLSocket will implement.
> This will allow for a single SSLFunction instead of having
> SSLFunctionSSLEngine and SSLFunctionSSLSocket.  It does require
> that the lambda do a instanceof, unless we were to move the common
> Socket/Engine APIs into this class.

I'm not sure about this one being a marker interface.
I could understand if it extracted the common functionality of
SSLEngine and SSLSocket, but a marker interface does not really add
much, and perhaps I would prefer it entirely gone.

On the same note, why is SSLFunction generic at all ?

Also, it is critical to detail how the mechanism work.
Will SSLFunction be invoked multiple times, or only once ? When,
exactly, with respect to cipher selection and alias selection ?

Example implementations for SSLFunction would be great to have: the
typical HTTP/2 case is to select the application protocol based on the
TLS protocol and the already negotiated cipher.

Thanks !

-- 
Simone Bordet
http://bordet.blogspot.com
---
Finally, no matter how good the architecture and design are,
to deliver bug-free software with optimal performance and reliability,
the implementation technique must be flawless.   Victoria Livschitz

Re: [9] Review request for 8072515: Test Task: Develop new tests for JEP 219: Datagram Transport Layer Security (DTLS)

[Konstantin Shefov]

Hi Xue-Lei

Thanks for reviewing! I will reduce the line size, make JPRT testing and 
push then.


-Konstantin

On 06/04/2015 04:57 AM, Xuelei Fan wrote:

Looks fine to me.

It's nice to keep each line not exceed 80 characters.  For example

-  * @run main/othervm -Dtest.security.protocol=DTLS -Dtest.mode=norm
DTLSBufferOverflowUnderflowTest
+  * @run main/othervm -Dtest.security.protocol=DTLS
+  * -Dtest.mode=norm DTLSBufferOverflowUnderflowTest

Thanks,
Xuelei

On 6/2/2015 8:15 PM, Konstantin Shefov wrote:

Hello,

Please review new tests fro DTLS feature for JDK 9:

bug: https://bugs.openjdk.java.net/browse/JDK-8072515
webrev: http://cr.openjdk.java.net/~kshefov/8072515/webrev.00/


Thanks
-Konstantin