No no_application_protocol when server doesn't support any client protocol

No no_application_protocol when server doesn't support any client protocol

John Jiang
Hi,
Using 9.4.22.

My jetty server supports HTTP/2, including h2c and h2, and I tried the command below:
openssl s_client -alpn h3,h4 -connect host:port
For this case, per RFC 7301 section 3.2, the server shall alert fatal no_application_protocol.
But in my testing, the server raised warning user_canceled.
Is this a bug?

Thanks!

_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users
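
The check behind the question above, as an added example that is not part of the original thread and is not Jetty code: it decodes the ALPN list that `-alpn h3,h4` puts on the wire, applies the RFC 7301 section 3.2 selection rule, and compares a plaintext alert record against the alert the server owes. The byte strings are constructed samples, and the function names and the server preference order are assumptions.

```python
import struct

# TLS alert codes: user_canceled(90) is RFC 5246, no_application_protocol(120) is RFC 7301.
LEVELS = {1: "warning", 2: "fatal"}
DESCRIPTIONS = {90: "user_canceled", 120: "no_application_protocol"}

def parse_protocol_name_list(data):
    """Decode an ALPN ProtocolNameList: u16 list length, then u8-length-prefixed names."""
    if len(data) < 2 or struct.unpack_from("!H", data)[0] != len(data) - 2:
        raise ValueError("ProtocolNameList length mismatch")
    names, pos = [], 2
    while pos < len(data):
        n = data[pos]
        if n == 0 or pos + 1 + n > len(data):
            raise ValueError("bad ProtocolName length")
        names.append(data[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return names

def negotiate(server_prefs, client_list):
    """RFC 7301 section 3.2: pick the server's most preferred common protocol,
    or answer with a fatal no_application_protocol alert when there is none."""
    offered = parse_protocol_name_list(client_list)
    for proto in server_prefs:
        if proto in offered:
            return ("selected", proto)
    return ("alert", "fatal", "no_application_protocol")

def decode_alert(record):
    """Decode a plaintext TLS alert record: type 21, version, length 2, level, description."""
    if len(record) != 7 or record[0] != 21 or record[3:5] != b"\x00\x02":
        raise ValueError("not a plaintext alert record")
    return (LEVELS.get(record[5], record[5]), DESCRIPTIONS.get(record[6], record[6]))

def matches_rfc7301(server_prefs, client_list, observed_record):
    """True when the observed alert is the one negotiate() says the server owes."""
    expected = negotiate(server_prefs, client_list)
    return expected[0] == "alert" and decode_alert(observed_record) == expected[1:]

# Constructed sample data (not captured from a real server).
CLIENT_H3_H4 = b"\x00\x06\x02h3\x02h4"        # list sent by: openssl s_client -alpn h3,h4
SERVER_PREFS = ["h2", "h2c"]                  # assumed preference order for the server
REPORTED = bytes.fromhex("1503030002015a")    # warning user_canceled
REQUIRED = bytes.fromhex("15030300020278")    # fatal no_application_protocol

if __name__ == "__main__":
    print(decode_alert(REPORTED), matches_rfc7301(SERVER_PREFS, CLIENT_H3_H4, REPORTED))
    print(decode_alert(REQUIRED), matches_rfc7301(SERVER_PREFS, CLIENT_H3_H4, REQUIRED))
```
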
Re: No no_application_protocol when server doesn't support any client protocol

Glen Peterson
Hi John,

I was having similar issues and made a minimal sample project to debug my issues.  When I run it and issue:
$ openssl s_client -alpn h3,h4 -connect localhost:8443
in another terminal, I get:

...
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 872 bytes and written 403 bytes
Verification error: self signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
ALPN protocol: h3
Early data was not sent
Verify return code: 18 (self signed certificate)
---
read:errno=0

If that's what you wanted, you can see how I configured jetty here:

--
Glen K. Peterson
(828) 393-0081

Re: No no_application_protocol when server doesn't support any client protocol

John Jiang
Hi Glen,
Not sure I understand your point.
It looks like the application protocol was successfully negotiated in your case.
But that's not my case.
In my case, the negotiation should fail, but the alert would be fatal no_application_protocol instead of warning user_canceled.

Re: No no_application_protocol when server doesn't support any client protocol

Simone Bordet-3
In reply to this post by Glen Peterson
Glen,

On Tue, Nov 12, 2019 at 6:19 PM Glen Peterson <[hidden email]> wrote:

>
> Hi John,
>
> I was having similar issues and made a minimal sample project to debug my issues.  When I run it and issue:
> $ openssl s_client -alpn h3,h4 -connect localhost:8443
> in another terminal, I get:
>
> ...
> Peer signing digest: SHA256
> Peer signature type: ECDSA
> Server Temp Key: X25519, 253 bits
> ---
> SSL handshake has read 872 bytes and written 403 bytes
> Verification error: self signed certificate
> ---
> New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
> Server public key is 256 bit
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> ALPN protocol: h3
> Early data was not sent
> Verify return code: 18 (self signed certificate)
> ---
> read:errno=0

How did you support h3?

--
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.

Re: No no_application_protocol when server doesn't support any client protocol

Glen Peterson
I saw HTTP/2 and thought it might be related to some stuff I had worked on.  I guess I effectively posted a promotion for my test project, which I should not do.  I apologize.

My test project does not support h3.  I don't even know what h3 is.  Or h4 or h2c for that matter.  Maybe that's why I was so quick to gloss over that part.

Re: No no_application_protocol when server doesn't support any client protocol

Simone Bordet-3
Hi,

On Wed, Nov 13, 2019 at 2:32 PM Glen Peterson <[hidden email]> wrote:
>
> I saw HTTP/2 and thought it might be related to some stuff I had worked on.  I guess I effectively posted a promotion for my test project, which I should not do.  I apologize.

No need to apologize! This is the Jetty community and if you have a
Jetty related project there is no problem mentioning it.

FTR, this issue is being discussed in
https://github.com/eclipse/jetty.project/issues/4305.

Re: No no_application_protocol when server doesn't support any client protocol

Joakim Erdfelt-8
In reply to this post by Glen Peterson

> I saw HTTP/2 and thought it might be related to some stuff I had worked on.  I guess I effectively posted a promotion for my test project, which I should not do.  I apologize.
>
> My test project does not support h3.  I don't even know what h3 is.  Or h4 or h2c for that matter.  Maybe that's why I was so quick to gloss over that part.


The protocols "h3" and "h4" don't exist. 
They are made up. (to test the no_application_protocol behavior being reported here)

"h2c" is the HTTP/2 over clear-text TCP (as documented at https://tools.ietf.org/html/rfc7540#section-3.3 )

I personally don't see a use case for TLS + ALPN + "h2c", but hey, it exists.
(To me, when "h2c" is used, TLS + ALPN isn't involved)

- Joakim
 
