Reminder that NPN is deprecated in 2015.
134 views
Skip to first unread message
Adam Langley
Nov 17, 2014, 2:24:04 PM11/17/14
to securi...@chromium.org
NPN[1] was the original TLS extension by which SPDY was negotiated. In
it's path through the IETF that need was met by ALPN[2], which is the
official method for negotiating HTTP/2.
At the moment, NPN is still supported by Chrome and by Google servers
and it's still possible to negotiate any ALPN protocol by using NPN. I
announced in March of 2013 that NPN would be deprecated in 2015
because, at the time, we didn't have security-dev for such
announcements.
This is just a reminder about that date, which applies to both Chrome
and Google servers. Sites and clients should be supporting ALPN at
this point.
[1] https://technotes.googlecode.com/git/nextprotoneg.html
[2] https://tools.ietf.org/html/rfc7301
[3] https://www.imperialviolet.org/2013/03/20/alpn.html
Cheers
AGL
it's path through the IETF that need was met by ALPN[2], which is the
official method for negotiating HTTP/2.
At the moment, NPN is still supported by Chrome and by Google servers
and it's still possible to negotiate any ALPN protocol by using NPN. I
announced in March of 2013 that NPN would be deprecated in 2015
because, at the time, we didn't have security-dev for such
announcements.
This is just a reminder about that date, which applies to both Chrome
and Google servers. Sites and clients should be supporting ALPN at
this point.
[1] https://technotes.googlecode.com/git/nextprotoneg.html
[2] https://tools.ietf.org/html/rfc7301
[3] https://www.imperialviolet.org/2013/03/20/alpn.html
Cheers
AGL
Bence Béky
Nov 17, 2014, 2:45:38 PM11/17/14
to Adam Langley, securi...@chromium.org
Hi Adam,
Thanks for reminding us about the NPN deprecation schedule. FYI David
Benjamin and I implemented a UMA histogram called
Net.SSLProtocolNegotiation that tracks NPN/ALPN usage and the protocol
negotiated as seen from the Chromium side. (It is a 2D histogram
flattened out to 1D.) Unfortunately NPN still seems to be widely
used, but I really hope it will change soon. I'm all up for
deprecating NPN!
Cheers,
Bence
Thanks for reminding us about the NPN deprecation schedule. FYI David
Benjamin and I implemented a UMA histogram called
Net.SSLProtocolNegotiation that tracks NPN/ALPN usage and the protocol
negotiated as seen from the Chromium side. (It is a 2D histogram
flattened out to 1D.) Unfortunately NPN still seems to be widely
used, but I really hope it will change soon. I'm all up for
deprecating NPN!
Cheers,
Bence
Alex Gaynor
Nov 17, 2014, 3:08:26 PM11/17/14
to Bence Béky, Adam Langley, securi...@chromium.org
Hi Folks,
One of the major blockers to websites (that aren't run by Google ;-)) offering ALPN is the fact that it's not actually in a released version of OpenSSL. I'm not aware of a published release schedule for OpenSSL 1.0.2 -- has any thought been given to deferring the NPN removal in Chrome until an OpenSSL release is available.
One of the major blockers to websites (that aren't run by Google ;-)) offering ALPN is the fact that it's not actually in a released version of OpenSSL. I'm not aware of a published release schedule for OpenSSL 1.0.2 -- has any thought been given to deferring the NPN removal in Chrome until an OpenSSL release is available.
Alex
To unsubscribe from this group and stop receiving emails from it, send an email to security-dev+unsubscribe@chromium.org.
Chris Bentzel
Nov 17, 2014, 3:25:44 PM11/17/14
to Alex Gaynor, net-dev, Bence Béky, Adam Langley, security-dev
Adam Langley
Nov 18, 2014, 2:16:31 PM11/18/14
to Alex Gaynor, Bence Béky, securi...@chromium.org
On Mon, Nov 17, 2014 at 12:08 PM, Alex Gaynor <alex....@gmail.com> wrote:
> One of the major blockers to websites (that aren't run by Google ;-))
> offering ALPN is the fact that it's not actually in a released version of
> OpenSSL. I'm not aware of a published release schedule for OpenSSL 1.0.2 --
> has any thought been given to deferring the NPN removal in Chrome until an
> OpenSSL release is available.
I'm hoping that OpenSSL 1.0.2 will be released quite soon.
> One of the major blockers to websites (that aren't run by Google ;-))
> offering ALPN is the fact that it's not actually in a released version of
> OpenSSL. I'm not aware of a published release schedule for OpenSSL 1.0.2 --
> has any thought been given to deferring the NPN removal in Chrome until an
> OpenSSL release is available.
I've got lots of things to do so it's not like I'll be working on Jan
1st to remove NPN support, but this is notice that anyone depending on
it really needs to be thinking about ALPN.
If 1.0.2 is delayed then I'll probably hold off on removing NPN
support for a bit because the aim isn't to cause a mess.
Cheers
AGL
Adam Langley
Dec 1, 2014, 3:15:39 PM12/1/14
to Chris Bentzel, Alex Gaynor, net-dev, Bence Béky, security-dev
Dear all,
Based on feedback we might reconsider this schedule. The March 2013
version of me might have been too optimistic.
I'll update this thread when we have more news. For now, if still
using NPN, don't panic.
Cheers
AGL
Based on feedback we might reconsider this schedule. The March 2013
version of me might have been too optimistic.
I'll update this thread when we have more news. For now, if still
using NPN, don't panic.
Cheers
AGL
Reply all
Reply to author
Forward
0 new messages