
JEP 244: TLS Application-Layer Protocol Negotiation Extension

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii" /><title>JEP 244: TLS Application-Layer Protocol Negotiation Extension</title><link rel="shortcut icon" href="/images/nanoduke.ico" /><link rel="stylesheet" type="text/css" href="/page.css" /><script type="text/javascript" src="/page.js"><noscript></noscript></script><style type="text/css" xml:space="preserve"> TABLE { border-collapse: collapse; padding: 0px; margin: 1em 0 1em 2em; } TR:first-child TH, TR:first-child TD { padding-top: 0; } TH, TD { padding: 0px; padding-top: .5ex; vertical-align: baseline; text-align: left; } TD + TD, TH + TH { padding-left: 1em; } TD:first-child, TH:first-child, TD.jep { text-align: right; } TABLE.head TD:first-child { font-style: italic; padding-left: 2em; white-space: nowrap; } PRE { padding-left: 2em; margin: 1ex 0; font-size: inherit; } TABLE PRE { padding-left: 0; margin: 0; } TABLE.jeps TD:first-child + TD, TABLE.jeps TD:first-child + TD + TD { padding-left: .5em; } TABLE.jeps TD:first-child, TABLE.jeps TD:first-child + TD, TABLE.jeps TD:first-child + TD + TD { font-size: smaller; } TABLE.jeps TD.cl { font-size: smaller; padding-right: 0; text-align: right; } TABLE.jeps TD.cm { font-size: smaller; padding-left: .1em; padding-right: .1em; } TABLE.jeps TD.cr { font-size: smaller; padding-left: 0; } TABLE.jeps TD.z { padding-left: 0; padding-right: 0; } TABLE.head TD { padding-top: 0; } </style></head><body><div id="main"><h1>JEP 244: TLS Application-Layer Protocol Negotiation Extension</h1><table class="head"><tr><td>Author</td><td>Vincent Ryan</td></tr><tr><td>Owner</td><td>Bradford 
Wetmore</td></tr><tr><td>Type</td><td>Feature</td></tr><tr><td>Scope</td><td>SE</td></tr><tr><td>Status</td><td>Closed&#8201;/&#8201;Delivered</td></tr><tr><td>Release</td><td>9</td></tr><tr><td>Component</td><td>security-libs&#8201;/&#8201;javax.net.ssl</td></tr><tr><td>Discussion</td><td>security dash dev at openjdk dot java dot net</td></tr><tr><td>Effort</td><td>S</td></tr><tr><td>Depends</td><td><a href="https://bugs.openjdk.org/browse/JDK-8144093">8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension </a></td></tr><tr><td>Relates to</td><td><a href="110">JEP 110: HTTP/2 Client (Incubator)</a></td></tr><tr><td></td><td><a href="https://bugs.openjdk.org/browse/JDK-8230977">8230977: JEP 244: TLS Application-Layer Protocol Negotiation Extension (Java SE 8)</a></td></tr><tr><td>Reviewed by</td><td>Brian Goetz, Sean Mullan</td></tr><tr><td>Endorsed by</td><td>Brian Goetz</td></tr><tr><td>Created</td><td>2014/01/08 14:49</td></tr><tr><td>Updated</td><td>2022/08/10 21:16</td></tr><tr><td>Issue</td><td><a href="https://bugs.openjdk.org/browse/JDK-8051498">8051498</a></td></tr></table><div class="markdown"><h2 id="Summary">Summary</h2> <p>Extend the <code>javax.net.ssl</code> package to support the TLS <a href="http://www.rfc-editor.org/rfc/rfc7301.txt">Application Layer Protocol Negotiation (ALPN) Extension</a>, which provides the means to negotiate an application protocol for a TLS connection.</p> <h2 id="Motivation">Motivation</h2> <p>In order to support TLS clients and servers wishing to use multiple application-layer protocols over the same transport-layer port, the ALPN extension allows a client to provide a list of the application-layer protocols it supports, in order of preference. 
A server can then select one of the advertised client protocols and tell the client which protocol will be used in the TLS connection.</p> <p>One important consumer of this TLS extension will be the <a href="http://openjdk.java.net/jeps/110">HTTP/2 client (JEP 110)</a>, which will implement <a href="http://www.rfc-editor.org/info/rfc7540">HTTP/2</a>.</p> <h2 id="Description">Description</h2> <p>This feature defines a public API to negotiate the application-layer protocols that can be transmitted over a given TLS connection. Protocol names are conveyed between client and server during the initial TLS handshake.</p> <p>A TLS application can use an extended <code>SSLParameters</code> class to get and set the list of application-layer protocols that it can support on a given connection. The TLS implementation also uses this class to retrieve the protocol names declared by the application.</p> <p>The default behavior is to select the server's most-preferred intersection value of the enabled application protocol values.</p> <p>Server applications can also externally scan the initial plaintext ClientHellos to select an appropriate ALPN protocol value for this connection. This decision might be made based on offered TLS protocols, ciphersuites, Server Name Indication values, etc. 
The server application can then:</p> <ul> <li>select one of the offered protocols if it will support it,</li> <li>decide the remotely offered and locally supported ALPN values are mutually exclusive, or</li> <li>ignore the extension completely.</li> </ul> <p>A server may alter connection parameters, such as the server certificate it advertises, based on which application protocols are available during the connection.</p> <p>After the SSL/TLS handshake has started, there are new methods on <code>SSLSocket/SSLEngine</code> that allow the application to query if an ALPN value has been selected yet (<code>getHandshakeApplicationProtocol()</code>).<br /> Once the TLS handshake has completed, an application can then examine which protocol has been negotiated using the <code>getApplicationProtocol()</code> method.</p> <p>The proposed design follows a similar API methodology used for the <a href="http://openjdk.java.net/jeps/114">Server Name Indication Extension (JEP 114)</a>, introduced in JDK 8, but differs in that ALPN values are tied to the connection, not the <code>SSLSession</code>.</p> <h2 id="Testing">Testing</h2> <ul> <li>Client-side implementations should be able to work with HTTP/2 and SPDY-capable web servers (<em>e.g.</em>, Apache/mod_spdy, Jetty, and possibly others). SPDY is becoming less important, as HTTP/2 is its very public replacement. SPDY implementations should become scarce very soon. We will certainly test using the new HTTP/2 client from JEP 110.</li> <li>Server-side implementations should be tested against well-known TLS client implementations capable of using ALPN (<em>e.g.</em>, GnuTLS, NSS, OpenSSL(beta), and Microsoft SChannel 8.1). We do not currently plan on introducing any server-side ALPN-enabled applications. 
Most testing here will be some simple TLS handshakes and checking the negotiated values.</li> </ul> </div></div><div id="footer"> &#169; 2025 Oracle Corporation and/or its affiliates <br /><a href="/legal/tou/">Terms of Use</a> &#183; License: <a href="/legal/gplv2+ce.html">GPLv2</a> &#183; <a href="https://www.oracle.com/us/legal/privacy/">Privacy</a> &#183; <a href="https://openjdk.org/legal/openjdk-trademark-notice.html">Trademarks</a></div></body></html>
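
Added example (not part of the JEP text or the JDK source): the three server outcomes listed in the Description, written against the Java 9 selector callback setHandshakeApplicationProtocolSelector, together with the client-side SSLParameters list and the post-handshake check. The class and helper names, SERVER_PREFS, the requireAlpn flag and the host example.test are assumptions for illustration; the engines are only configured here, no handshake is run.

```java
import java.util.List;
import java.util.function.BiFunction;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class AlpnSelectionDemo {
    // Assumed server policy for this example, most preferred first.
    static final List<String> SERVER_PREFS = List.of("h2", "http/1.1");

    // Selector contract: a protocol name selects it, null reports that the
    // offered and supported values are mutually exclusive (the handshake
    // fails), and "" ignores the ALPN extension.
    static String select(List<String> offered, boolean requireAlpn) {
        for (String p : SERVER_PREFS) {
            if (offered.contains(p)) return p; // server preference wins
        }
        return requireAlpn ? null : "";
    }

    static SSLEngine serverEngine(SSLContext ctx, boolean requireAlpn) {
        SSLEngine e = ctx.createSSLEngine();
        e.setUseClientMode(false);
        BiFunction<SSLEngine, List<String>, String> sel =
                (engine, offered) -> select(offered, requireAlpn);
        e.setHandshakeApplicationProtocolSelector(sel);
        return e;
    }

    static SSLEngine clientEngine(SSLContext ctx) {
        SSLEngine e = ctx.createSSLEngine("example.test", 443); // placeholder peer
        e.setUseClientMode(true);
        SSLParameters p = e.getSSLParameters();
        p.setApplicationProtocols(new String[] {"h2", "http/1.1"}); // client preference order
        e.setSSLParameters(p);
        return e;
    }

    // getApplicationProtocol(): null = not yet determined, "" = ALPN not used.
    // Comparing against the expected name rejects both of those states.
    static boolean negotiated(SSLEngine e, String expected) {
        return expected.equals(e.getApplicationProtocol());
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        serverEngine(ctx, true);
        SSLEngine client = clientEngine(ctx);
        System.out.println(select(List.of("http/1.1", "h2"), true)); // both offered, client order differs
        System.out.println(select(List.of("spdy/3"), true));         // no overlap, ALPN required
        System.out.println(select(List.of("spdy/3"), false).isEmpty()); // no overlap, ALPN optional
        System.out.println(negotiated(client, "h2"));                // queried before any handshake
    }
}
```

A client that requires a specific protocol should call a check like negotiated() after the handshake and close the connection when it fails, rather than falling back silently.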
