Tom, On 11/4/19 17:16, Tom (AST) Watson wrote: > Yes, I understand about ALPN. Sorry I described in detail. > Unfortunately application #2 wants encrypted http2 (it is a go > program). Application #1 wants to talk in http2 (I can't change > that!) and it doesn't encrypt "naturally" (and I want to see what is > going on [Wireshark] as well) In looking further I might be able to > get application #2 to go plaintext (I found a pointer). Yes, it seems > that stunnel doesn't support ALPN, wishful thinking on my part > > Back to the salt mines. (*SIGH*)
How difficult would it be to enable HTTP/1.1 on that application #1? I've never seen an h2-only service before. h2 is more effective for web applications that make a lot of tiny requests (like small resources for pages, scripts, etc.). Most API-based services don't really get any benefit from using h2. -chris > -----Original Message----- From: stunnel-users > <[email protected]> On Behalf Of Christopher Schultz > Sent: Monday, November 4, 2019 13:59 To: [email protected] > Subject: [External] Re: [stunnel-users] Extensions when negotiating > TLS > > Tom, > > On 11/4/19 16:05, Tom (AST) Watson wrote: >> Well, I thought it would be "easy", but maybe not. I have an >> application (#1) that uses http2, and isn't encrypted. No problem >> here. Now I have another application (#2) that insists on using >> https to talk to application #1. So I gleefully setup stunnel to >> connect the two. Well, application #2 starts talking to stunnel >> with a "Client Hello" packet, and it includes an extension >> "Application Layer Protocol Extension" of "h2". > > This is called ALPN, and is a requirement for h2s. > >> While not versed in the minutia, I take this that the client >> (application #2) wants to talk "http2" to the server (application >> #1). > > Yep, pretty much. > >> OK, that is what I want. The problem is that stunnel doesn't >> respond with ANY "Application Layer Protocol Extension" indicating >> acceptance of this request in its "server hello". This means that >> application #2 fails in its negotiation. No joy! >> >> Now I know that application #1 will nicely talk http2, but how do I >> get stunnel to communicate this to application #2 (as encrypted >> http2). Am I missing something in my (pretty simple) configuration >> file? > > I can't find any references to stunnel supporting ALPN. You may be > (temporarily) out of luck, at least with stunnel. > > You mentioned that app #2 insists on encryption (great, usually). Is > there a requirement that it use h2? Or can it be configured to use > HTTP/1.1? > > -chris >
signature.asc
Description: OpenPGP digital signature
_______________________________________________ stunnel-users mailing list [email protected] https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
