New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto/tls: remove NPN support #28362

Open
FiloSottile opened this Issue Oct 24, 2018 · 4 comments

Comments

Projects
None yet
4 participants
@FiloSottile
Member

FiloSottile commented Oct 24, 2018

NPN, the Next Protocol Negotiation extension, is specified by a draft expired 6 years ago and has been replaced by ALPN, which we also support. We should look at the NPN usage in the ecosystem and remove support for it.

@FiloSottile FiloSottile added this to the Go1.12 milestone Oct 24, 2018

@FiloSottile FiloSottile self-assigned this Oct 24, 2018

@bradfitz

This comment has been minimized.

Member

bradfitz commented Oct 24, 2018

Do the Chrome ULA or Firefox Telemetry dashboards have data on whether NPN or ALPN was used to initiate HTTP/2?

Actually, now I forget the protocol details enough to know whether the client side can even detect whether the server used one vs the other in its decision making process.

Looking at https://telemetry.mozilla.org/dashboard-generator/index.html and adding SPDY_NPN_CONNECT (if that's the right number) + "Add to Dashboard" + "Generate Dashboard" it says 33.12%. Does that mean one third of HTTP/2 is over NPN instead of ALPN? If so, sounds like we shouldn't remove it yet.

/cc @agl too

@agl

This comment has been minimized.

Contributor

agl commented Oct 27, 2018

I wonder what SPDY_NPN_CONNECT actually means, given that there's no ALPN version of the same.

As a server, our internal data suggests that NPN is very nearly ready to remove. The only exceptions are some gRPC clients using old versions of OpenSSL. (gRPC clients, unlike HTTP clients, are dead in the water if they don't get HTTP/2.)

As a client, I don't have great data off-hand, but I would expect that it would be fine to remove.

@davidben

This comment has been minimized.

Contributor

davidben commented Nov 25, 2018

On the client, Firefox and Chrome removed NPN in April 2017, and April 2016, respectively, so presumably metrics from both are zero at this point. :-) I can only assume SPDY_NPN_CONNECT does not actually imply NPN.

@davidben

This comment has been minimized.

Contributor

davidben commented Nov 25, 2018

Also gone from Edge/IE on Windows 10 it seems.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment