tls: remove Next Protocol Negotiation? [rfc] #14602

Closed
bnoordhuis opened this issue Aug 2, 2017 · 9 comments
Labels
tls Issues and PRs related to the tls subsystem.

Comments

@bnoordhuis
Member

Rationale: NPN has been superseded by ALPN. Chrome dropped support a year ago in Chrome 51. It's not needed for HTTP/2.

Strawman proposal:

  • deprecate tls.convertNPNProtocols() in node 9 (or now - it's undocumented)
  • warn on NPNProtocols option or access of .npnProtocol property in node 9?
  • remove in node 10

Backwards compatibility concerns:

  • OpenSSL < 1.0.2 supports NPN but not ALPN. Doesn't affect Node.js itself but there might be interoperability issues with TLS-based services that are linked to obsolete versions of OpenSSL.

Chrome already paved the way, though. I don't see it as a serious concern.

cc @nodejs/security

@bnoordhuis added the discuss and tls labels on Aug 2, 2017
@mscdex
Contributor

mscdex commented Aug 2, 2017

Do we know about support for NPN (without ALPN) by the rest of the ecosystem (e.g. browsers, popular web servers, etc.)?

I'd be hesitant to remove it yet since web standards adoption tends to lag a fair amount. FWIW the RFC for ALPN was first published in 2014.

@bnoordhuis
Member Author

NPN is only two years older. The fact that Chrome hasn't supported it since mid-2016 is IMO a good indicator that it's not used much.

@shigeki
Contributor

shigeki commented Aug 3, 2017

Firefox (NSS) has already disabled NPN. https://hg.mozilla.org/projects/nss/rev/24581a36b2bb
Safari and IE are still using NPN now, and both also support ALPN, so we need not worry about them.

The only thing affected is that some old versions of distributions (e.g. RHEL) still have OpenSSL-1.0.1 with their own backports even though it is EOLS. But I think that we cannot care about each of their product life cycles for the date when NPN support ends.

I agree with removing NPN and prefer to start from the documentation-only deprecation in Node-v9.

@jasnell
Member

jasnell commented Aug 3, 2017

+1 to a docs-only deprecation of NPN in 9.x, followed potentially by a runtime deprecation in 10.x.

@bnoordhuis
Member Author

Yeah, no, that's not what I'm proposing; that would mean NPN stays around until 2021 because of node 10's LTS status. That's not a good thing for a deprecated protocol.

@jasnell
Member

jasnell commented Aug 3, 2017

A case could definitely be made for a more aggressive schedule and the point about 10.x LTS is good. While it's not my preference, I'd be good with a runtime deprecation in 9.x and EOL on 10.x

@maclover7
Contributor

ping @bnoordhuis

@Trott removed the discuss label on Mar 11, 2018
@bnoordhuis
Member Author

We never seemed to reach real consensus here (but no real opposition either) so unless someone speaks up in the next 48-ish hours, I'll open a pull request removing NPN in Node.js 10.

@bnoordhuis
Member Author

#19403

bnoordhuis added a commit to bnoordhuis/io.js that referenced this issue Mar 27, 2018
NPN has been superseded by ALPN.  Chrome and Firefox removed support for
NPN in 2016 and 2017 respectively to no ill effect.

Fixes: nodejs#14602
PR-URL: nodejs#19403
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
bnoordhuis added a commit to bnoordhuis/io.js that referenced this issue Mar 27, 2018
Fixes: nodejs#14602
PR-URL: nodejs#19403
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
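
The interoperability concern raised in this thread is peers that offer NPN but not ALPN. As an added example (not code from Node.js or from any participant above), the following Node.js function reads the extension list of a raw TLS ClientHello record and flags NPN-only clients, using extension type 16 for ALPN (RFC 7301) and 13172 for NPN. The function names and the sample bytes are constructed for illustration, and the parser assumes the whole ClientHello arrives in a single TLS record.

```javascript
const EXT_ALPN = 16;     // application_layer_protocol_negotiation (RFC 7301)
const EXT_NPN = 13172;   // next_protocol_negotiation (0x3374, NPN draft)

// Returns { alpn, npn } for a ClientHello record, or null if it cannot be parsed.
function negotiationOffered(record) {
  // Record header: type 22 (handshake); handshake type 1 (client_hello).
  if (record.length < 9 || record[0] !== 22 || record[5] !== 1) return null;
  try {
    const end = Math.min(record.length, 5 + record.readUInt16BE(3));
    let p = 5 + 4 + 2 + 32;                  // headers, client_version, random
    p += 1 + record.readUInt8(p);            // session_id
    p += 2 + record.readUInt16BE(p);         // cipher_suites
    p += 1 + record.readUInt8(p);            // compression_methods
    const found = { alpn: false, npn: false };
    if (p + 2 > end) return found;           // hello without an extensions block
    const extEnd = Math.min(end, p + 2 + record.readUInt16BE(p));
    for (p += 2; p + 4 <= extEnd; p += 4 + record.readUInt16BE(p + 2)) {
      const type = record.readUInt16BE(p);
      if (type === EXT_ALPN) found.alpn = true;
      if (type === EXT_NPN) found.npn = true;
    }
    return found;
  } catch (err) {
    return null;                             // truncated or malformed lengths
  }
}

// NPN-only peers are the ones that lose protocol negotiation once NPN is removed.
function classify(record) {
  const o = negotiationOffered(record);
  if (!o) return 'unparsed';
  if (o.npn && !o.alpn) return 'npn-only';
  return o.alpn ? 'alpn' : 'none';
}

// Constructed sample ClientHello (not captured traffic) with empty-bodied extensions.
function sampleClientHello(extTypes) {
  const u16 = (n) => Buffer.from([n >> 8, n & 255]);
  const exts = Buffer.concat(extTypes.map((t) => Buffer.concat([u16(t), u16(0)])));
  const body = Buffer.concat([
    u16(0x0303), Buffer.alloc(32),           // client_version TLS 1.2, random
    Buffer.from([0]),                        // empty session_id
    u16(2), u16(0xc02f),                     // one cipher suite
    Buffer.from([1, 0]),                     // null compression only
    u16(exts.length), exts,
  ]);
  const hs = Buffer.concat([Buffer.from([1, 0]), u16(body.length), body]);
  return Buffer.concat([Buffer.from([22, 3, 1]), u16(hs.length), hs]);
}
```

Counting `classify()` results over ClientHello records captured at a listener gives a measure of how many peers would be affected before NPN support is dropped.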