From: "MartinBosslet (Martin Bosslet)"
Date: 2012-07-06T16:03:33+09:00
Subject: [ruby-core:46220] [ruby-trunk - Feature #6503] Support for the NPN extension to TLS/SSL

Issue #6503 has been updated by MartinBosslet (Martin Bosslet).

Category set to ext
Target version set to 2.0.0

> On 2012/07/06 3:23, igrigorik (Ilya Grigorik) wrote:
> > Issue #6503 has been updated by igrigorik (Ilya Grigorik).
>
> Hey guys, apologies about the wait.

No problem :)

> @Martin: I don't follow the IANA politics,
> but for what it's worth, I would consider it stable at this point. The support is there in OpenSSL, we have 50% of the browser market share using it to negotiate SPDY (Chrome + FF), and we have commercial vendors like F5, Akamai, and others supporting it.. :-)

Yes, and to be honest, I'm also in favor of the technology, just wanted to make sure that it's stable enough. But from what I saw, we could handle most of it transparently, OpenSSL does the heavy lifting - so even if there were major changes, they should only affect OpenSSL itself, but hopefully not the API exposing the feature.

> Also, just realized that I linked to wrong version earlier: http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-04

OK, thanks for the hint!

> As far as testing, this is a bit of a chicken and egg problem. There are no pure Ruby libraries that you can run this against.. For an integration test, you could try performing a handshake against a https://google.com server and test the TLS upgrade. I do have a pure Ruby spdy gem, but it needs a few updates (NPN support is the missing link, really): http://github.com/igrigorik/spdy

True. I also thought of directly testing against https://google.com, it's a fairly stable server ;) But I was wondering how internal policies are, is it sound to test against external URLs? Could some of the other devs please comment on this?

> Let me know how/if I can help.

Will do, thanks for your help! If nobody has major reservations, I would add support soon.

-Martin

----------------------------------------
Feature #6503: Support for the NPN extension to TLS/SSL
https://bugs.ruby-lang.org/issues/6503#change-27848

Author: igrigorik (Ilya Grigorik)
Status: Assigned
Priority: Normal
Assignee: MartinBosslet (Martin Bosslet)
Category: ext
Target version: 2.0.0

OpenSSL 1.0.1+ added support for Next Protocol Negotiation (NPN) extensions. A couple of relevant links:

- Google technical note: https://technotes.googlecode.com/git/nextprotoneg.html
- IETF draft: http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-02

NPN allows the client to negotiate the session protocol as part of the TLS handshake (ex, "http 1.1", or "spdy/v{1,2,3}"). To support SPDY we need NPN support within OpenSSL core in Ruby. The API is already implemented in OpenSSL 1.0.1+, so it's a matter of adding support in Ruby core.

Sister bug for Python 3.3: http://bugs.python.org/issue14204

--
http://bugs.ruby-lang.org/
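
The negotiation the issue describes, as an added example that is not part of the original thread or of Ruby's OpenSSL extension: a pure-Ruby model (no TLS involved) of the server's advertised protocol list in the length-prefixed encoding OpenSSL's NPN API uses, and of client-side selection in the style of OpenSSL's SSL_select_next_proto. The helper names and the sample protocol lists are assumptions made for illustration.

```ruby
# Added example: helper names and sample protocol names are constructed.

# Encode protocol names as 1-byte-length-prefixed strings.
def encode_protocols(names)
  names.map do |name|
    bytes = name.b
    unless (1..255).cover?(bytes.bytesize)
      raise ArgumentError, "protocol name must be 1..255 bytes"
    end
    [bytes.bytesize].pack("C") + bytes
  end.join.b
end

# Decode strictly: the list comes from the peer, so reject empty names
# and entries whose length byte runs past the end of the buffer.
def decode_protocols(wire)
  wire = wire.b
  names = []
  pos = 0
  while pos < wire.bytesize
    len = wire.getbyte(pos)
    raise ArgumentError, "zero-length name at offset #{pos}" if len.zero?
    if pos + 1 + len > wire.bytesize
      raise ArgumentError, "truncated name at offset #{pos}"
    end
    names << wire.byteslice(pos + 1, len)
    pos += 1 + len
  end
  names
end

# Client-side selection: walk the server's list in the server's order and
# take the first protocol the client also supports. With no overlap, fall
# back to the client's first protocol and report it, so the caller can
# decide whether continuing with the fallback is acceptable.
def select_protocol(server_wire, client_supported)
  raise ArgumentError, "client list is empty" if client_supported.empty?
  client = client_supported.map(&:b)
  match = decode_protocols(server_wire).find { |p| client.include?(p) }
  match ? [:negotiated, match] : [:no_overlap, client.first]
end
```

A caller that requires SPDY should treat `:no_overlap` as a failed negotiation rather than silently proceeding with the fallback protocol.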