[New-bugs-announce] [issue14204] Support for the NPN extension to TLS/SSL

Colin Marc report at bugs.python.org
Mon Mar 5 21:21:01 CET 2012

New submission from Colin Marc <colinmarc at gmail.com>:

Recent versions of OpenSSL (1.0.1 and greater) support a new extension to SSL/TLS called Next Protocol Negotiation, defined here: http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-02. 

The extension allows servers and clients to advertise which protocols they support (for example, both HTTP and SPDY) and then agree on one during the handshake according to a simple algorithm.

This patch to 2.7 adds support for the NPN extension via another parameter to ssl.wrap_socket, called 'npn_protocols', and by using the OpenSSL API. It should fail gracefully if the linked version of OpenSSL has no support for NPN, using a macro guard. Once the handshake is completed, SSLSocket.selected_protocol() returns whatever was agreed upon.

Although I included client/server tests with the patch, testing this functionality in real-life situations proved difficult. Google Chrome has SPDY and NPN functionality baked in, so I wrote a simple socket server that advertises SPDY/2 in addition to HTTP/1.1. Chrome, pointed at this server, correctly completed the handshake and started merrily sending SPDY control frames.

files: npn_patch.diff
keywords: patch
messages: 154973
nosy: colinmarc
priority: normal
severity: normal
status: open
title: Support for the NPN extension to TLS/SSL
type: enhancement
versions: Python 2.7
Added file: http://bugs.python.org/file24739/npn_patch.diff

Python tracker <report at bugs.python.org>
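The submission describes NPN's "simple algorithm" and the protocol lists the peers exchange, but the attached patch is not reproduced on this page. The following is an added, stand-alone Python illustration (not code from npn_patch.diff, and not the ssl module's API) of the draft's wire format and selection rule: each list is a sequence of one-byte-length-prefixed names, the client picks the first protocol the server advertised that it also supports, and falls back to its own first choice when there is no overlap, which is also how OpenSSL's SSL_select_next_proto behaves. The function and variable names are assumptions chosen for this example. (For reference, the API that eventually landed in Python 3.3 was SSLContext.set_npn_protocols() and SSLSocket.selected_npn_protocol(), rather than the wrap_socket parameter proposed here.)

```python
"""Stand-alone illustration of NPN (draft-agl-tls-nextprotoneg) encoding
and selection.  This is an added example, not the code from the patch
attached to issue14204; all names below are this example's own."""


def encode_protocol_list(protocols):
    """Encode protocol names into NPN wire format: each name is prefixed
    by a single length byte, so names are limited to 1..255 bytes."""
    out = bytearray()
    for name in protocols:
        raw = name.encode("ascii")
        if not 0 < len(raw) < 256:
            raise ValueError("protocol name must be 1..255 bytes: %r" % name)
        out.append(len(raw))
        out += raw
    return bytes(out)


def decode_protocol_list(data):
    """Parse a wire-format list back into names.  Zero-length entries and
    length bytes that run past the end of the buffer are rejected so a
    malformed peer list is reported instead of being silently misread."""
    names = []
    i = 0
    while i < len(data):
        n = data[i]
        i += 1
        if n == 0 or i + n > len(data):
            raise ValueError("malformed NPN protocol list at offset %d" % (i - 1))
        names.append(data[i:i + n].decode("ascii"))
        i += n
    return names


def select_next_protocol(server_wire, client_preferences):
    """Client-side selection rule from the draft: take the first protocol
    in the *server's* advertised list that the client also supports.  If
    nothing overlaps, fall back to the client's first protocol; the second
    element of the result is False in that case so callers can tell an
    agreed protocol from a unilateral fallback."""
    advertised = decode_protocol_list(server_wire)
    for name in advertised:
        if name in client_preferences:
            return name, True
    return client_preferences[0], False


def build_next_protocol_message(selected):
    """Body of the client's NextProtocol handshake message: the selected
    name (length-prefixed) followed by zero padding, sized per the draft so
    the total body length is a multiple of 32 bytes."""
    raw = selected.encode("ascii")
    padding_len = 32 - ((len(raw) + 2) % 32)
    return bytes([len(raw)]) + raw + bytes([padding_len]) + b"\x00" * padding_len


if __name__ == "__main__":
    # Constructed sample: a server offering SPDY/2 ahead of HTTP/1.1, as in
    # the test server described in the report.
    server_list = encode_protocol_list(["spdy/2", "http/1.1"])
    chosen, negotiated = select_next_protocol(server_list, ["http/1.1", "spdy/2"])
    print(chosen, negotiated)
    chosen, negotiated = select_next_protocol(server_list, ["http/1.0"])
    print(chosen, negotiated)
```

Note that the server's preference order, not the client's, decides the outcome when both lists overlap; a client listing "http/1.1" first still ends up on "spdy/2" against the sample server above.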
