<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>
<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">
<p style="color: #777777;">
<a href="https://gitlab.com/airtower-luna">Airtower</a>
commented:
</p>
<div style="">
<p dir="auto">Checking for ALPN to see if an incoming connection uses HTTPS is wrong. Many browsers do support ALPN because they also support HTTP/2, but an HTTP/1.1 client is correct in not sending ALPN (though it would be allowed to).</p>
<p dir="auto">As a matter of principle there is no reliable way to check the protocol inside a TLS connection as long as the encryption is secure. Things like ALPN, SNI, or even traffic patterns are only hints. People can also use those hints in unusual ways, in particular if someone wants to avoid your firewall, e.g. set up a server that accepts any ALPN so clients can look like HTTP clients to your firewall, and then still speak some other protocol inside TLS.</p>
</div>
</div>
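<p>Added example (not part of the original comment or of the GnuTLS code base): a Python sketch of a ClientHello inspector that treats ALPN as an advisory hint, so a client that sends no ALPN extension is reported as unknown rather than as non-HTTPS. The ClientHello bytes are constructed sample input, and the function names are hypothetical.</p>

```python
import struct
ALPN_EXT = 16  # ALPN extension type (RFC 7301)

def build_client_hello(alpn=None):
    """Construct a minimal TLS 1.2 ClientHello record (sample input, not a capture)."""
    exts = b""
    if alpn is not None:
        names = b"".join(bytes([len(p)]) + p.encode() for p in alpn)
        data = struct.pack("!H", len(names)) + names
        exts += struct.pack("!HH", ALPN_EXT, len(data)) + data
    body = (b"\x03\x03" + bytes(32)            # client_version, random
            + b"\x00"                          # empty session_id
            + b"\x00\x02\xc0\x2f"              # one cipher suite
            + b"\x01\x00"                      # null compression only
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def alpn_offered(record):
    """Return the ALPN names the client offered, or None if it sent no ALPN extension."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    i = 5 + 4 + 2 + 32                         # record hdr, handshake hdr, version, random
    i += 1 + record[i]                         # skip session_id
    i += 2 + int.from_bytes(record[i:i + 2], "big")  # skip cipher_suites
    i += 1 + record[i]                         # skip compression_methods
    if i == len(record):                       # hello without an extensions block
        return None
    end = i + 2 + int.from_bytes(record[i:i + 2], "big")
    i += 2
    while end - i >= 4:
        etype, elen = struct.unpack("!HH", record[i:i + 4])
        data = record[i + 4:i + 4 + elen]
        i += 4 + elen
        if etype == ALPN_EXT:
            names, j = [], 2                   # j skips the 2-byte list length
            while len(data) > j:
                n = data[j]
                names.append(data[j + 1:j + 1 + n].decode("ascii"))
                j += 1 + n
            return names
    return None

def protocol_hint(record):
    """Advisory label only: ALPN is optional and declared by the client."""
    offered = alpn_offered(record)
    if offered is None:
        return "unknown (no ALPN; may still be HTTP/1.1 over TLS)"
    return "client claims: " + ", ".join(offered)
```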
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #777;">
—
<br>
Reply to this email directly or <a href="https://gitlab.com/gnutls/gnutls/-/issues/951#note_301207154">view it on GitLab</a>.
</p>
</div>
</body>
</html>