ALPN support in SecureTransport

Starting from the iOS 11 (and macOS 10.13.x) SDKs, SecureTransport has an ALPN-related API, namely two functions, SSLSetALPNProtocols and SSLCopyALPNProtocols. On the client side things seem to be rather straightforward: you set a list of protocols, sorted by priority, and during the handshake you copy the selected one (if any). But for a server this API: a) looks a bit strange and incomplete (OpenSSL, for example, has a callback for this where you can select the desired protocol), b) is apparently just not implemented: whatever I do, my ServerHello sent via SecureTransport _never_ contains the ALPN extension, and the protocol (the single one) I set via SSLSetALPNProtocols is never sent to the client.

I'm not sure what the actual version of coreTLS it's using is, but looking at the code, it appears that SSLProcessClientHelloExtension simply ignores the ALPN extension (there is a switch statement on the different extensions). Interestingly enough, NPN (which has been superseded by ALPN) is handled in this code and would probably work ... Did somebody manage to make a server-side connection work with ALPN?
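The quickest way to confirm the symptom described above (a ServerHello with no ALPN extension, so the client's SSLCopyALPNProtocols comes back empty) is to look at the server's first handshake record on the wire rather than at the API. The following is an added example, not code from the thread or from Apple: a small Python parser for the TLS 1.2 ServerHello layout (RFC 5246) that extracts the extensions block and reports the protocol the server selected in the ALPN extension (type 16, RFC 7301), or None when the extension is absent. The `build_server_hello` helper only exists to construct sample records for offline use; in practice you would feed `selected_alpn` the first record captured from the server (for example with tcpdump) after the client sent its ClientHello with an `alpn` offer.

```python
import struct

HANDSHAKE_RECORD = 0x16      # TLS record content type: handshake
SERVER_HELLO = 0x02          # handshake message type: ServerHello
ALPN_EXTENSION_TYPE = 16     # RFC 7301 application_layer_protocol_negotiation
TLS12 = b"\x03\x03"


def server_hello_extensions(record: bytes) -> dict:
    """Parse one TLS 1.2 handshake record carrying a ServerHello and return
    its extensions as {extension_type: raw_extension_data}. An empty dict
    means the server sent no extensions block at all."""
    if len(record) < 5 or record[0] != HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != SERVER_HELLO:
        raise ValueError("handshake message is not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]

    pos = 2 + 32                      # skip server_version and random
    sid_len = hello[pos]
    pos += 1 + sid_len                # session_id
    pos += 2 + 1                      # cipher_suite, compression_method
    if pos >= len(hello):
        return {}                     # legal: extensions are optional

    (ext_total,) = struct.unpack("!H", hello[pos:pos + 2])
    pos += 2
    end = pos + ext_total
    extensions = {}
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        extensions[ext_type] = hello[pos:pos + ext_len]
        pos += ext_len
    return extensions


def selected_alpn(record: bytes):
    """Return the protocol name the server selected via ALPN, or None if the
    ServerHello carries no ALPN extension (the failure mode in the thread)."""
    data = server_hello_extensions(record).get(ALPN_EXTENSION_TYPE)
    if data is None:
        return None
    (list_len,) = struct.unpack("!H", data[:2])
    if list_len != len(data) - 2:
        raise ValueError("malformed ALPN extension length")
    name_len = data[2]
    # RFC 7301: the server's list MUST contain exactly one protocol name.
    if name_len != list_len - 1:
        raise ValueError("server ALPN list must contain exactly one protocol")
    return data[3:3 + name_len].decode("ascii")


def build_server_hello(selected: str = None, extra_extensions: bytes = b"") -> bytes:
    """Construct a minimal TLS 1.2 ServerHello record for testing (sample
    data only: zero random, empty session id, one fixed cipher suite)."""
    exts = extra_extensions
    if selected is not None:
        name = selected.encode("ascii")
        alpn = struct.pack("!H", len(name) + 1) + bytes([len(name)]) + name
        exts += struct.pack("!HH", ALPN_EXTENSION_TYPE, len(alpn)) + alpn
    hello = TLS12 + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"
    if exts:
        hello += struct.pack("!H", len(exts)) + exts
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE_RECORD]) + TLS12 + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    # Constructed samples: a server that negotiates h2, and one that stays silent.
    print("negotiating server:", selected_alpn(build_server_hello("h2")))
    print("silent server:     ", selected_alpn(build_server_hello()))
```

If `selected_alpn` returns None for a real capture while the ClientHello carried an ALPN extension, the server side did not participate in the negotiation at all, which is exactly what the client's empty SSLCopyALPNProtocols result means; a non-None value that is not in the client's offered list would instead point at a broken server-side choice.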

Accepted Reply

My best guess here is that this simply isn’t implemented. However, I can’t do a proper investigation in the context of DevForums. If you open a DTS tech support incident I should be able to get a definitive answer.

ps Are you using Secure Transport over a custom protocol? Or over TCP?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Replies


> If you open a DTS tech support incident I should be able to get a definitive answer.

Ok, will do, thanks for your reply. Yes, I'm using SecureTransport over TCP and I need ALPN to negotiate the 'h2' protocol. While my client can do this (for example, connecting to google.com), my server fails this negotiation.

What was the reply? I think I'm hitting the same issue.

For those reading along at home, see this thread.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"