Re: New tunnel protocol

Willy - I think the intention is that this is used whether or not there 
is TLS in play, but that the ALPN token used in Tunnel-Protocol wouldn't 
match what is in the ALPN in any tunneled TLS (if any).

E.g. if tunneling SMTP over TLS, you'd advertise smtps in the 
Tunnel-Protocol header, and smtp in the ALPN field in the client helo in 

If tunneling SMTP, you'd just advertise smtp in the Tunnel-Protocol 
header.  So it's using the Tunnel-Protocol to describe possibly several 

I personally would prefer to separate it out so that a proxy can know 
the next layer is TLS regardless of what is transported over TLS.


------ Original Message ------
From: "Willy Tarreau" <>
To: "Martin Thomson" <>
Cc: "HTTP Working Group" <>
Sent: 27/01/2015 7:47:11 p.m.
Subject: Re: New tunnel protocol

>On Mon, Jan 26, 2015 at 04:00:16PM -0800, Martin Thomson wrote:
>>  On 25 January 2015 at 10:57, Willy Tarreau <> wrote:
>>  > OK, then maybe put ALPN in the header field's name to remove the
>>  > ambiguity, because there there's nothing that makes it obvious
>>  > that TLS is in use at all, and the name makes one think it's the
>>  > protocol being tunnelled which is named instead of the one inside
>>  > TLS.
>>  I've always considered the name on this draft to be weak. But I
>>  haven't found a name that I liked better.
>The name of the draft has little importance, you need one to start
>discussions, so by definition the contents may change over time.
>>  Please send suggestions.
>For the header field, I'd suggest : Tunnel-ALPN. That clearly covers
>your purpose of advertising the ALPN names registered at IANA.
>But like Amos and Adrien, I think that you're missing an opportunity
>to have a header field indicating what is transported when it's not
>TLS, and possibly to make it more flexible to indicate what is put
>on top of TLS. I understand the benefits of ALPN (given that it
>advertises a list of protocols to be negociated), as well as I'm
>pretty convinced about the benefits of indicating what is transported
>so that clients may help policy enforcement detect their protocol and
>validate it (eventhough I respect that it could be out of the scope
>of your proposal).
>At least, calling it Tunnel-ALPN or TLS-ALPN, or Tunnel-TLS-ALPN will
>serve your purpose and will not prevent anyone from proposing to
>address the other needs with another non-confusing header field name.

Received on Tuesday, 27 January 2015 09:02:12 UTC