Improve ALPN support about msquic HOT 5 CLOSED

The current design allows for multiple ALPNs to be used on the server side by creating multiple listeners in different sessions (one for each ALPN). Since each listener only registers for a single ALPN, you know which ALPN is negotiated based on which listener is given the NEW_CONNECTION. The AlpnList here is in TLS format, and does contain the full list.

Besides that, I generally agree with all your other statements. It's been on my TODO list for some time to clean up how we deal with ALPNs at the API layer.

from msquic.

The AlpnList here is in TLS format, and does contain the full list.

Great, that just need documentation then.

The current design allows for multiple ALPNs to be used on the server side by creating multiple listeners in different sessions (one for each ALPN). Since each listener only registers for a single ALPN, you know which ALPN is negotiated based on which listener is given the NEW_CONNECTION

Can you have multiple listeners on the same IP+port?

This model precludes allowing the server to make a dynamic decision about ALPNs after receiving the Client Hello, such as using a different ALPN depending on the SNI information.

from msquic.

Can you have multiple listeners on the same IP+port?

Yes, for the same process you can unlimited listeners (for different/unique ALPNs) on the same IP+port. We don't currently support cross-process sharing of the IP+port though.

This model precludes allowing the server to make a dynamic decision about ALPNs after receiving the Client Hello, such as using a different ALPN depending on the SNI information.

Correct. It is not a goal to be able to pick the ALPN as a result of the requested SNI. The listener is first chosen from the currently registered based on the connection's requested IP, UDP port and ALPN list. Once the listener is chosen, the NEW_CONNECTION event is delivered and then the listener can decide which certificate to provide. To add SNI to the mix would complicate the transport logic considerably.

from msquic.

Correct. It is not a goal to be able to pick the ALPN as a result of the requested SNI.

I understand that's the current design and we're not blocked by it, but expect customers to ask for dynamic ALPN at some point, they've already asked for every other setting to be dynamic.

What kind of diagnostics does the app get if a new connection does not match any registered ALPNs?

from msquic.

What kind of diagnostics does the app get if a new connection does not match any registered ALPNs?

The (server) app is not directly informed of any failed connection attempts due to requests for unregistered ALPNs. This follows the similar pattern of not informing the server of an attempt to connect to a UDP port it wasn't listening to.

I understand that's the current design and we're not blocked by it, but expect customers to ask for dynamic ALPN at some point, they've already asked for every other setting to be dynamic.

As far as supporting dynamic ALPN support, that would greatly complicate the design msquic currently has, and I'd push back hard until a real good reason for supporting this was provided.

from msquic.