Dropping NPN seems like a bad idea. As far as I know neither Debian stable nor Ubuntu LTS currently ship an OpenSSL version that supports ALPN. This will make deploying HTTP/2 for smaller companies or individual developers much more complicated.
That is a heck of a short turn-around time (about one month) to upgrade the entire LTS install base. 12.04 is on LTS through late 2017 and 14.04 is on LTS through late 2019. I think it's reasonable to expect servers running those operating systems to stay in the wild through those time frames. I may be in the minority but I skipped 12.04 completely and upgraded my 10.04 servers to 14.04 just as 10.04 was going off LTS. This could get ugly!
> That is a heck of a short turn-around time (about one month) to upgrade the entire LTS install base.
I was merely pointing out that "Ubuntu LTS doesn't have a version of OpenSSL with ALPN support" was changing between now and that change. I wasn't suggesting that the entire LTS install base would be upgraded before that change (nor do I think that's relevant; lots of Ubuntu LTS servers presumably are not web servers for which this is relevant.)
In any case, that NPN and SPDY would be removed in favor of ALPN and HTTP/2 in "~early 2016" was announced on February 9, 2015. Not sure there are good excuses for people for whom this is a big deal being caught unprepared at this point.
> lots of Ubuntu LTS servers presumably are not web servers for which this is relevant
Well, not all web servers, only web servers terminating TLS. And really, not all TLS-terminating web servers, only TLS-terminating web servers advertising False Start.
In the context of a discussion about False Start-advertising, TLS-terminating web servers, when someone says something like "the entire LTS install base", it should be clear they mean "the entire LTS install base of False Start-advertising, TLS-terminating web servers". Verbosity can really kill a discussion, you know?
> Not sure there are good excuses for people for whom this is a big deal being caught unprepared at this point.
I hear what you're saying, but one of the main selling points of choosing an LTS release for your server operating system is so you don't have to chase after version upgrades to stay up-to-date with the common denominator. I don't think it's unreasonable to hope for this feature to be backported to OpenSSL in 12.04 and 14.04. Again, these versions are viable for several years yet.
I do, however, think it's unreasonable to expect that the operators of False Start-advertising, TLS-terminating web servers (just to be clear) can turn around OS upgrades within a month of an appropriate version (a .0 version, it's worth keeping in mind) becoming available in order to stay compatible with an emergent web standard. Google announcing that this change was going to happen at whatever time in the past apparently wasn't enough to spur on the underfunded and overworked Debian, OpenSSL, and Ubuntu contributors, and it's not clear why I, a lowly systems admin, should be required to bear the brunt of that gap. Short of ramping up on a pre-release version of Ubuntu 16.04 LTS in my environment or hacking away at OpenSSL myself there's not much I can personally do to be better-prepared for this breaking change. I suppose I will just have to block off my calendar for late April and early May!
9 comments
[ 2.0 ms ] story [ 33.7 ms ] threadSame article, without a 960 pixel circular logo at the top :)
My understanding is that Ubuntu 16.04 LTS will, which will be the current LTS version before this change for Chrome goes into effect.
I was merely pointing out that "Ubuntu LTS doesn't have a version of OpenSSL with ALPN support" was changing between now and that change. I wasn't suggesting that the entire LTS install base would be upgraded before that change (nor do I think that's relevant; lots of Ubuntu LTS servers presumably are not web servers for which this is relevant.)
In any case, that NPN and SPDY would be removed in favor of ALPN and HTTP/2 in "~early 2016" was announced on February 9, 2015. Not sure there are good excuses for people for whom this is a big deal being caught unprepared at this point.
Well, not all web servers, only web servers terminating TLS. And really, not all TLS-terminating web servers, only TLS-terminating web servers advertising False Start.
In the context of a discussion about False Start-advertising, TLS-terminating web servers, when someone says something like "the entire LTS install base", it should be clear they mean "the entire LTS install base of False Start-advertising, TLS-terminating web servers". Verbosity can really kill a discussion, you know?
> Not sure there are good excuses for people for whom this is a big deal being caught unprepared at this point.
I hear what you're saying, but one of the main selling points of choosing an LTS release for your server operating system is so you don't have to chase after version upgrades to stay up-to-date with the common denominator. I don't think it's unreasonable to hope for this feature to be backported to OpenSSL in 12.04 and 14.04. Again, these versions are viable for several years yet.
I do, however, think it's unreasonable to expect that the operators of False Start-advertising, TLS-terminating web servers (just to be clear) can turn around OS upgrades within a month of an appropriate version (a .0 version, it's worth keeping in mind) becoming available in order to stay compatible with an emergent web standard. Google announcing that this change was going to happen at whatever time in the past apparently wasn't enough to spur on the underfunded and overworked Debian, OpenSSL, and Ubuntu contributors, and it's not clear why I, a lowly systems admin, should be required to bear the brunt of that gap. Short of ramping up on a pre-release version of Ubuntu 16.04 LTS in my environment or hacking away at OpenSSL myself there's not much I can personally do to be better-prepared for this breaking change. I suppose I will just have to block off my calendar for late April and early May!