[TLS] ALPN or NPN ?
ALPN and NPN look very similar. Nevertheless, they have a different impact on performance and on the complexity of migration scenarios.
More and more applications are being migrated over TLS. Consequently, reverse proxies have to deal with increasingly complex situations and need to know the application protocol in order to steer incoming TLS sessions toward the right servers. ALPN is very efficient because, with ALPN, a reverse proxy can start resource selection immediately after processing the ClientHello. NPN is less efficient, as the reverse proxy has to wait for an additional TLS exchange before it can initiate the resource.
More and more applications are being partially or totally virtualized and carried over TLS. In these cases, reverse proxies rely on information such as Server Name Indication to select the server credential to return in the ServerHello. There are situations where selecting the server credential requires knowledge of both the Server Name and the Application Protocol. ALPN and SNI provide this information in time, as both are carried in the ClientHello. This is not possible with NPN, as the Application Protocol is determined by the client after it receives the ServerHello.
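To make the difference concrete, the following is an added example (not code from the original post): a minimal ClientHello parser of the kind an ALPN-aware reverse proxy front end runs, which pulls the server_name and ALPN extensions out of the first flight and makes a routing decision on them alone. The ClientHello it parses is constructed inline by a small builder (not captured traffic), and the routing table is a hypothetical mapping of (server name, protocol) to a backend pool name. The NPN extension is included only to show that, in the ClientHello, it is empty: the client signals support but names no protocol, so a proxy has nothing to route on until after the ServerHello.

```python
import struct

# Extension type numbers from the IANA TLS ExtensionType registry.
EXT_SERVER_NAME = 0
EXT_ALPN = 16
EXT_NPN = 13172  # next_protocol_negotiation (0x3374), never standardized


def build_client_hello(server_name, alpn_protocols, offer_npn=False):
    """Construct a minimal TLS 1.2 ClientHello record (constructed test input)."""
    host = server_name.encode("ascii")
    # server_name: ServerNameList length, name_type 0 (host_name), name length, name
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    if alpn_protocols:
        # ALPN: ProtocolNameList length, then length-prefixed protocol names
        protos = b"".join(bytes([len(p)]) + p.encode("ascii") for p in alpn_protocols)
        alpn_list = struct.pack("!H", len(protos)) + protos
        ext += struct.pack("!HH", EXT_ALPN, len(alpn_list)) + alpn_list
    if offer_npn:
        # NPN in the ClientHello is an empty extension: support is signalled, no protocol named
        ext += struct.pack("!HH", EXT_NPN, 0)
    body = (
        b"\x03\x03"                            # client_version TLS 1.2
        + bytes(range(32))                     # random (fixed bytes, constructed)
        + b"\x00"                              # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite
        + b"\x01\x00"                          # compression_methods: null only
        + struct.pack("!H", len(ext)) + ext
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return the routing hints (SNI, ALPN list, NPN offered) present in a ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                     # skip client_version and random
    pos += 1 + body[pos]                             # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                             # compression_methods
    hints = {"sni": None, "alpn": [], "npn_offered": False}
    if pos + 2 > len(body):
        return hints                                 # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        raise ValueError("extensions block overruns ClientHello body")
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if len(data) != elen:
            raise ValueError("truncated extension")
        if etype == EXT_SERVER_NAME:
            p = 2                                    # skip ServerNameList length
            while p + 3 <= len(data):
                ntype = data[p]
                nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
                p += 3
                name = data[p:p + nlen]
                p += nlen
                if ntype == 0 and hints["sni"] is None:
                    hints["sni"] = name.decode("ascii")
        elif etype == EXT_ALPN:
            p = 2                                    # skip ProtocolNameList length
            while p < len(data):
                plen = data[p]
                p += 1
                hints["alpn"].append(data[p:p + plen].decode("ascii"))
                p += plen
        elif etype == EXT_NPN:
            hints["npn_offered"] = True              # nothing more to learn until the ServerHello
    return hints


def select_backend(hints, routing_table):
    """Pick a backend from (SNI, ALPN) after the ClientHello alone, in the client's preference order."""
    for proto in hints["alpn"]:
        backend = routing_table.get((hints["sni"], proto))
        if backend is not None:
            return backend
    return None   # no ALPN (e.g. NPN-only client): the decision has to wait for a later exchange


if __name__ == "__main__":
    table = {("www.example.com", "h2"): "h2-pool",
             ("www.example.com", "http/1.1"): "legacy-pool"}   # hypothetical routing table
    hints = parse_client_hello(build_client_hello("www.example.com", ["h2", "http/1.1"], offer_npn=True))
    print(hints, "->", select_backend(hints, table))
```

With both SNI and ALPN in the ClientHello, `select_backend` can choose a pool from the first record read off the socket; with an NPN-only client the same function returns `None`, which is exactly the extra round trip the post describes.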
Source: http://www.ietf.org/mail-archive/web/tls/current/msg09272.html