tls: remove Next Protocol Negotiation? [rfc]

[bnoordhuis]

Rationale: NPN has been superseded by ALPN. Chrome dropped support a year ago in Chrome 51. It's not needed for HTTP/2.

Strawman proposal:

• deprecate tls.convertNPNProtocols() in node 9 (or now - it's undocumented)
• warn on NPNProtocols option or access of .npnProtocol property in node 9?
• remove in node 10

Backwards compatibility concerns:

• OpenSSL < 1.0.2 supports NPN but not ALPN. Doesn't affect Node.js itself but there might be interoperability issues with TLS-based services that are linked to obsolete versions of OpenSSL.

Chrome already paved the way, though. I don't see it as a serious concern.

cc @nodejs/security

[mscdex]

Do we know about support for NPN (without ALPN) by the rest of the ecosystem (e.g. browsers, popular web servers, etc.)?

I'd be hesitant to remove it yet since web standards adoption tend to lag a fair amount. FWIW the RFC for ALPN was first published in 2014.

[bnoordhuis]

NPN is only two years older. The fact that Chrome hasn't supported it since mid-2016 is IMO a good indicator that it's not used much.

[shigeki]

Firefox(NSS) has already disabled NPN. https://hg.mozilla.org/projects/nss/rev/24581a36b2bb
Safari and IE are now still using NPN and both are also supporting ALPN so we need not to worry about them.

The only affected thing is that some old versions of distributions (e.g. RHEL) still have OpenSSL-1.0.1 with their own backports even it is EOLS. But I think that we cannot care about their each product life cycles for the date when NPN support ends.

I agree removing NPN and prefer to start from the documentation-only deprecation in Node-v9.

[jasnell]

+1 to a docs-only deprecation of NPN in 9.x, followed potentially by a runtime deprecation in 10.x.

[bnoordhuis]

Yeah, no, that's not what I'm proposing; that would mean NPN stays around until 2021 because of node 10's LTS status. That's not a good thing for a deprecated protocol.

[jasnell]

A case could definitely be made for a more aggressive schedule and the point about 10.x LTS is good. While it's not my preference, I'd be good with a runtime deprecation in 9.x and EOL on 10.x

[maclover7]

ping @bnoordhuis

[bnoordhuis]

We never seemed to reach real consensus here (but no real opposition either) so unless someone speaks up in the next 48-ish hours, I'll open a pull request removing NPN in Node.js 10.