Skip to content
  1. Apr 12, 2017
  2. Apr 11, 2017
  3. Apr 10, 2017
    • Pauli's avatar
    • Benjamin Kaduk's avatar
      Allow an ALPN callback to pretend to not exist · 8313a787
      Benjamin Kaduk authored
      RFC 7301 mandates that the server SHALL respond with a fatal
      "no_application_protocol" alert when there is no overlap between
      the client's supplied list and the server's list of supported protocols.
      In commit 06217867
      
       we changed from
      ignoring non-success returns from the supplied alpn_select_cb() to
      treating such non-success returns as indicative of non-overlap and
      sending the fatal alert.
      
      In effect, this is using the presence of an alpn_select_cb() as a proxy
      to attempt to determine whether the application has configured a list
      of supported protocols.  However, there may be cases in which an
      application's architecture leads it to supply an alpn_select_cb() but
      have that callback be configured to take no action on connections that
      do not have ALPN configured; returning SSL_TLSEXT_ERR_NOACK from
      the callback would be the natural way to do so.  Unfortunately, the
      aforementioned behavior change also treated SSL_TLSEXT_ERR_NOACK as
      indicative of no overlap and terminated the connection; this change
      supplies special handling for SSL_TLSEXT_ERR_NOACK returns from the
      callback.  In effect, it provides a way for a callback to obtain the
      behavior that would have occurred if no callback was registered at
      all, which was not possible prior to this change.
      
      Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
      Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/2570)
      8313a787