  1. Apr 11, 2017
    • Allow an ALPN callback to pretend to not exist · a504540f
      Benjamin Kaduk authored
      RFC 7301 mandates that the server SHALL respond with a fatal
      "no_application_protocol" alert when there is no overlap between
      the client's supplied list and the server's list of supported protocols.
      In commit 06217867 we changed from
      ignoring non-success returns from the supplied alpn_select_cb() to
      treating such non-success returns as indicative of non-overlap and
      sending the fatal alert.
      
      In effect, this is using the presence of an alpn_select_cb() as a proxy
      to attempt to determine whether the application has configured a list
      of supported protocols.  However, there may be cases in which an
      application's architecture leads it to supply an alpn_select_cb() but
      have that callback be configured to take no action on connections that
      do not have ALPN configured; returning SSL_TLSEXT_ERR_NOACK from
      the callback would be the natural way to do so.  Unfortunately, the
      aforementioned behavior change also treated SSL_TLSEXT_ERR_NOACK as
      indicative of no overlap and terminated the connection; this change
      supplies special handling for SSL_TLSEXT_ERR_NOACK returns from the
      callback.  In effect, it provides a way for a callback to obtain the
      behavior that would have occurred if no callback was registered at
      all, which was not possible prior to this change.
      
      Reviewed-by: Matt Caswell <matt@openssl.org>
      Reviewed-by: Rich Salz <rsalz@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/3158)
      (cherry picked from commit 8313a787)
  2. Apr 10, 2017
  3. Apr 08, 2017
  4. Apr 07, 2017
  5. Apr 06, 2017
  6. Apr 04, 2017
  7. Apr 03, 2017
  8. Apr 02, 2017
  9. Apr 01, 2017
  10. Mar 31, 2017
  11. Mar 30, 2017
  12. Mar 29, 2017
  13. Mar 28, 2017
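
The three callback outcomes discussed in the a504540f commit message above, as an added example that is not OpenSSL's code and not part of the original page. All `ex_`/`EX_` names are hypothetical; the three error constants carry the same values as OpenSSL's `SSL_TLSEXT_ERR_OK`, `SSL_TLSEXT_ERR_ALERT_FATAL` and `SSL_TLSEXT_ERR_NOACK`, and `ex_handle` is a simplified model of the server-side handling the message describes.

```c
#include <stddef.h>
#include <string.h>

/* Local stand-ins carrying the same values as OpenSSL's SSL_TLSEXT_ERR_* macros. */
enum { EX_ERR_OK = 0, EX_ERR_ALERT_FATAL = 2, EX_ERR_NOACK = 3 };
enum ex_outcome { EX_NO_ALPN, EX_SELECTED, EX_FATAL_ALERT };

/* Hypothetical per-listener config; protos is trusted and in ALPN wire
 * format (1-byte length followed by the name, repeated). */
struct ex_listener { const unsigned char *protos; size_t len; };

/* Same argument shape as an alpn_select_cb, minus the SSL pointer. */
int ex_alpn_select(const unsigned char **out, unsigned char *outlen,
                   const unsigned char *in, size_t inlen, void *arg)
{
    const struct ex_listener *cfg = arg;
    size_t i, j;

    if (cfg == NULL || cfg->len == 0)
        return EX_ERR_NOACK;          /* no ALPN here: act as if unregistered */
    for (i = 0; i < inlen; i += 1 + (size_t)in[i])   /* validate peer input */
        if (in[i] == 0 || in[i] > inlen - i - 1)
            return EX_ERR_ALERT_FATAL;
    for (j = 0; j < cfg->len; j += 1 + (size_t)cfg->protos[j])   /* server order */
        for (i = 0; i < inlen; i += 1 + (size_t)in[i])
            if (in[i] == cfg->protos[j]
                && memcmp(in + i + 1, cfg->protos + j + 1, in[i]) == 0) {
                *out = in + i + 1;
                *outlen = in[i];
                return EX_ERR_OK;
            }
    return EX_ERR_ALERT_FATAL;        /* configured, but no overlap */
}

/* Model of the server-side handling the commit message describes. */
enum ex_outcome ex_handle(int cb_ret)
{
    if (cb_ret == EX_ERR_OK) return EX_SELECTED;
    if (cb_ret == EX_ERR_NOACK) return EX_NO_ALPN;   /* handshake continues */
    return EX_FATAL_ALERT;            /* no_application_protocol */
}

/* Constructed driver: both lists given as C strings in wire format. */
enum ex_outcome ex_negotiate(const char *server, const char *client)
{
    struct ex_listener cfg = { (const unsigned char *)server, strlen(server) };
    const unsigned char *sel = NULL;
    unsigned char sel_len = 0;
    return ex_handle(ex_alpn_select(&sel, &sel_len,
                     (const unsigned char *)client, strlen(client), &cfg));
}
```

Passing an empty server list to `ex_negotiate` exercises the NOACK path; a client list with a length byte that overruns the buffer is rejected before any comparison.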