diff options
| author | tb <> | 2025-04-30 13:50:50 +0000 |
|---|---|---|
| committer | tb <> | 2025-04-30 13:50:50 +0000 |
| commit | 57fbc2fcc87151c9659e9408fe1bdd5dd553f16e (patch) | |
| tree | 68bc21d0a48df674b4af12a7c63c4ad62eb45f8b | |
| parent | c2fc132851c07f7761eae31f7a9e2d0393a48192 (diff) | |
| download | openbsd-57fbc2fcc87151c9659e9408fe1bdd5dd553f16e.tar.gz openbsd-57fbc2fcc87151c9659e9408fe1bdd5dd553f16e.tar.bz2 openbsd-57fbc2fcc87151c9659e9408fe1bdd5dd553f16e.zip | |
tlsext: stop sending SNI before ALPN in clients
All supported releases of LibreSSL ensure that the corresponding callbacks
are called in a predefined order rather than honoring the order in which a
client sends its extensions. Therefore the ALPN callback for apache-httpd's
virtual host setups can rely on SNI information being available and we no
longer need to work around this on hte client side. Cuts the amount of code
needed for tlsext randomization in half.
ok jsing
| -rw-r--r-- | src/lib/libssl/ssl_tlsext.c | 25 |
1 files changed, 1 insertions, 24 deletions
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c index 08bf5593ec..57efb75d32 100644 --- a/src/lib/libssl/ssl_tlsext.c +++ b/src/lib/libssl/ssl_tlsext.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_tlsext.c,v 1.154 2024/07/09 12:27:27 beck Exp $ */ | 1 | /* $OpenBSD: ssl_tlsext.c,v 1.155 2025/04/30 13:50:50 tb Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> |
| 4 | * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> | 4 | * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> |
| @@ -2410,7 +2410,6 @@ tlsext_randomize_build_order(SSL *s) | |||
| 2410 | { | 2410 | { |
| 2411 | const struct tls_extension *psk_ext; | 2411 | const struct tls_extension *psk_ext; |
| 2412 | size_t idx, new_idx; | 2412 | size_t idx, new_idx; |
| 2413 | size_t alpn_idx = 0, sni_idx = 0; | ||
| 2414 | 2413 | ||
| 2415 | free(s->tlsext_build_order); | 2414 | free(s->tlsext_build_order); |
| 2416 | s->tlsext_build_order_len = 0; | 2415 | s->tlsext_build_order_len = 0; |
| @@ -2433,28 +2432,6 @@ tlsext_randomize_build_order(SSL *s) | |||
| 2433 | s->tlsext_build_order[new_idx] = &tls_extensions[idx]; | 2432 | s->tlsext_build_order[new_idx] = &tls_extensions[idx]; |
| 2434 | } | 2433 | } |
| 2435 | 2434 | ||
| 2436 | /* | ||
| 2437 | * XXX - Apache2 special until year 2025: ensure that SNI precedes ALPN | ||
| 2438 | * for clients so that virtual host setups work correctly. | ||
| 2439 | */ | ||
| 2440 | |||
| 2441 | if (s->server) | ||
| 2442 | return 1; | ||
| 2443 | |||
| 2444 | for (idx = 0; idx < N_TLS_EXTENSIONS; idx++) { | ||
| 2445 | if (s->tlsext_build_order[idx]->type == TLSEXT_TYPE_alpn) | ||
| 2446 | alpn_idx = idx; | ||
| 2447 | if (s->tlsext_build_order[idx]->type == TLSEXT_TYPE_server_name) | ||
| 2448 | sni_idx = idx; | ||
| 2449 | } | ||
| 2450 | if (alpn_idx < sni_idx) { | ||
| 2451 | const struct tls_extension *tmp; | ||
| 2452 | |||
| 2453 | tmp = s->tlsext_build_order[alpn_idx]; | ||
| 2454 | s->tlsext_build_order[alpn_idx] = s->tlsext_build_order[sni_idx]; | ||
| 2455 | s->tlsext_build_order[sni_idx] = tmp; | ||
| 2456 | } | ||
| 2457 | |||
| 2458 | return 1; | 2435 | return 1; |
| 2459 | } | 2436 | } |
| 2460 | 2437 | ||