author | tb <> | 2021-09-10 09:25:29 +0000 |
---|---|---|
committer | tb <> | 2021-09-10 09:25:29 +0000 |
commit | 47a94cad06ffc8bf1c64c7870f0dc905ed8485e4 (patch) | |
tree | 2fcdf6ff9ae24aab6ae8fc69b1f46e80b647dd92 /src/lib/libssl/man | |
parent | d17eb2a4cbcb7c76bb5dd38f9d1c26044d64118f (diff) | |
download | openbsd-47a94cad06ffc8bf1c64c7870f0dc905ed8485e4.tar.gz openbsd-47a94cad06ffc8bf1c64c7870f0dc905ed8485e4.tar.bz2 openbsd-47a94cad06ffc8bf1c64c7870f0dc905ed8485e4.zip |
Do not ignore SSL_TLSEXT_ERR_FATAL from the ALPN callback
As reported by Jeremy Harris, we inherited a strange behavior from
OpenSSL, in that we ignore the SSL_TLSEXT_ERR_FATAL return from the
ALPN callback. RFC 7301, 3.2 states: 'In the event that the server
supports no protocols that the client advertises, then the server
SHALL respond with a fatal "no_application_protocol" alert.'
Honor this requirement and succeed only on SSL_TLSEXT_ERR_{OK,NOACK},
which is the current behavior of OpenSSL. The documentation change
is taken from OpenSSL 1.1.1 as well.
As pointed out by jsing, there is more to be fixed here:
- ensure that the same protocol is selected on session resumption
- should the callback be called even if no ALPN extension was sent?
- ensure for TLSv1.2 and earlier that the SNI has already been processed
ok beck jsing
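The commit message above distinguishes three outcomes of the ALPN selection callback: a protocol was chosen, the server has nothing configured, or both sides have lists with no overlap, which RFC 7301 section 3.2 says must end in a fatal no_application_protocol alert. The following is an added example, not LibreSSL or OpenBSD code, showing that selection logic over the ALPN wire format (a sequence of one-byte-length-prefixed protocol names). The `enum alpn_result` values are local stand-ins for SSL_TLSEXT_ERR_OK, SSL_TLSEXT_ERR_NOACK and SSL_TLSEXT_ERR_ALERT_FATAL, the alert number 120 is the one RFC 7301 assigns to no_application_protocol, the sample lists are constructed, and the `honor_fatal` flag in `alpn_alert_for` only models the before/after behaviour the commit describes; none of these names exist in libssl.

```c
/* Added example, not LibreSSL/OpenBSD code: server-side ALPN selection with
 * the three outcomes the manual page documents. The result codes, the alert
 * number and the sample lists are local definitions (see the lead-in). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for SSL_TLSEXT_ERR_OK, SSL_TLSEXT_ERR_NOACK, SSL_TLSEXT_ERR_ALERT_FATAL. */
enum alpn_result {
    ALPN_OK,          /* protocol selected, handshake continues with ALPN */
    ALPN_NOACK,       /* nothing configured here, continue without ALPN */
    ALPN_ALERT_FATAL  /* protocols configured but no overlap, abort */
};

#define ALERT_NO_APPLICATION_PROTOCOL 120  /* RFC 7301, 3.2 */

/* Constructed sample lists in ALPN wire format: 1-byte length, then bytes. */
const uint8_t kServerList[] = { 2,'h','2', 8,'h','t','t','p','/','1','.','1' };
const uint8_t kClientOverlap[] = { 8,'h','t','t','p','/','1','.','1', 2,'h','2' };
const uint8_t kClientNoOverlap[] = { 3,'f','o','o' };
const uint8_t kClientMalformed[] = { 5,'a' };  /* length byte overruns the data */

/* 1 if `want` is in the list, 0 if not, -1 if the list is malformed. */
static int
alpn_list_contains(const uint8_t *in, size_t inlen, const uint8_t *want, size_t wlen)
{
    size_t i = 0;
    while (i < inlen) {
        size_t len = in[i];
        if (len == 0 || i + 1 + len > inlen)
            return -1;  /* empty or truncated entry */
        if (len == wlen && memcmp(in + i + 1, want, len) == 0)
            return 1;
        i += 1 + len;
    }
    return 0;
}

/* Pick the first server-preferred protocol that the client also offers. */
enum alpn_result
alpn_select(const uint8_t *server, size_t serverlen,
    const uint8_t *client, size_t clientlen, const uint8_t **out, uint8_t *outlen)
{
    size_t i = 0;
    *out = NULL;
    *outlen = 0;
    if (server == NULL || serverlen == 0)
        return ALPN_NOACK;  /* no ALPN configured for this connection */
    while (i < serverlen) {
        size_t len = server[i];
        if (len == 0 || i + 1 + len > serverlen)
            return ALPN_ALERT_FATAL;  /* misconfigured server list */
        switch (alpn_list_contains(client, clientlen, server + i + 1, len)) {
        case 1:
            *out = server + i + 1;
            *outlen = (uint8_t)len;
            return ALPN_OK;
        case -1:
            return ALPN_ALERT_FATAL;  /* malformed client list: refuse it */
        default:
            break;
        }
        i += 1 + len;
    }
    return ALPN_ALERT_FATAL;  /* both sides have lists but nothing overlaps */
}

/* Scratch outputs for the demo below (and for callers without their own). */
const uint8_t *g_out;
uint8_t g_outlen;

/* TLS alert to send for a callback result, or 0 to continue. honor_fatal == 0
 * models the behaviour the commit removes (fatal treated like NOACK). */
int
alpn_alert_for(enum alpn_result r, int honor_fatal)
{
    if (r == ALPN_ALERT_FATAL && honor_fatal)
        return ALERT_NO_APPLICATION_PROTOCOL;
    return 0;
}

int
main(void)
{
    enum alpn_result r = alpn_select(kServerList, sizeof(kServerList),
        kClientOverlap, sizeof(kClientOverlap), &g_out, &g_outlen);
    printf("overlap: code=%d selected=%.*s alert=%d\n", r, g_outlen,
        (const char *)g_out, alpn_alert_for(r, 1));
    r = alpn_select(kServerList, sizeof(kServerList),
        kClientNoOverlap, sizeof(kClientNoOverlap), &g_out, &g_outlen);
    printf("no overlap: code=%d alert=%d\n", r, alpn_alert_for(r, 1));
    return 0;
}
```

The two non-OK results are deliberately kept apart: `ALPN_NOACK` is the quiet case (the server simply has no ALPN configuration, so the handshake proceeds without the extension), while `ALPN_ALERT_FATAL` is the case the commit stops ignoring, where the client asked for ALPN and the server has protocols but none match. With `honor_fatal` set, `alpn_alert_for` maps only the latter to alert 120; with it cleared you get the old behaviour, where a mismatch silently degraded to "no ALPN" and a client expecting, say, HTTP/2 would have been left talking to a server that never agreed to it.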
Diffstat (limited to 'src/lib/libssl/man')
-rw-r--r-- | src/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3 | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/src/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3 b/src/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3 index 540fd011f5..683b6696e3 100644 --- a/src/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3 +++ b/src/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3 | |||
@@ -1,4 +1,4 @@ | |||
1 | .\" $OpenBSD: SSL_CTX_set_alpn_select_cb.3,v 1.7 2018/03/23 14:28:16 schwarze Exp $ | 1 | .\" $OpenBSD: SSL_CTX_set_alpn_select_cb.3,v 1.8 2021/09/10 09:25:29 tb Exp $ |
2 | .\" OpenSSL 87b81496 Apr 19 12:38:27 2017 -0400 | 2 | .\" OpenSSL 87b81496 Apr 19 12:38:27 2017 -0400 |
3 | .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 | 3 | .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 |
4 | .\" | 4 | .\" |
@@ -49,7 +49,7 @@ | |||
49 | .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED | 49 | .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED |
50 | .\" OF THE POSSIBILITY OF SUCH DAMAGE. | 50 | .\" OF THE POSSIBILITY OF SUCH DAMAGE. |
51 | .\" | 51 | .\" |
52 | .Dd $Mdocdate: March 23 2018 $ | 52 | .Dd $Mdocdate: September 10 2021 $ |
53 | .Dt SSL_CTX_SET_ALPN_SELECT_CB 3 | 53 | .Dt SSL_CTX_SET_ALPN_SELECT_CB 3 |
54 | .Os | 54 | .Os |
55 | .Sh NAME | 55 | .Sh NAME |
@@ -252,8 +252,12 @@ must return one of the following: | |||
252 | .Bl -tag -width Ds | 252 | .Bl -tag -width Ds |
253 | .It SSL_TLSEXT_ERR_OK | 253 | .It SSL_TLSEXT_ERR_OK |
254 | ALPN protocol selected. | 254 | ALPN protocol selected. |
255 | .It SSL_TLSEXT_ERR_ALERT_FATAL | ||
256 | There was no overlap between the client's supplied list and the | ||
257 | server configuration. | ||
255 | .It SSL_TLSEXT_ERR_NOACK | 258 | .It SSL_TLSEXT_ERR_NOACK |
256 | ALPN protocol not selected. | 259 | ALPN protocol not selected, e.g., because no ALPN protocols are |
260 | configured for this connection. | ||
257 | .El | 261 | .El |
258 | .Sh SEE ALSO | 262 | .Sh SEE ALSO |
259 | .Xr ssl 3 , | 263 | .Xr ssl 3 , |
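Review bot: the new SSL_TLSEXT_ERR_ALERT_FATAL entry (new lines 255-257) states the condition but not what the library now does with it, which is the whole point of this commit. Consider adding a sentence after "server configuration." such as "The handshake is aborted with a fatal no_application_protocol alert." so that a reader can tell this return apart from SSL_TLSEXT_ERR_NOACK, which merely continues without ALPN. Also note that the commit message calls the code SSL_TLSEXT_ERR_FATAL while the manual page documents SSL_TLSEXT_ERR_ALERT_FATAL; the two should agree, and the manual page spelling is the one callers will look up.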