1 files changed, 1 insertions, 24 deletions
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 08bf5593ec..57efb75d32 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.154 2024/07/09 12:27:27 beck Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.155 2025/04/30 13:50:50 tb Exp $ */
 /*
 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -2410,7 +2410,6 @@ tlsext_randomize_build_order(SSL *s)
 {
        const struct tls_extension *psk_ext;
        size_t idx, new_idx;
-        size_t alpn_idx = 0, sni_idx = 0;
        free(s->tlsext_build_order);
        s->tlsext_build_order_len = 0;
@@ -2433,28 +2432,6 @@ tlsext_randomize_build_order(SSL *s)
                s->tlsext_build_order[new_idx] = &tls_extensions[idx];
        }
-        /*
-         * XXX - Apache2 special until year 2025: ensure that SNI precedes ALPN
-         * for clients so that virtual host setups work correctly.
-         */
-        if (s->server)
-                return 1;
-        for (idx = 0; idx < N_TLS_EXTENSIONS; idx++) {
-                if (s->tlsext_build_order[idx]->type == TLSEXT_TYPE_alpn)
-                        alpn_idx = idx;
-                if (s->tlsext_build_order[idx]->type == TLSEXT_TYPE_server_name)
-                        sni_idx = idx;
-        }
-        if (alpn_idx < sni_idx) {
-                const struct tls_extension *tmp;
-                tmp = s->tlsext_build_order[alpn_idx];
-                s->tlsext_build_order[alpn_idx] = s->tlsext_build_order[sni_idx];
-                s->tlsext_build_order[sni_idx] = tmp;
-        }
        return 1;
 }

diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c index 08bf5593ec..57efb75d32 100644 --- a/src/lib/libssl/ssl_tlsext.c +++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_tlsext.c,v 1.154 2024/07/09 12:27:27 beck Exp $ */	1	/* $OpenBSD: ssl_tlsext.c,v 1.155 2025/04/30 13:50:50 tb Exp $ */
2	/*	2	/*
3	* Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
4	* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>	4	* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -2410,7 +2410,6 @@ tlsext_randomize_build_order(SSL *s)
2410	{	2410	{
2411	const struct tls_extension *psk_ext;	2411	const struct tls_extension *psk_ext;
2412	size_t idx, new_idx;	2412	size_t idx, new_idx;
2413	size_t alpn_idx = 0, sni_idx = 0;
2414		2413
2415	free(s->tlsext_build_order);	2414	free(s->tlsext_build_order);
2416	s->tlsext_build_order_len = 0;	2415	s->tlsext_build_order_len = 0;
@@ -2433,28 +2432,6 @@ tlsext_randomize_build_order(SSL *s)
2433	s->tlsext_build_order[new_idx] = &tls_extensions[idx];	2432	s->tlsext_build_order[new_idx] = &tls_extensions[idx];
2434	}	2433	}
2435		2434
2436	/*
2437	* XXX - Apache2 special until year 2025: ensure that SNI precedes ALPN
2438	* for clients so that virtual host setups work correctly.
2439	*/
2440
2441	if (s->server)
2442	return 1;
2443
2444	for (idx = 0; idx < N_TLS_EXTENSIONS; idx++) {
2445	if (s->tlsext_build_order[idx]->type == TLSEXT_TYPE_alpn)
2446	alpn_idx = idx;
2447	if (s->tlsext_build_order[idx]->type == TLSEXT_TYPE_server_name)
2448	sni_idx = idx;
2449	}
2450	if (alpn_idx < sni_idx) {
2451	const struct tls_extension *tmp;
2452
2453	tmp = s->tlsext_build_order[alpn_idx];
2454	s->tlsext_build_order[alpn_idx] = s->tlsext_build_order[sni_idx];
2455	s->tlsext_build_order[sni_idx] = tmp;
2456	}
2457
2458	return 1;	2435	return 1;
2459	}	2436	}
2460		2437