From 2237cbfc7bb81e07c1a424f450cd6e0946803679 Mon Sep 17 00:00:00 2001
From: tb <>
Date: Wed, 4 Jun 2025 10:25:30 +0000
Subject: libtls: abort handshake on no ALPN protcol overlap

RFC 7301, section 3.2: In the event that the server supports no protocols that the client advertises, then the server SHALL respond with a fatal "no_application_protocol" alert. This change makes tlsext_alpn_server_process() send the alert rather than pretending no callback was present. ok jsing
---
 src/lib/libtls/tls_server.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'src')

diff --git a/src/lib/libtls/tls_server.c b/src/lib/libtls/tls_server.c
index a94b4221ed..42a697327a 100644
--- a/src/lib/libtls/tls_server.c
+++ b/src/lib/libtls/tls_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_server.c,v 1.51 2024/03/26 08:54:48 joshua Exp $ */
+/* $OpenBSD: tls_server.c,v 1.52 2025/06/04 10:25:30 tb Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -75,7 +75,7 @@ tls_server_alpn_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen,
 	    OPENSSL_NPN_NEGOTIATED)
 		return (SSL_TLSEXT_ERR_OK);
 
-	return (SSL_TLSEXT_ERR_NOACK);
+	return (SSL_TLSEXT_ERR_ALERT_FATAL);
 }
 
 static int
-- 
cgit v1.2.3-55-g6feb
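Review bot: The new `return (SSL_TLSEXT_ERR_ALERT_FATAL);` turns any result other than `OPENSSL_NPN_NEGOTIATED` into a handshake abort, but nothing in the function says why; a comment directly above it, `/* RFC 7301 3.2: no overlap with the client's ALPN list is a fatal no_application_protocol alert, not "no ALPN". */`, would keep a later maintainer from restoring `SSL_TLSEXT_ERR_NOACK`. This is also an operator-visible change: a server configured with `tls_config_set_alpn()` will now reject clients that advertise only protocols it does not support instead of continuing without ALPN, so the tls_config_set_alpn(3) documentation presumably needs a sentence saying that such connections fail the handshake; I cannot see the man page from here. The beginning of `tls_server_alpn_cb()`, including the protocol-selection call whose result is compared with `OPENSSL_NPN_NEGOTIATED`, lies before the hunk.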