From 57fbc2fcc87151c9659e9408fe1bdd5dd553f16e Mon Sep 17 00:00:00 2001
From: tb <>
Date: Wed, 30 Apr 2025 13:50:50 +0000
Subject: tlsext: stop sending SNI before ALPN in clients
All supported releases of LibreSSL ensure that the corresponding callbacks are called in a predefined order rather than honoring the order in which a client sends its extensions. Therefore the ALPN callback for apache-httpd's virtual host setups can rely on SNI information being available and we no longer need to work around this on hte client side.
Cuts the amount of code needed for tlsext randomization in half.
ok jsing
---
 src/lib/libssl/ssl_tlsext.c | 25 +------------------------
 1 file changed, 1 insertion(+), 24 deletions(-)
(limited to 'src')
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 08bf5593ec..57efb75d32 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.154 2024/07/09 12:27:27 beck Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.155 2025/04/30 13:50:50 tb Exp $ */
 /*
 * Copyright (c) 2016, 2017, 2019 Joel Sing
 * Copyright (c) 2017 Doug Hogan
@@ -2410,7 +2410,6 @@ tlsext_randomize_build_order(SSL *s)
 {
 const struct tls_extension *psk_ext;
 size_t idx, new_idx;
- size_t alpn_idx = 0, sni_idx = 0;
 free(s->tlsext_build_order);
 s->tlsext_build_order_len = 0;
@@ -2433,28 +2432,6 @@ tlsext_randomize_build_order(SSL *s)
 s->tlsext_build_order[new_idx] = &tls_extensions[idx];
 }
- /*
- * XXX - Apache2 special until year 2025: ensure that SNI precedes ALPN
- * for clients so that virtual host setups work correctly.
- */
-
- if (s->server)
- return 1;
- for (idx = 0; idx < N_TLS_EXTENSIONS; idx++) {
- if (s->tlsext_build_order[idx]->type == TLSEXT_TYPE_alpn)
- alpn_idx = idx;
- if (s->tlsext_build_order[idx]->type == TLSEXT_TYPE_server_name)
- sni_idx = idx;
- }
- if (alpn_idx < sni_idx) {
- const struct tls_extension *tmp;
-
- tmp = s->tlsext_build_order[alpn_idx];
- s->tlsext_build_order[alpn_idx] = s->tlsext_build_order[sni_idx];
- s->tlsext_build_order[sni_idx] = tmp;
- }
-
 return 1;
 }
-- 
cgit v1.2.3-55-g6feb
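Review bot: The justification for dropping the swap only covers LibreSSL servers, but the order a client puts extensions on the wire is consumed by whatever TLS stack the peer runs, so after this hunk a LibreSSL client will send ALPN ahead of SNI roughly half the time to every server, not just LibreSSL ones (the body of tlsext_randomize_build_order starts outside the hunk). A server whose ALPN selection callback still runs in wire order, which is the Apache virtual-host situation the deleted comment described and which I believe affected some older OpenSSL releases though I have not checked which, could then negotiate a protocol for the wrong vhost; that is an interoperability regression rather than a security one, but it is the kind of intermittent failure that is hard to diagnose because it depends on the random order. If the project is satisfied that servers in the wild now process SNI before ALPN, a short comment recording that assumption before the final `return 1;` would spare the next reader from re-deriving it, e.g. `/* No SNI-before-ALPN ordering is enforced for clients: servers are expected to process SNI before ALPN regardless of wire order. */`.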