Commit 50c5042c authored by Cody P Schafer's avatar Cody P Schafer

ssl/npn+alpn: adjust protocol selection to fail if no protocols match

The current behavior causes a server written using rust-openssl to (if
it cannot negotiate a protocol) fall back to the first protocol it has
available.

This makes it impossible to detect protocol mismatches.

This updates our selection to be more similar to how openssl's
s_server behaves: non-matching protocols are not supplied with a
fallback.

Note that some setups may actually want a fallback protocol supplied
via ALPN. To support those cases, we should consider adding a generic
callback that allows protocol selection to be entirely controlled by
the programmer.

For the purposes of having a sane default, however, not supplying a
default (and mimicing s_server's behavior) is the best choice.
parent 164f3f08
+3 −3
@@ -167,11 +167,11 @@ macro_rules! import_options {

include!("ssl_options.rs");

#[cfg(feature = "npn")]
#[cfg(any(feature = "npn", feature = "alpn"))]
pub const OPENSSL_NPN_UNSUPPORTED: c_int = 0;
#[cfg(feature = "npn")]
#[cfg(any(feature = "npn", feature = "alpn"))]
pub const OPENSSL_NPN_NEGOTIATED: c_int = 1;
#[cfg(feature = "npn")]
#[cfg(any(feature = "npn", feature = "alpn"))]
pub const OPENSSL_NPN_NO_OVERLAP: c_int = 2;

pub const V_ASN1_GENERALIZEDTIME: c_int = 24;
+5 −2
@@ -308,9 +308,12 @@ unsafe fn select_proto_using(ssl: *mut ffi::SSL,
        let client_len = protocols.len() as c_uint;
        // Finally, let OpenSSL find a protocol to be used, by matching the given server and
        // client lists.
        ffi::SSL_select_next_proto(out, outlen, inbuf, inlen, client, client_len);
        if ffi::SSL_select_next_proto(out, outlen, inbuf, inlen, client, client_len) != ffi::OPENSSL_NPN_NEGOTIATED {
            ffi::SSL_TLSEXT_ERR_NOACK
        } else {
            ffi::SSL_TLSEXT_ERR_OK
        }
}

/// The function is given as the callback to `SSL_CTX_set_next_proto_select_cb`.
///
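Review bot: The new `if` around the `SSL_select_next_proto` call maps every result other than `OPENSSL_NPN_NEGOTIATED` to `SSL_TLSEXT_ERR_NOACK` without a comment, while the comment just above it still says OpenSSL "finds a protocol to be used", so the decline path is undocumented at the point where it matters. For an ALPN server callback, NOACK on no overlap is the strict behaviour the commit message asks for; but if this helper is also reached from the client-side NPN path (the doc comment that follows suggests the neighbouring function is the `SSL_CTX_set_next_proto_select_cb` callback), OpenSSL treats a non-`SSL_TLSEXT_ERR_OK` return from that callback as a fatal handshake error rather than a "no protocol" signal, which is worth confirming before both callers share this branch. Suggest a comment on the `if` such as `// No overlap (NO_OVERLAP/UNSUPPORTED): decline rather than fall back to the first server protocol, mirroring s_server.` `select_proto_using` begins outside the hunk.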