Commit 63c2789
crypto: make ALPN the same for OpenSSL 1.0.2 & 1.1.0
This is kind of hairy. OpenSSL 1.0.2 ignored the return value and always
treated everything as SSL_TLSEXT_ERR_NOACK (so the comment was wrong and
Node was never sending a warning alert). OpenSSL 1.1.0 honors
SSL_TLSEXT_ERR_NOACK vs SSL_TLSEXT_ERR_FATAL_ALERT and treats everything
unknown as SSL_TLSEXT_ERR_FATAL_ALERT.

Since this is a behavior change (tests break too), start by aligning
everything on SSL_TLSEXT_ERR_NOACK. If sending no_application_protocol
is desirable in the future, this can be changed to
SSL_TLSEXT_ERR_FATAL_ALERT with whatever deprecation process is
appropriate.

However, note that, contrary to
https://rt.openssl.org/Ticket/Display.html?id=3463#txn-54498,
SSL_TLSEXT_ERR_FATAL_ALERT is *not* useful to a server with no fallback
protocol. Even if such mismatches were rejected, such a server must
*still* account for the fallback protocol case when the client does not
advertise ALPN at all. Thus this may not be worth bothering.

PR-URL: nodejs#16130
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Rod Vagg <rod@vagg.org>
1 parent d9b9229 commit 63c2789
1 file changed
Lines changed: 6 additions & 14 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
2502 | 2502 | | |
2503 | 2503 | | |
2504 | 2504 | | |
2505 | | - | |
2506 | | - | |
2507 | | - | |
2508 | | - | |
2509 | | - | |
2510 | | - | |
2511 | | - | |
2512 | | - | |
2513 | | - | |
2514 | | - | |
2515 | | - | |
2516 | | - | |
2517 | | - | |
2518 | | - | |
| 2505 | + | |
| 2506 | + | |
| 2507 | + | |
| 2508 | + | |
| 2509 | + | |
| 2510 | + | |
2519 | 2511 | | |
2520 | 2512 | | |
2521 | 2513 | | |
| |||
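Review bot: the six lines added at 2505-2510 leave a server with no ALPN overlap completing the handshake with no protocol selected (per the commit message, everything is aligned on SSL_TLSEXT_ERR_NOACK), and with only one file changed nothing documents that for users. Suggest a note in the TLS docs that a mismatch is not rejected and that server code must check the negotiated protocol and handle the fallback case itself; that note is also the natural place to record the decision if sending no_application_protocol is revisited later.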