Does openssl sanity check ALPN strings?
Wim Lewis
wiml at omnigroup.com
Wed Jun 26 23:47:14 UTC 2019
On Jun 26, 2019, at 4:25 PM, Hal Murray <hmurray at megapathdsl.net> wrote:
> If a client passes {99, "a", "z" } with a length of 3 to
> SSL_CTX_set_alpn_protos,
> does that get rejected or sent to the server?
>
> If a somebody sends that to a server, does it get passed to the alpn callback?
I don't think OpenSSL does any checking on the client side --- whatever bytes you supply get sent to the server.
On the server side it does some checking before calling the alpn callback but I don't know that it makes any guarantees of validity.
More information about the openssl-users
mailing list