Does openssl sanity check ALPN strings?
Hal Murray
hmurray at megapathdsl.net
Fri Jun 28 08:36:05 UTC 2019
wiml at omnigroup.com said:
> I don't think OpenSSL does any checking on the client side --- whatever bytes
> you supply get sent to the server.
> On the server side it does some checking before calling the alpn callback but
> I don't know that it makes any guarantees of validity.
Thanks.
Does out/outlen as returned by the server side alpn callback include the
length byte?
man page says:
cb is the application defined callback. The in, inlen parameters are a
vector in protocol-list format. The value of the out, outlen vector
should be set to the value of a single protocol selected from the in,
inlen vector. The out buffer may point directly into in, or to a buffer
that outlives the handshake. The arg parameter is the pointer set via
SSL_CTX_set_alpn_select_cb().
--
These are my opinions. I hate spam.
More information about the openssl-users
mailing list