By commit 50932c4af2fdd1da01203e9fabe176f9c106882b, ssl_next_proto_validate (in ssl/t1_lib.c) is not validating the length of each advertised protocol name. GitHub Pull Request: https://github.com/openssl/openssl/pull/506 -- Kazuki Yamaguchi <k at rhe.jp>