[openssl-dev] SNI/ALPN ordering

Stefan Eissing stefan.eissing at greenbytes.de
Wed Jun 17 12:08:11 UTC 2015


*NOT A SECURITY ISSUE*

That out of the way: while debugging my HTTP/2 module for Apache httpd, I see that the callback for SNI seems to be invoked *after* the callback for ALPN had been called (OpenSSL 1.0.2c). Can this be correct? Is there anything to influence this ordering?

My issue is that the proposed ALPN protocols depend on the virtual host the client wants to talk to. So, the observed order poses a bit of a problem. The code *can* check the server name via SSL_get_servername() and the correct name is reported. However this is not how it is supposed to work, right?

Again, if there is anything influencing the order of the callback invocation, I'd be willing to adapt. Otherwise, I think, the order needs to be defined in the OpenSSL API and it should be SNI before ALPN. 

Cheers,

  Stefan


<green/>bytes GmbH
Hafenweg 16, 48155 Münster, Germany
Phone: +49 251 2807760. Amtsgericht Münster: HRB5782
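
Added example, not part of the original message and not OpenSSL or httpd code: a stand-alone sketch of the workaround the post mentions, where the ALPN selection logic looks up the requested server name itself instead of relying on the SNI callback having run first. The function name, host names and policy table are hypothetical; in an OpenSSL server the name would come from SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name) inside the callback registered with SSL_CTX_set_alpn_select_cb().

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Hypothetical per-vhost ALPN policy, server preference order (constructed data). */
struct vhost_alpn { const char *name; const char *protos[3]; };
static const struct vhost_alpn VHOSTS[] = {
    { "h2.example.test",     { "h2", "http/1.1", NULL } },
    { "legacy.example.test", { "http/1.1", NULL, NULL } },
};
static const char *const DEFAULT_PROTOS[] = { "http/1.1", NULL };

/* Preference list for the requested name; a NULL name means the client sent no SNI. */
static const char *const *protos_for(const char *sni)
{
    for (size_t i = 0; sni && i < sizeof VHOSTS / sizeof VHOSTS[0]; i++)
        if (strcasecmp(sni, VHOSTS[i].name) == 0)   /* host names are case-insensitive */
            return VHOSTS[i].protos;
    return DEFAULT_PROTOS;
}

/* in/inlen: the client's ALPN offer in wire format (1-byte length, then name, repeated).
 * On a match returns 0 and points *out/*outlen into `in`; returns -1 when nothing
 * matches or the list is malformed (empty entry, or entry running past the buffer). */
int select_alpn_for_vhost(const char *sni, const unsigned char *in, size_t inlen,
                          const unsigned char **out, unsigned char *outlen)
{
    const char *const *want = protos_for(sni);

    if (inlen == 0)
        return -1;
    /* Validate the whole list once so the matching loop below cannot over-read. */
    for (size_t i = 0; i < inlen; i += 1 + (size_t)in[i])
        if (in[i] == 0 || in[i] > inlen - i - 1)
            return -1;

    for (; *want; want++) {                 /* server preference wins */
        size_t wl = strlen(*want);
        for (size_t i = 0; i < inlen; i += 1 + (size_t)in[i])
            if (in[i] == wl && memcmp(in + i + 1, *want, wl) == 0) {
                *out = in + i + 1;
                *outlen = in[i];
                return 0;
            }
    }
    return -1;
}
```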




