[openssl-dev] ALPN and SNI callbacks in 1.0.2

Short, Todd tshort at akamai.com
Thu Mar 3 19:33:06 UTC 2016

We’ve run into an issue with the ALPN and SNI TLS extension callbacks in 1.0.2. The same behavior may be in master, but I have yet to check.

In summary, the ALPN selection callback is invoked before the SNI/servername callback, yet the ALPN value returned may be dependent on the server being connected to. In other words, ALPN may be broken for virtual servers.

There’s a comment in ssl_parse_clienthello_tlsext() that clearly states:

     * Internally supported extensions are parsed first so SNI can be handled
     * before custom extensions. An application processing SNI will typically
     * switch the parent context using SSL_set_SSL_CTX and custom extensions
     * need to be handled by the new SSL_CTX structure.

There are 4 functions that handle TLS extensions, and are invoked in the following order

	* saves servername
	* saves ec_point_formats
	* saves elliptic_curve list
	* saves opaque PRF input
	* calls session ticket callback
	* saves status request
	* saves heartbeat
	* notes NPN seen
	* calls ALPN callback

	* calls servername callback
	* calls PRF callback

	* parses custom extensions

	* calls status callback

I would argue that ALPN data should be saved in ssl_scan_clienthello_tlsext() and processed in ssl_check_clienthello_tlsext_early() - after the servername callback

-Todd Short
// tshort at akamai.com
// "One if by land, two if by sea, three if by the Internet."

More information about the openssl-dev mailing list