Does openssl sanity check ALPN strings?

Wim Lewis wiml at
Wed Jun 26 23:47:14 UTC 2019

On Jun 26, 2019, at 4:25 PM, Hal Murray <hmurray at> wrote:
> If a client passes {99, "a", "z" } with a length of 3 to 
> SSL_CTX_set_alpn_protos,
> does that get rejected or sent to the server?
> If a somebody sends that to a server, does it get passed to the alpn callback?

I don't think OpenSSL does any checking on the client side --- whatever bytes you supply get sent to the server.

On the server side it does some checking before calling the alpn callback but I don't know that it makes any guarantees of validity.

More information about the openssl-users mailing list