Does openssl sanity check ALPN strings?

Wim Lewis wiml at omnigroup.com
Wed Jun 26 23:47:14 UTC 2019


On Jun 26, 2019, at 4:25 PM, Hal Murray <hmurray at megapathdsl.net> wrote:
> If a client passes {99, "a", "z" } with a length of 3 to 
> SSL_CTX_set_alpn_protos,
> does that get rejected or sent to the server?
> 
> If somebody sends that to a server, does it get passed to the alpn callback?

I don't think OpenSSL does any checking on the client side --- whatever bytes you supply get sent to the server.

On the server side it does some checking before calling the alpn callback but I don't know that it makes any guarantees of validity.
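
The list in the question, { 99, "a", "z" } with length 3, does not fit the ALPN wire format (RFC 7301), where each entry is a one-byte length (1..255) followed by exactly that many bytes. A caller-side check that could run before SSL_CTX_set_alpn_protos, as an added example that is not part of the original message or of OpenSSL's code; the function name and sample arrays are made up for illustration:

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed samples: the list from the question, and a valid list
 * holding the protocol names "h2" and "http/1.1". */
static const unsigned char sample_from_question[] = { 99, 'a', 'z' };
static const unsigned char sample_good[] = {
    2, 'h', '2',
    8, 'h', 't', 't', 'p', '/', '1', '.', '1'
};

/* Hypothetical helper. Returns 1 if buf[0..len) is a well-formed ALPN
 * protocol list: one or more entries, each a 1-byte length (1..255)
 * followed by that many bytes, together filling the buffer exactly.
 * Returns 0 otherwise. */
int alpn_list_is_wellformed(const unsigned char *buf, size_t len)
{
    size_t i = 0;

    /* RFC 7301 bounds the whole list to 2..65535 bytes. */
    if (buf == NULL || len < 2 || len > 65535)
        return 0;

    while (i < len) {
        size_t n = buf[i++];      /* length prefix of this entry */

        if (n == 0)               /* empty protocol names are not allowed */
            return 0;
        if (n > len - i)          /* entry would run past the buffer */
            return 0;
        i += n;
    }
    return 1;                     /* entries consumed the buffer exactly */
}

int main(void)
{
    printf("question list: %d\n",
           alpn_list_is_wellformed(sample_from_question,
                                   sizeof(sample_from_question)));
    printf("h2 + http/1.1: %d\n",
           alpn_list_is_wellformed(sample_good, sizeof(sample_good)));
    return 0;
}
```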




More information about the openssl-users mailing list