Does openssl sanity check ALPN strings?

Hal Murray hmurray at
Fri Jun 28 08:36:05 UTC 2019

wiml at said:
> I don't think OpenSSL does any checking on the client side --- whatever bytes
> you supply get sent to the server.

> On the server side it does some checking before calling the alpn callback but
> I don't know that it makes any guarantees of validity. 


Does out/outlen as returned by the server side alpn callback include the 
length byte?

man page says:
       cb is the application defined callback. The in, inlen parameters are a
       vector in protocol-list format. The value of the out, outlen vector
       should be set to the value of a single protocol selected from the in,
       inlen vector. The out buffer may point directly into in, or to a buffer
       that outlives the handshake. The arg parameter is the pointer set via

These are my opinions.  I hate spam.

More information about the openssl-users mailing list