enforce ALPN overlap?
Tomas Mraz
tomas at openssl.org
Wed Jun 9 16:43:34 UTC 2021
On Wed, 2021-06-09 at 12:32 -0400, Jan Schaumann via openssl-users
wrote:
> Hello,
>
> Based on https://alpaca-attack.com/, I was looking at
> how a TLS connection with ALPN set to e.g., "banana"
> by the client to a server that has ALPN set to "h2"
> would behave. For example:
>
> $ openssl s_server -www -accept 443 -alpn h2 \
> -key /tmp/key.pem -cert /tmp/cert.pem
>
> and
>
> $ openssl s_client -connect localhost:443 -alpn banana
>
> It seems that OpenSSL will simply not negotiate ALPN,
> but leave the connection open:
>
> [...]
> New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> Early data was not sent
> [...]
> ---
> read R BLOCK
>
> In Go, a recent commit changed their behavior to
> enforce ALPN overlap:
> https://github.com/golang/go/commit/90d6bbbe42c15d444c1da0a1c293192d6f735a8e
>
>
> Is there any plan or consideration to follow that
> approach?
The OpenSSL library allows the alpn application callback to decide.
Please see https://github.com/openssl/openssl/issues/2708
Also in the master branch the callback in the s_server application is
already changed to reject the connection in such case.
https://github.com/openssl/openssl/pull/11415
But even in 1.1.1 this is very well possible in 3rd party servers.
--
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your
conscience.]
More information about the openssl-users
mailing list