enforce ALPN overlap?

Tomas Mraz tomas at openssl.org
Wed Jun 9 16:43:34 UTC 2021

On Wed, 2021-06-09 at 12:32 -0400, Jan Schaumann via openssl-users
> Hello,
> Based on https://alpaca-attack.com/, I was looking at
> how a TLS connection with ALPN set to e.g., "banana"
> by the client to a server that has ALPN set to "h2"
> would behave.  For example:
> $ openssl s_server -www -accept 443 -alpn h2 \
> 	-key /tmp/key.pem -cert /tmp/cert.pem
> and
> $ openssl s_client -connect localhost:443 -alpn banana
> It seems that OpenSSL will simply not negotiate ALPN,
> but leave the connection open:
> [...]
> New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> Early data was not sent
> [...]
> ---
> read R BLOCK
> In Go, a recent commit changed their behavior to
> enforce ALPN overlap:
> https://github.com/golang/go/commit/90d6bbbe42c15d444c1da0a1c293192d6f735a8e
> Is there any plan or consideration to follow that
> approach?

The OpenSSL library allows the alpn application callback to decide.
Please see https://github.com/openssl/openssl/issues/2708

Also in the master branch the callback in the s_server application is
already changed to reject the connection in such case.

But even in 1.1.1 this is very well possible in 3rd party servers. 

Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your

More information about the openssl-users mailing list