SSL_CTX_set_alpn_select_cb and Other OpenSSL API ALPN Functions + Their Callbacks

Matt Caswell matt at openssl.org
Mon Aug 1 10:37:14 UTC 2022



On 29/07/2022 17:21, Angus Robertson - Magenta Systems Ltd wrote:
>> I don't understand how to write the callback functions some of
>> the OpenSSL ALPN functions expect, and the manual really isn't
>> helping there either, so I'd like some help.
> 
> Use SSL_CTX_set_client_hello_cb to set a SSL_client_hello_cb_fn
> function, which you can parse to get TLSEXT_TYPE_server_name and
> TLSEXT_TYPE_application_layer_protocol_negotiation, and everything else
> sent in the Client Hello (if you need it) like SSL versions and ciphers
> supported.
> 
> Within this callback you can change SSL_CTX depending on SNI and ALPN.
> 
> 
> Ignore the SNI and ALPN callbacks.  client_hello_cb was only added in
> 1.1.1 so is often missing from old examples, FAQs and manuals.

While this may be reasonable advice for SNI, I'm not sure that this is 
correct for ALPN. I don't think it is actually possible to set the 
selected ALPN *without* using the ALPN callback. At least I can't see a way.

A useful addition to OpenSSL might be a new API to set the selected ALPN 
directly which could be called from a client_hello_cb.

There's an example of an alpn selection callback here:

https://github.com/openssl/openssl/blob/72a85c17aae602e881c917c3f6e93bd7f7260093/apps/s_server.c#L643-L680

https://github.com/openssl/openssl/blob/72a85c17aae602e881c917c3f6e93bd7f7260093/apps/s_server.c#L1786-L1791

https://github.com/openssl/openssl/blob/72a85c17aae602e881c917c3f6e93bd7f7260093/apps/s_server.c#L2048-L2049


Matt
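An added example, not from this thread or from s_server.c, of the kind of ALPN selection callback Matt refers to: it parses the client's length-prefixed ALPN list, picks the first entry from an assumed server preference order (h2, then http/1.1), and maps the outcome onto the SSL_TLSEXT_ERR_* return codes. The stand-in macros and `struct ssl_st` carry OpenSSL's own values so the file compiles without OpenSSL headers.

```c
#include <string.h>
/* Stand-ins so this compiles without OpenSSL headers: the SSL_TLSEXT_ERR_*
 * values and the SSL struct tag match <openssl/ssl.h>; drop them when linking. */
#ifndef SSL_TLSEXT_ERR_OK
#define SSL_TLSEXT_ERR_OK 0
#define SSL_TLSEXT_ERR_ALERT_FATAL 2
#define SSL_TLSEXT_ERR_NOACK 3
#endif
struct ssl_st;
/* Assumed server preference order: first protocol the client also offers wins. */
static const char *const server_protos[] = { "h2", "http/1.1" };
/* 'in' is the client's ALPN list as sent on the wire: entries of a 1-byte
 * length followed by that many name bytes. Returns 1 and sets *out/*outlen
 * on a match, 0 if no overlap, -1 if an entry is zero-length or truncated. */
int alpn_pick(const unsigned char *in, unsigned int inlen,
              const unsigned char **out, unsigned char *outlen)
{
    unsigned int p;
    size_t i;
    /* Pass 1: validate every length prefix before trusting it. */
    for (p = 0; p < inlen; p += 1u + in[p])
        if (in[p] == 0 || p + 1u + in[p] > inlen)
            return -1;
    /* Pass 2: server preference order, first overlap wins. */
    for (i = 0; i < sizeof(server_protos) / sizeof(server_protos[0]); i++) {
        size_t want = strlen(server_protos[i]);
        for (p = 0; p < inlen; p += 1u + in[p]) {
            if (in[p] == want && memcmp(in + p + 1, server_protos[i], want) == 0) {
                *out = in + p + 1;  /* points into 'in'; OpenSSL does not copy it */
                *outlen = in[p];
                return 1;
            }
        }
    }
    return 0;
}
/* Signature SSL_CTX_set_alpn_select_cb() expects; register with
 * SSL_CTX_set_alpn_select_cb(ctx, alpn_select_cb, NULL). */
int alpn_select_cb(struct ssl_st *ssl, const unsigned char **out,
                   unsigned char *outlen, const unsigned char *in,
                   unsigned int inlen, void *arg)
{
    (void)ssl; (void)arg;
    switch (alpn_pick(in, inlen, out, outlen)) {
    case 1:  return SSL_TLSEXT_ERR_OK;          /* *out is the negotiated protocol */
    case 0:  return SSL_TLSEXT_ERR_NOACK;       /* no overlap: proceed without ALPN */
    default: return SSL_TLSEXT_ERR_ALERT_FATAL; /* malformed list: abort the handshake */
    }
}
```

Returning SSL_TLSEXT_ERR_NOACK lets the handshake continue with no ALPN extension in the ServerHello, whereas SSL_TLSEXT_ERR_ALERT_FATAL terminates it; which one a server wants for the no-overlap case is a policy choice.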

