SSL_CTX_set_alpn_select_cb and Other OpenSSL API ALPN Functions + Their Callbacks
Angus Robertson - Magenta Systems Ltd
angus at magsys.co.uk
Mon Aug 1 13:17:00 UTC 2022
> While this may be reasonable advice for SNI, I'm not sure that
> this is correct for ALPN. I don't think it is actually possible
> to set the selected ALPN *without* using the ALPN callback. At
> least I can't see a way.
Correct, I wondered why I still used both callbacks.
But I also know from experience you can not change SSL_CTX in the ALPN
callback, it's too late in the handshake process.
So if you need to change CTX, for instance for ALPN acme-tls/1 for
Let's Encrypt, you have to do it during the HELO callback.
> A useful addition to OpenSSL might be a new API to set the
> selected ALPN directly which could be called from a client_hello_cb.
Indeed, would save using two callbacks.
Angus
More information about the openssl-users
mailing list