SSL_CTX_set_alpn_select_cb and Other OpenSSL API ALPN Functions + Their Callbacks

Angus Robertson - Magenta Systems Ltd angus at
Mon Aug 1 13:17:00 UTC 2022

> While this may be reasonable advice for SNI, I'm not sure that 
> this is correct for ALPN. I don't think it is actually possible 
> to set the selected ALPN *without* using the ALPN callback. At 
> least I can't see a way.

Correct, I wondered why I still used both callbacks.  

But I also know from experience you can not change SSL_CTX in the ALPN
callback, it's too late in the handshake process.  

So if you need to change CTX, for instance for ALPN acme-tls/1 for
Let's Encrypt, you have to do it during the HELO callback. 

> A useful addition to OpenSSL might be a new API to set the
> selected ALPN directly which could be called from a client_hello_cb.

Indeed, would save using two callbacks.  


More information about the openssl-users mailing list