[mod_openssl] no ALPN fatal error w/ mod_sockproxy (fixes #3081)

If mod_sockproxy -- or other connection-level handler -- has been set
on the request prior to mod_openssl processing TLS Client Hello, then
failure to match ALPN protocol is no longer treated as a TLS connection
setup error.

x-ref:
  "sockproxy: Do not validate ALPN protocols"
  https://redmine.lighttpd.net/issues/3081
master
Glenn Strauss 5 months ago
parent
commit
39d399112a
4
src/mod_openssl.c

@ -1886,7 +1886,9 @@ mod_openssl_alpn_select_cb (SSL *ssl, const unsigned char **out, unsigned char *
#if OPENSSL_VERSION_NUMBER < 0x10100000L
return SSL_TLSEXT_ERR_NOACK;
#else
return SSL_TLSEXT_ERR_ALERT_FATAL;
return hctx->r->handler_module /*(e.g. mod_sockproxy)*/
? SSL_TLSEXT_ERR_NOACK
: SSL_TLSEXT_ERR_ALERT_FATAL;
#endif
}
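
Review bot: In the `#else` branch, the new return tests only that `hctx->r->handler_module` is non-NULL, so any module that has set a handler before the Client Hello is processed suppresses the fatal alert, not only mod_sockproxy. The inline comment `/*(e.g. mod_sockproxy)*/` does not say why a non-NULL handler at this point implies a connection-level handler. A short comment stating that invariant would help, and it should also say that returning `SSL_TLSEXT_ERR_NOACK` lets the handshake continue with no ALPN protocol selected. The commit touches only src/mod_openssl.c; a regression test that offers an unmatched ALPN protocol with and without mod_sockproxy configured would cover both arms of the ternary.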
