Does openssl sanity check ALPN strings?


Hal Murray

If a client passes {99, "a", "z" } with a length of 3 to
SSL_CTX_set_alpn_protos,
does that get rejected or sent to the server?

If somebody sends that to a server, does it get passed to the alpn callback?


--
These are my opinions.  I hate spam.




Re: Does openssl sanity check ALPN strings?

Wim Lewis-3

On Jun 26, 2019, at 4:25 PM, Hal Murray <[hidden email]> wrote:
> If a client passes {99, "a", "z" } with a length of 3 to
> SSL_CTX_set_alpn_protos,
> does that get rejected or sent to the server?
>
> If somebody sends that to a server, does it get passed to the alpn callback?

I don't think OpenSSL does any checking on the client side --- whatever bytes you supply get sent to the server.

On the server side it does some checking before calling the alpn callback but I don't know that it makes any guarantees of validity.



Re: Does openssl sanity check ALPN strings?

Hal Murray

[hidden email] said:
> I don't think OpenSSL does any checking on the client side --- whatever bytes
> you supply get sent to the server.

> On the server side it does some checking before calling the alpn callback but
> I don't know that it makes any guarantees of validity.

Thanks.

Does out/outlen as returned by the server side alpn callback include the
length byte?

The man page says:
       cb is the application defined callback. The in, inlen parameters are a
       vector in protocol-list format. The value of the out, outlen vector
       should be set to the value of a single protocol selected from the in,
       inlen vector. The out buffer may point directly into in, or to a buffer
       that outlives the handshake. The arg parameter is the pointer set via
       SSL_CTX_set_alpn_select_cb().



--
These are my opinions.  I hate spam.
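The two questions in this thread (whether a malformed protocol list such as {99, "a", "z"} with length 3 is caught, and what the select callback's out/outlen should hold) come down to the ALPN protocol-list wire format from RFC 7301: a sequence of elements, each a one-byte length followed by that many name bytes. The following is an added example, not code from the thread or from OpenSSL; alpn_list_valid and alpn_select are hypothetical helpers written in plain C so the block runs without linking OpenSSL. alpn_list_valid is the kind of check a server application can apply to the in/inlen vector before trusting it, and alpn_select follows the same convention as OpenSSL's SSL_select_next_proto: on a match, out points at the protocol name, i.e. the byte after its length byte, and outlen is the name length without the length byte.

```c
#include <stdio.h>
#include <string.h>

/* Walk a protocol-list buffer (RFC 7301: a sequence of
 * <1-byte length><name>) and return 1 if every element fits inside
 * the buffer and is non-empty, 0 otherwise.
 * Hypothetical helper for this example; not an OpenSSL API. */
int alpn_list_valid(const unsigned char *list, size_t len)
{
    size_t i = 0;

    if (len == 0)
        return 0;                  /* at least one protocol is required */
    while (i < len) {
        size_t n = list[i];
        if (n == 0)                /* empty protocol names are not allowed */
            return 0;
        if (n > len - i - 1)       /* length byte runs past the end of the buffer */
            return 0;
        i += 1 + n;
    }
    return 1;
}

/* Pick the first server-preferred protocol that the client also offers.
 * On success *out points at the protocol name (the byte AFTER its length
 * byte) and *outlen is the name length; this mirrors the convention of
 * OpenSSL's SSL_select_next_proto and what an alpn select callback
 * returns through its out/outlen parameters.
 * Hypothetical helper for this example; not an OpenSSL API. */
int alpn_select(const unsigned char *server, size_t server_len,
                const unsigned char *client, size_t client_len,
                const unsigned char **out, unsigned char *outlen)
{
    size_t i, j;

    /* Refuse to walk either list until its framing has been checked. */
    if (!alpn_list_valid(server, server_len) ||
        !alpn_list_valid(client, client_len))
        return 0;

    for (i = 0; i < server_len; i += 1 + server[i]) {
        for (j = 0; j < client_len; j += 1 + client[j]) {
            if (server[i] == client[j] &&
                memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) {
                *out = &client[j + 1];   /* into the client list, past the length byte */
                *outlen = client[j];
                return 1;
            }
        }
    }
    return 0;
}

int main(void)
{
    /* Constructed sample inputs. */
    static const unsigned char bogus[]  = { 99, 'a', 'z' };     /* the thread's example */
    static const unsigned char client[] = "\x08http/1.1\x02h2";  /* client offers http/1.1, h2 */
    static const unsigned char server[] = "\x02h2\x08http/1.1";  /* server prefers h2 */
    const unsigned char *sel = NULL;
    unsigned char sel_len = 0;

    printf("{99,'a','z'} with length 3 valid: %d\n",
           alpn_list_valid(bogus, sizeof bogus));
    printf("client list valid: %d\n",
           alpn_list_valid(client, sizeof client - 1));

    if (alpn_select(server, sizeof server - 1, client, sizeof client - 1,
                    &sel, &sel_len))
        printf("selected: %.*s (outlen %u, preceding length byte %u)\n",
               (int)sel_len, sel, sel_len, sel[-1]);
    return 0;
}
```

Running it shows the malformed list rejected (its single length byte, 99, claims more bytes than the 2 that follow) and the selection landing on "h2" with outlen 2, while the byte just before out is the length byte 2 that was not included.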