Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
NPN / ALPN extensions callbacks don't allow handshake failure #188
The interface for the ALPN/NPN protocol selection callbacks and protocol selection notification callbacks do not allow for the handshake to fail. It is requested that the return value support for these methods be expanded to allow the handshake to fail. This may be desirable (and explicitly called out in the ALPN specification) in the event there are no common protocols found during the selection process, or if the select protocol is not acceptable.
The NPN specification is not as explicit about the alert to be used in this case but it could just result in a generic handshake_failure alert (if the callbacks return the new failure value)?
@richsalz - FYI this is to continue our discussion about the ALPN / NPN failure behavior. The OpenJDK based implementations (jetty-alpn and jetty-npn) have been updated to support controlling the behavior at the granularity of each handshake (so not just a compile time flag or system property). I think this is equivalent to adding an additional return value to the openssl callbacks?
In the case of ALPN we used the
changed the title from
NPN / ALPN extensions callbacks allow handshake failure
NPN / ALPN extensions callbacks don't allow handshake failure
Oct 22, 2014
referenced this issue
May 28, 2015
Question posted to mailing list http://marc.info/?l=openssl-dev&m=143285528815940&w=2
@richsalz - I checked out the patch and it looks good. The only thing from your point of view is whether you want to make the fatal alert failure behavior in s_server optional or not. This would be to preserve existing behavior, even though it goes against the spec.
What is the timeline on evaluating / merging / targeting this for a release?