Commit d1d398e4 authored by Benjamin Peterson's avatar Benjamin Peterson

prefer server alpn ordering over the client's

parent ea324584
...@@ -875,7 +875,8 @@ SSL sockets also have the following additional methods and attributes: ...@@ -875,7 +875,8 @@ SSL sockets also have the following additional methods and attributes:
Return the protocol that was selected during the TLS handshake. If Return the protocol that was selected during the TLS handshake. If
:meth:`SSLContext.set_alpn_protocols` was not called, if the other party does :meth:`SSLContext.set_alpn_protocols` was not called, if the other party does
not support ALPN, or if the handshake has not happened yet, ``None`` is not support ALPN, if this socket does not support any of the client's
proposed protocols, or if the handshake has not happened yet, ``None`` is
returned. returned.
.. versionadded:: 2.7.10 .. versionadded:: 2.7.10
...@@ -2819,9 +2819,9 @@ else: ...@@ -2819,9 +2819,9 @@ else:
server_protocols = ['foo', 'bar', 'milkshake'] server_protocols = ['foo', 'bar', 'milkshake']
protocol_tests = [ protocol_tests = [
(['foo', 'bar'], 'foo'), (['foo', 'bar'], 'foo'),
(['bar', 'foo'], 'bar'), (['bar', 'foo'], 'foo'),
(['milkshake'], 'milkshake'), (['milkshake'], 'milkshake'),
(['http/3.0', 'http/4.0'], 'foo') (['http/3.0', 'http/4.0'], None)
] ]
for client_protocols, expected in protocol_tests: for client_protocols, expected in protocol_tests:
server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
...@@ -2149,18 +2149,25 @@ set_ciphers(PySSLContext *self, PyObject *args) ...@@ -2149,18 +2149,25 @@ set_ciphers(PySSLContext *self, PyObject *args)
} }
static int static int
do_protocol_selection(unsigned char **out, unsigned char *outlen, do_protocol_selection(int alpn, unsigned char **out, unsigned char *outlen,
const unsigned char *remote_protocols, unsigned int remote_protocols_len, const unsigned char *server_protocols, unsigned int server_protocols_len,
unsigned char *our_protocols, unsigned int our_protocols_len) const unsigned char *client_protocols, unsigned int client_protocols_len)
{ {
if (our_protocols == NULL) { int ret;
our_protocols = (unsigned char*)""; if (client_protocols == NULL) {
our_protocols_len = 0; client_protocols = (unsigned char *)"";
client_protocols_len = 0;
}
if (server_protocols == NULL) {
server_protocols = (unsigned char *)"";
server_protocols_len = 0;
} }
SSL_select_next_proto(out, outlen, ret = SSL_select_next_proto(out, outlen,
remote_protocols, remote_protocols_len, server_protocols, server_protocols_len,
our_protocols, our_protocols_len); client_protocols, client_protocols_len);
if (alpn && ret != OPENSSL_NPN_NEGOTIATED)
return SSL_TLSEXT_ERR_NOACK;
return SSL_TLSEXT_ERR_OK; return SSL_TLSEXT_ERR_OK;
} }
...@@ -2192,7 +2199,7 @@ _selectNPN_cb(SSL *s, ...@@ -2192,7 +2199,7 @@ _selectNPN_cb(SSL *s,
void *args) void *args)
{ {
PySSLContext *ctx = (PySSLContext *)args; PySSLContext *ctx = (PySSLContext *)args;
return do_protocol_selection(out, outlen, server, server_len, return do_protocol_selection(0, out, outlen, server, server_len,
ctx->npn_protocols, ctx->npn_protocols_len); ctx->npn_protocols, ctx->npn_protocols_len);
} }
#endif #endif
...@@ -2244,9 +2251,9 @@ _selectALPN_cb(SSL *s, ...@@ -2244,9 +2251,9 @@ _selectALPN_cb(SSL *s,
void *args) void *args)
{ {
PySSLContext *ctx = (PySSLContext *)args; PySSLContext *ctx = (PySSLContext *)args;
return do_protocol_selection((unsigned char **)out, outlen, return do_protocol_selection(1, (unsigned char **)out, outlen,
client_protocols, client_protocols_len, ctx->alpn_protocols, ctx->alpn_protocols_len,
ctx->alpn_protocols, ctx->alpn_protocols_len); client_protocols, client_protocols_len);
} }
#endif #endif
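Review bot: The new no-overlap branch in do_protocol_selection returns SSL_TLSEXT_ERR_NOACK, which lets the handshake complete with no ALPN protocol rather than sending the fatal no_application_protocol alert that RFC 7301 §3.2 specifies for a server that supports none of the client's protocols; the doc hunk makes "returns None" the contract, so the choice looks deliberate, but nothing at the branch records it or why SSL_TLSEXT_ERR_ALERT_FATAL was not used. The same function silently discards `ret` when `alpn` is 0, and a reader has to know that for NPN the client is permitted to pick a protocol the server did not advertise (SSL_select_next_proto points `out` at the first client entry on no overlap) to see that this is intended, not an unchecked return. I would put a short block comment above the `SSL_select_next_proto` call such as `/* First list is the preferring side's (server) list, second is the client's; for ALPN a missing overlap must not be ACKed, for NPN the client may still choose its own first protocol. */` and on the NOACK line `/* Handshake proceeds without ALPN; RFC 7301 would rather send a fatal no_application_protocol alert. */`. Minor style point: with the parameters now `const unsigned char *`, the two `(unsigned char *)""` casts can become `(const unsigned char *)""` so no const is dropped.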