author | Glenn Strauss <gstrauss@gluelogic.com> | 2021-07-16 20:36:33 -0400 |
---|---|---|
committer | Glenn Strauss <gstrauss@gluelogic.com> | 2021-09-04 08:08:26 -0400 |
commit | 39d399112a62fc33d19f9545361ff490d41bd34c (patch) | |
tree | d0f428cc3008c98c8945eadd684513f7114be24a /src/mod_openssl.c | |
parent | 9a2404cec66dbd4b85b18e86bf1af32d812d89e6 (diff) | |
download | lighttpd-git-39d399112a62fc33d19f9545361ff490d41bd34c.tar.gz |

[mod_openssl] no ALPN fatal error w/ mod_sockproxy (fixes #3081)

If mod_sockproxy -- or other connection-level handler -- has been set
on the request prior to mod_openssl processing TLS Client Hello, then
failure to match ALPN protocol is no longer treated as a TLS connection
setup error.

x-ref:
"sockproxy: Do not validate ALPN protocols"
https://redmine.lighttpd.net/issues/3081

Diffstat (limited to 'src/mod_openssl.c')
-rw-r--r-- | src/mod_openssl.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/src/mod_openssl.c b/src/mod_openssl.c index a31b57f0..6e404e96 100644 --- a/src/mod_openssl.c +++ b/src/mod_openssl.c @@ -1886,7 +1886,9 @@ mod_openssl_alpn_select_cb (SSL *ssl, const unsigned char **out, unsigned char * #if OPENSSL_VERSION_NUMBER < 0x10100000L return SSL_TLSEXT_ERR_NOACK; #else - return SSL_TLSEXT_ERR_ALERT_FATAL; + return hctx->r->handler_module /*(e.g. mod_sockproxy)*/ + ? SSL_TLSEXT_ERR_NOACK + : SSL_TLSEXT_ERR_ALERT_FATAL; #endif } |
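
Review bot: The new condition in the `#else` branch of `mod_openssl_alpn_select_cb`, `hctx->r->handler_module`, is true for any handler module that is set on the request, while the commit message limits the exception to mod_sockproxy or another connection-level handler. If only connection-level handlers can be set before the TLS Client Hello is processed, state that assumption in the comment next to the check instead of only `/*(e.g. mod_sockproxy)*/`; otherwise test for the narrower case explicitly. A one-line comment that `SSL_TLSEXT_ERR_NOACK` lets the handshake continue with no ALPN protocol selected would also help, since the fatal alert on an ALPN mismatch is now skipped for these connections by design and a later reader may take it for an oversight.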