authorGlenn Strauss <gstrauss@gluelogic.com>2021-07-16 20:36:33 -0400
committerGlenn Strauss <gstrauss@gluelogic.com>2021-09-04 08:08:26 -0400
commit39d399112a62fc33d19f9545361ff490d41bd34c (patch)
treed0f428cc3008c98c8945eadd684513f7114be24a /src/mod_openssl.c
parent9a2404cec66dbd4b85b18e86bf1af32d812d89e6 (diff)
[mod_openssl] no ALPN fatal error w/ mod_sockproxy (fixes #3081)
If mod_sockproxy -- or other connection-level handler -- has been set on the request prior to mod_openssl processing TLS Client Hello, then failure to match ALPN protocol is no longer treated as a TLS connection setup error. x-ref: "sockproxy: Do not validate ALPN protocols" https://redmine.lighttpd.net/issues/3081
Diffstat (limited to 'src/mod_openssl.c')
-rw-r--r--src/mod_openssl.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/src/mod_openssl.c b/src/mod_openssl.c
index a31b57f0..6e404e96 100644
--- a/src/mod_openssl.c
+++ b/src/mod_openssl.c
@@ -1886,7 +1886,9 @@ mod_openssl_alpn_select_cb (SSL *ssl, const unsigned char **out, unsigned char *
#if OPENSSL_VERSION_NUMBER < 0x10100000L
return SSL_TLSEXT_ERR_NOACK;
#else
- return SSL_TLSEXT_ERR_ALERT_FATAL;
+ return hctx->r->handler_module /*(e.g. mod_sockproxy)*/
+ ? SSL_TLSEXT_ERR_NOACK
+ : SSL_TLSEXT_ERR_ALERT_FATAL;
#endif
}
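Review bot: The new ternary in the `#else` branch skips the fatal alert for any non-NULL `hctx->r->handler_module`, not only mod_sockproxy, and the inline comment `/*(e.g. mod_sockproxy)*/` does not say why that is safe. Returning `SSL_TLSEXT_ERR_NOACK` lets the handshake complete with no protocol selected, so for these connections lighttpd no longer enforces the ALPN mismatch rejection that limits cross-protocol confusion, and the check falls to whatever consumes the stream. I would expand the comment to record that, e.g. `/* connection-level handler (e.g. mod_sockproxy) already owns the stream; ALPN mismatch is not fatal here, so the backend must validate the protocol */`. The function body starts outside the hunk, so whether `hctx->r` can be NULL at this point cannot be confirmed from here.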