From 5d890a00af541abe379c2eea76ab668080eabff6 Mon Sep 17 00:00:00 2001 From: Mark Williams Date: Sun, 17 Nov 2019 19:56:26 -0800 Subject: ALPN: complete handshake without accepting a client's protocols. (#876) * ALPN: complete handshake without accepting a client's protocols. The callback passed to `SSL_CTX_set_alpn_select_cb` can return `SSL_TLSEXT_ERR_NOACK` to allow the handshake to continue without accepting any of the client's offered protocols. This commit introduces `NO_OVERLAPPING_PROTOCOLS`, which the Python callback passed to `Context.set_alpn_select_callback` can return to achieve the same thing. It does not change the previous meaning of an empty string, which still terminates the handshake. * Update src/OpenSSL/SSL.py Co-Authored-By: Alex Gaynor * Address @alex's review. * Use recorded value in test, fix lint error. * Cover TypeError branch in _ALPNHelper.callback --- CHANGELOG.rst | 2 ++ 1 file changed, 2 insertions(+) (limited to 'CHANGELOG.rst') diff --git a/CHANGELOG.rst b/CHANGELOG.rst index e0c034d..3b39465 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -30,6 +30,8 @@ Changes: - Support ``bytearray`` in ``SSL.Connection.send()`` by using cffi's from_buffer. `#852 `_ +- The ``OpenSSL.SSL.Context.set_alpn_select_callback`` can return a new ``NO_OVERLAPPING_PROTOCOLS`` sentinel value + to allow a TLS handshake to complete without an application protocol. ---- -- cgit v1.2.1
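Review bot: The added CHANGELOG entry says ``OpenSSL.SSL.Context.set_alpn_select_callback`` itself "can return" the sentinel, but per the commit message it is the Python callback passed to that method that returns ``NO_OVERLAPPING_PROTOCOLS``; suggest rewording to "The callback passed to ``OpenSSL.SSL.Context.set_alpn_select_callback`` can return a new ``NO_OVERLAPPING_PROTOCOLS`` sentinel value". The entry also lacks the pull request reference that the preceding ``bytearray`` entry carries (``#852``); add the ``#876`` reference in the same form. The commit message states that an empty string keeps its previous meaning and still terminates the handshake; saying so in this entry would tell operators whose callbacks rely on that to reject clients with no common protocol that the behaviour is unchanged.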