httpd-dev mailing list archives

From Yann Ylavic <ylavic....@gmail.com>
Subject Re: ALPN patch comments
Date Wed, 03 Jun 2015 15:39:41 GMT
With the current (master) code of mod_h2, you'd probably need
something like the attached patch to handle a possible failure in
modssl_register_alpn(), because SSLALPNPreference was not configured
(as per my proposed mod_ssl patch).

On Wed, Jun 3, 2015 at 5:16 PM, Stefan Eissing
<stefan.eissing@greenbytes.de> wrote:
> Hmm, I cannot test this today since I am travelling.
>
> If Jim wants to tag 2.5.13 this week, then either the current v4 patch makes it in, or we need to postpone this. A changed patch on which my module (and possibly others) chokes will not serve anyone, I assume.
>
> As with the "don't send NPN unnecessary" bug report: ALPN is working slightly differently. Not sure if the server cb is triggered at all, if the client sends no ALPN.
>
> //stefan
>
>
>
>> On 03.06.2015 at 17:04, Yann Ylavic <ylavic.dev@gmail.com> wrote:
>>
>>> On Wed, Jun 3, 2015 at 4:45 PM, Yann Ylavic <ylavic.dev@gmail.com> wrote:
>>>
>>> This means enabling ALPN only if SSLALPNPreference is used.
>>
>> Something like below:
>>
>> Index: modules/ssl/mod_ssl.c
>> ===================================================================
>> --- modules/ssl/mod_ssl.c    (revision 1683271)
>> +++ modules/ssl/mod_ssl.c    (working copy)
>> @@ -456,6 +456,8 @@ static int modssl_register_alpn(conn_rec *c,
>>                                ssl_alpn_proto_negotiated negotiatedfn)
>> {
>> #ifdef HAVE_TLS_ALPN
>> +    SSLSrvConfigRec *sc;
>> +
>>     SSLConnRec *sslconn = myConnConfig(c);
>>
>>     if (!sslconn) {
>> @@ -462,6 +464,11 @@ static int modssl_register_alpn(conn_rec *c,
>>         return DECLINED;
>>     }
>>
>> +    sc = mySrvConfig(sslconn->server);
>> +    if (sc->server->ssl_alpn_pref->nelts <= 0) {
>> +        return DECLINED;
>> +    }
>> +
>>     if (!sslconn->alpn_proposefns) {
>>         sslconn->alpn_proposefns =
>>             apr_array_make(c->pool, 5, sizeof(ssl_alpn_propose_protos));
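
Review bot: the new check in modssl_register_alpn() dereferences `sc->server->ssl_alpn_pref->nelts` with no NULL guard on `sc` or on `ssl_alpn_pref`, unlike the `if (!sslconn)` test just above it. If the preference array can be unallocated when SSLALPNPreference is not configured, this path crashes instead of declining; testing the pointer before `nelts` would make the early return safe either way. DECLINED is also now returned both when there is no SSLConnRec and when ALPN is not configured, so a caller cannot tell the two cases apart; a comment on the function stating that would help module authors who have to handle the failure.
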
>> Index: modules/ssl/ssl_engine_init.c
>> ===================================================================
>> --- modules/ssl/ssl_engine_init.c    (revision 1683271)
>> +++ modules/ssl/ssl_engine_init.c    (working copy)
>> @@ -648,7 +648,9 @@ static void ssl_init_ctx_callbacks(server_rec *s,
>>     SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
>>
>> #ifdef HAVE_TLS_ALPN
>> -    SSL_CTX_set_alpn_select_cb(ctx, ssl_callback_alpn_select, NULL);
>> +    if (s->ssl_alpn_pref->nelts > 0) {
>> +        SSL_CTX_set_alpn_select_cb(ctx, ssl_callback_alpn_select, NULL);
>> +    }
>> #endif
>> }
>>
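
Review bot: the guard added around SSL_CTX_set_alpn_select_cb() reads `s->ssl_alpn_pref->nelts`, where `s` is the `server_rec *` parameter of ssl_init_ctx_callbacks(), while the mod_ssl.c hunk reaches the same array as `sc->server->ssl_alpn_pref` through the SSLSrvConfigRec. The two access paths cannot both be right; use the same one in both places so that the registration check and the callback installation agree on which configuration they consult. As in the other hunk, `ssl_alpn_pref` is dereferenced without a NULL test.
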
>> --
