Martin Thomson wrote:
Yeah, NSS supports ALPN server side.

Just getting back to this. I don't see how this can work.

AFAICT it calls the callback function to select the protocol. The callback returns a string representing that protocol. But it has no way of setting the state of the negotiation and NSS doesn't set this either. See



    if (ex_type == ssl_app_layer_protocol_xtn &&
        ss->ssl3.nextProtoState != SSL_NEXT_PROTO_NEGOTIATED) {
        /* The callback might say OK, but then it picks a default value - one
         * that was not listed.  That's OK for NPN, but not ALPN. */
        (void)SSL3_SendAlert(ss, alert_fatal, no_application_protocol);
        return SECFailure;

The callback has no way to set ss->ssl3.nextProtoState so it remains SSL_NEXT_PROTO_NO_SUPPORT and ALPN negotiation fails.

curl sees the failure as:

* SSL received an alert record with an unknown alert description.

Is something else supposed to be setting this state?


On Tue, Dec 1, 2015 at 6:53 AM, Rob Crittenden wrote:
Is ALPN supported on the server side? I can't tell from
the API and Julien asked in but never got an answer.

I'm looking to add HTTP/2.0 support to mod_nss and I need ALPN to do that.


dev-tech-crypto mailing list
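
The NSS comment quoted in the message above says that a default value which was not listed is acceptable for NPN but not for ALPN. As an added example (not code from this thread or from NSS; all names such as alpn_select and enum alpn_result are hypothetical), this is a stand-alone server-side selection over the length-prefixed protocol list that only ever returns a protocol the client actually offered:

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical result states for this example; not NSS's SSLNextProtoState. */
enum alpn_result { ALPN_MALFORMED = -1, ALPN_NO_OVERLAP = 0, ALPN_NEGOTIATED = 1 };

/* Scan the client's wire-format list (each entry: 1-byte length, then that
 * many bytes). Returns 1 if `name` is present, 0 if absent, and -1 if the
 * list is malformed (zero-length entry or entry running past the end). */
static int alpn_offered(const unsigned char *list, size_t list_len,
                        const char *name)
{
    size_t name_len = strlen(name), i = 0;
    int found = 0;

    while (i < list_len) {
        size_t n = list[i++];
        if (n == 0 || n > list_len - i)
            return -1;
        if (n == name_len && memcmp(list + i, name, n) == 0)
            found = 1;
        i += n;
    }
    return found;
}

/* Walk the server's preference order and take the first protocol the client
 * offered. There is no fallback to an unlisted default: on ALPN_NO_OVERLAP
 * the caller is expected to send the fatal no_application_protocol alert. */
enum alpn_result alpn_select(const unsigned char *list, size_t list_len,
                             const char *const *prefs, size_t nprefs,
                             const char **chosen)
{
    *chosen = NULL;
    /* Validate the whole list once; "" never matches a (non-empty) entry. */
    if (list_len == 0 || alpn_offered(list, list_len, "") < 0)
        return ALPN_MALFORMED;
    for (size_t p = 0; p < nprefs; p++) {
        if (alpn_offered(list, list_len, prefs[p]) == 1) {
            *chosen = prefs[p];
            return ALPN_NEGOTIATED;
        }
    }
    return ALPN_NO_OVERLAP;
}
```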