On Wed, Jun 3, 2015 at 4:45 PM, Yann Ylavic <[email protected]> wrote:
>
> This means enabling ALPN only if SSLALPNPreference is used.
Something like the patch below:
Index: modules/ssl/mod_ssl.c
===================================================================
--- modules/ssl/mod_ssl.c (revision 1683271)
+++ modules/ssl/mod_ssl.c (working copy)
@@ -456,6 +456,8 @@ static int modssl_register_alpn(conn_rec *c,
ssl_alpn_proto_negotiated negotiatedfn)
{
#ifdef HAVE_TLS_ALPN
+ SSLSrvConfigRec *sc;
+
SSLConnRec *sslconn = myConnConfig(c);
if (!sslconn) {
@@ -462,6 +464,11 @@ static int modssl_register_alpn(conn_rec *c,
return DECLINED;
}
+ sc = mySrvConfig(sslconn->server);
+ if (sc->server->ssl_alpn_pref->nelts <= 0) {
+ return DECLINED;
+ }
+
if (!sslconn->alpn_proposefns) {
sslconn->alpn_proposefns =
apr_array_make(c->pool, 5, sizeof(ssl_alpn_propose_protos));
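Review bot: The new guard dereferences `sc`, `sc->server` and `ssl_alpn_pref` in one chain with no NULL check. If the preference array is only allocated when SSLALPNPreference is configured (not visible in this hunk), a connection to a server without the directive would crash instead of declining; `if (!sc || !sc->server->ssl_alpn_pref || sc->server->ssl_alpn_pref->nelts <= 0) {` would be safer. The check also goes through `sslconn->server`, which at registration time is presumably the connection's base server rather than the virtual host later selected by SNI. A name-based vhost with its own SSLALPNPreference could then be refused registration, so this is worth confirming and recording in a comment such as `/* ALPN is opt-in: decline unless SSLALPNPreference is set for this server */`. The body of modssl_register_alpn continues outside the hunk.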
Index: modules/ssl/ssl_engine_init.c
===================================================================
--- modules/ssl/ssl_engine_init.c (revision 1683271)
+++ modules/ssl/ssl_engine_init.c (working copy)
@@ -648,7 +648,9 @@ static void ssl_init_ctx_callbacks(server_rec *s,
SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
#ifdef HAVE_TLS_ALPN
- SSL_CTX_set_alpn_select_cb(ctx, ssl_callback_alpn_select, NULL);
+ if (s->ssl_alpn_pref->nelts > 0) {
+ SSL_CTX_set_alpn_select_cb(ctx, ssl_callback_alpn_select, NULL);
+ }
#endif
}
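Review bot: The new condition reads `s->ssl_alpn_pref`, but the hunk header declares `s` as `server_rec *`, while the mod_ssl.c hunk reaches the same array through `sc->server->ssl_alpn_pref`. Unless server_rec really has that member, this will either not compile or test the wrong object. The test should probably go through the SSL configuration of the context being initialised, e.g. `if (mySrvConfig(s)->server->ssl_alpn_pref->nelts > 0) {`, or through the context argument if the function receives one, with a NULL check on the array if it can be unallocated. A one-line comment such as `/* no select callback: client ALPN offers are ignored on this context */` would make the opt-in behaviour explicit to whoever audits the TLS setup later. ssl_init_ctx_callbacks starts outside the hunk, so its full parameter list is not visible here.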
--