On 14 Feb 2014, at 21:35, Lukas Tribus <[email protected]> wrote:

> From the openssl source file ssl/ssl_lib.c:
>> /* SSL_CTX_set_alpn_select_cb sets a callback function on |ctx| that is called
>>  * during ClientHello processing in order to select an ALPN protocol from the
>>  * client's list of offered protocols. */
>> void SSL_CTX_set_alpn_select_cb(SSL_CTX* ctx,
>
> SSL_CTX_set_alpn_select_cb() is supposed to select the most suitable single
> protocol from the client hello.
>
> Looks like we need some additional logic to implement this correctly.
>
> btw: is there any way to easily test this? I don't have a spdy backend
> and I didn't find anything relevant in chrome://net-internals/ for
> alpn-upgraded http/1.1 connections.
I’ve updated the patch which now does actual negotiation. The logic comes from the example OpenSSL server application that also was committed in the commit that adds ALPN support to OpenSSL:

http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=6f017a8f9db3a79f3a3406cf8d493ccd346db691

The way I have tested it is to run HAProxy with a sample configuration file and use openssl s_client to verify that the negotiation happens properly. If you use the openssl binary from the self-built newer version, s_client also supports ALPN and can be used to verify the behaviour.

I’ve confirmed that this will negotiate the highest preferred protocol specified on the server and if there is no compatible protocol, no ALPN protocol is negotiated.

— Dirkjan
0001-Use-ALPN-support-as-it-will-be-available-in-OpenSSL-.patch
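The selection rule described in the reply above (walk the server's preference list, take the first entry the client also offered, negotiate nothing if there is no overlap) as an added, stand-alone C example. This is not the HAProxy patch or OpenSSL's code: it works on the RFC 7301 wire format (each protocol name preceded by one length byte) without linking against OpenSSL, and the protocol lists `SERVER_PREFS`, `CLIENT_BOTH`, `CLIENT_OLD_SPDY`, `CLIENT_NONE` and `CLIENT_BAD` are constructed sample data. It also rejects a malformed client list (a length byte that overruns the buffer, or a zero-length name) instead of reading past the end, which is the check a callback handed attacker-controlled ClientHello bytes should make.

```c
#include <stdio.h>
#include <string.h>

/* Outcome codes. In a real SSL_CTX_set_alpn_select_cb() callback these map
 * to SSL_TLSEXT_ERR_OK (negotiated) and SSL_TLSEXT_ERR_NOACK (no overlap or
 * malformed list: no ALPN extension is sent back). */
#define ALPN_NEGOTIATED  1
#define ALPN_NO_OVERLAP  0
#define ALPN_MALFORMED  -1

/* Validate a wire-format ALPN list: a sequence of (len, bytes) entries where
 * len >= 1 and no entry runs past the end of the buffer (RFC 7301 s.3.1). */
static int alpn_list_valid(const unsigned char *list, unsigned int len)
{
    unsigned int i = 0;
    while (i < len) {
        unsigned int n = list[i];
        if (n == 0 || i + 1 + n > len)
            return 0;
        i += 1 + n;
    }
    return 1;
}

/* Server-preference selection: the first entry of the server list that also
 * appears in the client list wins. On success *out/*outlen point into the
 * server buffer, which is what the OpenSSL callback expects to return. */
int alpn_select(const unsigned char *server, unsigned int server_len,
                const unsigned char *client, unsigned int client_len,
                const unsigned char **out, unsigned char *outlen)
{
    *out = NULL;
    *outlen = 0;
    /* Validate both lists before indexing into either one. */
    if (!alpn_list_valid(server, server_len) || !alpn_list_valid(client, client_len))
        return ALPN_MALFORMED;

    for (unsigned int i = 0; i < server_len; i += 1 + server[i]) {
        unsigned int n = server[i];
        for (unsigned int j = 0; j < client_len; j += 1 + client[j]) {
            if (client[j] == n && memcmp(&server[i + 1], &client[j + 1], n) == 0) {
                *out = &server[i + 1];
                *outlen = (unsigned char)n;
                return ALPN_NEGOTIATED;
            }
        }
    }
    return ALPN_NO_OVERLAP;
}

/* Convenience wrapper: negotiate and copy the chosen name into buf as a
 * C string (empty string when nothing was negotiated). Returns the code. */
int alpn_negotiate_str(const unsigned char *server, unsigned int server_len,
                       const unsigned char *client, unsigned int client_len,
                       char *buf, size_t buflen)
{
    const unsigned char *out;
    unsigned char outlen;
    int rc = alpn_select(server, server_len, client, client_len, &out, &outlen);
    if (rc == ALPN_NEGOTIATED && outlen < buflen) {
        memcpy(buf, out, outlen);
        buf[outlen] = '\0';
    } else if (buflen > 0) {
        buf[0] = '\0';
    }
    return rc;
}

/* Constructed sample lists in wire format (length byte followed by the name).
 * The server prefers spdy/3.1 over http/1.1; the clients vary. */
static const unsigned char SERVER_PREFS[]    = "\x08spdy/3.1\x08http/1.1";
static const unsigned char CLIENT_BOTH[]     = "\x08http/1.1\x08spdy/3.1"; /* client prefers http/1.1 */
static const unsigned char CLIENT_OLD_SPDY[] = "\x08http/1.1\x06spdy/3";   /* only http/1.1 overlaps  */
static const unsigned char CLIENT_NONE[]     = "\x06spdy/2";               /* no overlap at all       */
static const unsigned char CLIENT_BAD[]      = "\x09http/1.1";             /* length byte overruns    */
#define SERVER_PREFS_LEN    (sizeof(SERVER_PREFS) - 1)
#define CLIENT_BOTH_LEN     (sizeof(CLIENT_BOTH) - 1)
#define CLIENT_OLD_SPDY_LEN (sizeof(CLIENT_OLD_SPDY) - 1)
#define CLIENT_NONE_LEN     (sizeof(CLIENT_NONE) - 1)
#define CLIENT_BAD_LEN      (sizeof(CLIENT_BAD) - 1)

int main(void)
{
    const unsigned char *clients[]  = { CLIENT_BOTH, CLIENT_OLD_SPDY, CLIENT_NONE, CLIENT_BAD };
    const unsigned int   lens[]     = { CLIENT_BOTH_LEN, CLIENT_OLD_SPDY_LEN, CLIENT_NONE_LEN, CLIENT_BAD_LEN };
    char chosen[64];

    for (int k = 0; k < 4; k++) {
        int rc = alpn_negotiate_str(SERVER_PREFS, SERVER_PREFS_LEN,
                                    clients[k], lens[k], chosen, sizeof chosen);
        printf("client %d: rc=%d chosen=\"%s\"\n", k, rc, chosen);
    }
    return 0;
}
```

Because the walk is over the server list, the client's own ordering does not matter: `CLIENT_BOTH` lists http/1.1 first and still gets spdy/3.1, which is the "highest preferred protocol specified on the server" behaviour the reply reports. The same result can be observed against a running server with `openssl s_client -connect host:port -alpn http/1.1,spdy/3.1` from an ALPN-capable OpenSSL build and reading the "ALPN protocol" line it prints.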