Hello Alex,

On Sat, Dec 29, 2018 at 10:22:05PM -0500, Alex Zorin wrote:
> From 59c8e558d1e46dc20bfffc683f8c89e06b0dbaef Mon Sep 17 00:00:00 2001
> From: Alex Zorin <a...@zorin.id.au>
> Date: Sun, 30 Dec 2018 13:56:28 +1100
> Subject: [PATCH] MINOR: acl: add support for TLS ALPN matching
> 
> Application-Layer Protocol Negotiation (ALPN, RFC7301) is a TLS
> extension which allows a client to present the name of the protocol
> it is connecting to, when a single port supports multiple application
> protocols.
> It allows a transparent proxy to take a decision based on the beginning
> of an SSL/TLS stream without deciphering it.
> 
> The new ACL "req.ssl_alpn" matches the protocol name extracted from the
> TLS ClientHello request.

I'm seeing that you extract only the first protocol name, and since
with ALPN it is possible to advertise a series of names, I think it
would make sense to be able to return each of them iteratively. We
already support doing this for headers or cookies for example. It
requires setting the SMP_F_NOT_LAST flag when returning, and checking
a context in smp->ctx (e.g. the position of the next name to return in
smp->ctx->i).

This way you'll be able to steer incoming connections to a given
destination even if the advertised protocol is not the first one,
provided it's present in the list. Please have a look at
smp_fetch_cookie() for example to see how to proceed.

Thanks!
Willy

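An added example of the iterative sample-fetch pattern described above, written for this page and not taken from the thread or from HAProxy's source. The `struct sample`, the `SMP_F_NOT_LAST` value and the field names are simplified stand-ins that mimic HAProxy's `smp->flags` and `smp->ctx.i` conventions; the ALPN extension bytes are a constructed ClientHello payload in the RFC 7301 wire format (2-byte list length, then 1-byte length-prefixed protocol names). Each call returns the next advertised name and sets the NOT_LAST flag while more remain, so a match on "http/1.1" succeeds even though "h2" is listed first; a truncated or malformed list yields nothing rather than reading past the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Stand-in for HAProxy's flag: the fetch may produce further values. */
#define SMP_F_NOT_LAST 0x01

/* Simplified stand-in for HAProxy's sample struct (assumption, not the
 * real definition): a returned string plus iteration state in ctx.i. */
struct sample {
    unsigned int flags;
    struct { const char *str; size_t len; } data;
    struct { int i; } ctx;   /* index of the next name to return */
};

/* Constructed ALPN extension payload: list length 12, names "h2" and
 * "http/1.1". */
static const uint8_t alpn_ext[] = {
    0x00, 0x0c,
    0x02, 'h', '2',
    0x08, 'h', 't', 't', 'p', '/', '1', '.', '1',
};

/* Constructed malformed payload: declared list length (32) exceeds the
 * bytes actually present. */
static const uint8_t alpn_ext_bad[] = { 0x00, 0x20, 0x02, 'h', '2' };

/* Return the ctx.i-th protocol name in smp->data, advance ctx.i, and set
 * SMP_F_NOT_LAST when another name follows. Returns 0 when the list is
 * exhausted or malformed. */
int fetch_alpn(const uint8_t *ext, size_t ext_len, struct sample *smp)
{
    if (ext_len < 2)
        return 0;
    size_t list_len = ((size_t)ext[0] << 8) | ext[1];
    if (list_len + 2 > ext_len)
        return 0;                         /* truncated list */
    size_t pos = 2, end = 2 + list_len;
    int idx = 0;
    while (pos < end) {
        size_t name_len = ext[pos];
        if (name_len == 0 || pos + 1 + name_len > end)
            return 0;                     /* malformed entry */
        if (idx == smp->ctx.i) {
            smp->data.str = (const char *)ext + pos + 1;
            smp->data.len = name_len;
            smp->ctx.i = idx + 1;         /* resume after this name */
            if (pos + 1 + name_len < end)
                smp->flags |= SMP_F_NOT_LAST;
            else
                smp->flags &= ~SMP_F_NOT_LAST;
            return 1;
        }
        pos += 1 + name_len;
        idx++;
    }
    return 0;
}

/* Emulates an ACL such as "req.ssl_alpn http/1.1": try every value the
 * fetch yields, stopping once NOT_LAST is clear. */
int alpn_matches(const uint8_t *ext, size_t ext_len, const char *want)
{
    struct sample smp = { 0 };
    size_t wl = strlen(want);
    while (fetch_alpn(ext, ext_len, &smp)) {
        if (smp.data.len == wl && memcmp(smp.data.str, want, wl) == 0)
            return 1;
        if (!(smp.flags & SMP_F_NOT_LAST))
            break;
    }
    return 0;
}

/* Number of names the iterative fetch produces for a payload. */
int count_alpn(const uint8_t *ext, size_t ext_len)
{
    struct sample smp = { 0 };
    int n = 0;
    while (fetch_alpn(ext, ext_len, &smp))
        n++;
    return n;
}

int main(void)
{
    printf("http/1.1 advertised: %d\n",
           alpn_matches(alpn_ext, sizeof alpn_ext, "http/1.1"));
    printf("spdy/3 advertised: %d\n",
           alpn_matches(alpn_ext, sizeof alpn_ext, "spdy/3"));
    printf("names in malformed list: %d\n",
           count_alpn(alpn_ext_bad, sizeof alpn_ext_bad));
    return 0;
}
```

The point of carrying the index in the sample context rather than in a static is that HAProxy evaluates one ACL over many connections concurrently; per-sample state is the only place the position can safely live between successive calls.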