*NOT A SECURITY ISSUE*

That out of the way: while debugging my HTTP/2 module for Apache httpd, I see 
that the callback for SNI seems to be invoked *after* the callback for ALPN had 
been called (OpenSSL 1.0.2c). Can this be correct? Is there anything to 
influence this ordering?

My issue is that the proposed ALPN protocols depend on the virtual host the 
client wants to talk to. So, the observed order poses a bit of a problem. The 
code *can* check the server name via SSL_get_servername() and the correct name 
is reported. However, this is not how it is supposed to work, right?

Again, if there is anything influencing the order of the callback invocation, 
I'd be willing to adapt. Otherwise, I think, the order needs to be defined in 
the OpenSSL API and it should be SNI before ALPN. 

Cheers,

  Stefan


<green/>bytes GmbH
Hafenweg 16, 48155 Münster, Germany
Phone: +49 251 2807760. Amtsgericht Münster: HRB5782



_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
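
The per-virtual-host ALPN choice described in the message above, as an added example that is not part of the original post or of the httpd/OpenSSL code. The function `select_alpn_for_vhost`, the `VHOSTS` table and the host names are hypothetical; `servername` stands in for the value `SSL_get_servername()` reports inside the ALPN callback, and the logic is written without OpenSSL headers so it builds on its own.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical per-vhost policy: protocols each virtual host offers, in server
 * preference order. Host names and lists are constructed samples. */
struct vhost_alpn { const char *host; const char *protos[3]; };
static const struct vhost_alpn VHOSTS[] = {
    { "h2.example.test",     { "h2", "http/1.1", NULL } },
    { "legacy.example.test", { "http/1.1", NULL, NULL } },
};

/* Host names compare case-insensitively. */
static int host_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* servername stands in for the SSL_get_servername() result; in/inlen is the
 * client's ALPN list in wire format (1 length byte, then the name, repeated).
 * Returns 0 and sets out and outlen on a match, -1 otherwise. */
int select_alpn_for_vhost(const char *servername,
                          const unsigned char *in, size_t inlen,
                          const unsigned char **out, unsigned char *outlen)
{
    const struct vhost_alpn *vh = NULL;
    size_t i, p, off;

    if (servername == NULL) return -1;          /* client sent no SNI */
    for (i = 0; i < sizeof VHOSTS / sizeof VHOSTS[0]; i++)
        if (host_eq(servername, VHOSTS[i].host)) vh = &VHOSTS[i];
    if (vh == NULL) return -1;                  /* unknown virtual host */

    /* Reject malformed lists: empty entry, or entry running past the end. */
    for (off = 0; off < inlen; off += 1 + (size_t)in[off])
        if (in[off] == 0 || in[off] > inlen - off - 1) return -1;

    for (p = 0; p < 3 && vh->protos[p] != NULL; p++) {   /* server preference */
        size_t want = strlen(vh->protos[p]);
        for (off = 0; off < inlen; off += 1 + (size_t)in[off])
            if (in[off] == want && memcmp(in + off + 1, vh->protos[p], want) == 0) {
                *out = in + off + 1;
                *outlen = in[off];
                return 0;
            }
    }
    return -1;
}
```

In a server this would be called from the function registered with `SSL_CTX_set_alpn_select_cb()`, mapping 0 to `SSL_TLSEXT_ERR_OK` and -1 to `SSL_TLSEXT_ERR_NOACK`.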
