Martin Thomson wrote:
Yeah, NSS supports ALPN server side.

Just getting back to this. I don't see how this can work.

AFAICT it calls the callback function to select the protocol. The callback returns a string representing that protocol. But it has no way of setting the state of the negotiation and NSS doesn't set this either. See

ssl3ext.c::ssl3_SelectAppProtocol()
    ...

    do_callback(...)

    if (ex_type == ssl_app_layer_protocol_xtn &&
        ss->ssl3.nextProtoState != SSL_NEXT_PROTO_NEGOTIATED) {
        /* The callback might say OK, but then it picks a default value - one
         * that was not listed.  That's OK for NPN, but not ALPN. */
        (void)SSL3_SendAlert(ss, alert_fatal, no_application_protocol);
        PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_NO_PROTOCOL);
        return SECFailure;
    }

The callback has no way to set ss->ssl3.nextProtoState so it remains SSL_NEXT_PROTO_NO_SUPPORT and ALPN negotiation fails.

curl sees the failure as:

* NSS error -12231 (SSL_ERROR_RX_UNKNOWN_ALERT)
* SSL received an alert record with an unknown alert description.

Is something else supposed to be setting this state?

rob


On Tue, Dec 1, 2015 at 6:53 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
Is ALPN supported on the server side? I can't tell from
the API and Julien asked in
https://bugzilla.mozilla.org/show_bug.cgi?id=959664 but never got an answer.

I'm looking to add HTTP/2.0 support to mod_nss and I need ALPN to do that.

thanks

rob
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
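The rule that the quoted ssl3_SelectAppProtocol() check enforces is that a server-side ALPN choice only counts as negotiated if it is one of the protocols the client actually listed; anything else must end in a no_application_protocol alert. The following is an added, self-contained C example illustrating that rule (it is not NSS code and not from this thread; the alpn_* names, the alpn_state_t enum standing in for nextProtoState, and the constructed client extension bytes are all this example's own). It parses the RFC 7301 ProtocolNameList wire format, picks the first server-preferred protocol the client offered, and separately validates a callback's choice the way the quoted fragment does.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of ALPN selection. Stands in for the nextProtoState discussed in
 * the thread; these names are hypothetical, not NSS identifiers. */
typedef enum {
    ALPN_NO_SUPPORT = 0,   /* no selection was made or input was malformed */
    ALPN_NEGOTIATED = 1,   /* a client-listed protocol was chosen */
    ALPN_NO_OVERLAP = 2    /* nothing matched: send no_application_protocol */
} alpn_state_t;

/* Constructed sample: a client ProtocolNameList offering "h2" and "http/1.1"
 * (u16 total length, then u8-length-prefixed names, per RFC 7301). */
static const uint8_t kClientAlpn[] = {
    0x00, 0x0c,
    0x02, 'h', '2',
    0x08, 'h', 't', 't', 'p', '/', '1', '.', '1'
};

/* Returns 1 if `name` (name_len bytes) appears in the client's list,
 * 0 if it is absent, and -1 if the list is malformed. */
int alpn_client_offers(const uint8_t *list, size_t list_len,
                       const char *name, size_t name_len)
{
    if (list_len < 2) return -1;
    size_t total = ((size_t)list[0] << 8) | list[1];
    if (total == 0 || total + 2 != list_len) return -1;
    size_t pos = 2;
    while (pos < list_len) {
        size_t n = list[pos++];
        if (n == 0 || pos + n > list_len) return -1;   /* empty or overrunning name */
        if (n == name_len && memcmp(list + pos, name, n) == 0) return 1;
        pos += n;
    }
    return 0;
}

/* Server-side selection: walk the server's preference list in order and take
 * the first protocol the client offered. Copies the choice into `out` and
 * returns the resulting state. A server default that the client did not
 * list is never selected. */
alpn_state_t alpn_select(const uint8_t *client_list, size_t client_len,
                         const char *const *server_prefs, size_t n_prefs,
                         char *out, size_t out_size)
{
    for (size_t i = 0; i < n_prefs; i++) {
        size_t len = strlen(server_prefs[i]);
        int r = alpn_client_offers(client_list, client_len, server_prefs[i], len);
        if (r < 0) return ALPN_NO_SUPPORT;               /* malformed extension */
        if (r == 1) {
            if (len + 1 > out_size) return ALPN_NO_SUPPORT;
            memcpy(out, server_prefs[i], len + 1);
            return ALPN_NEGOTIATED;
        }
    }
    if (out_size) out[0] = '\0';
    return ALPN_NO_OVERLAP;
}

/* The check the quoted fragment performs, on this example's types: a callback
 * result that is not one of the client's listed protocols is not negotiated
 * and must lead to a no_application_protocol alert. */
alpn_state_t alpn_validate_choice(const uint8_t *client_list, size_t client_len,
                                  const char *chosen)
{
    if (chosen == NULL || chosen[0] == '\0') return ALPN_NO_OVERLAP;
    int r = alpn_client_offers(client_list, client_len, chosen, strlen(chosen));
    return r == 1 ? ALPN_NEGOTIATED : ALPN_NO_OVERLAP;
}

int main(void)
{
    const char *const prefs[] = { "h2", "http/1.1" };
    char chosen[32];
    alpn_state_t st = alpn_select(kClientAlpn, sizeof(kClientAlpn), prefs, 2,
                                  chosen, sizeof(chosen));
    printf("select: state=%d chosen=%s\n", (int)st, chosen);
    printf("validate http/1.0: state=%d\n",
           (int)alpn_validate_choice(kClientAlpn, sizeof(kClientAlpn), "http/1.0"));
    return 0;
}
```

With the sample list, a server preferring "h2" negotiates "h2"; a server whose only preference is "spdy/3" gets ALPN_NO_OVERLAP and should send the alert; and a callback that returns a default such as "http/1.0", which the client never listed, fails validation exactly as the comment in the quoted fragment describes.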
