dnsdist: Add an option to disable NPN support

It has been deprecated in favor of ALPN for quite a while now.

diff --git a/pdns/libssl.cc b/pdns/libssl.cc
index fe6d226b51f20c6219eff9bba04886e49a6cfa75..b8ae19423367e1155d896389024df64dd6b43597 100644 (file)
--- a/pdns/libssl.cc
+++ b/pdns/libssl.cc
@@ -913,12 +913,14 @@ std::unique_ptr<FILE, int(*)(FILE*)> libssl_set_key_log_file(std::unique_ptr<SSL
 }
 
 /* called in a client context, if the client advertised more than one ALPN values and the server returned more than one as well, to select the one to use. */
+#ifndef DISABLE_NPN
 void libssl_set_npn_select_callback(SSL_CTX* ctx, int (*cb)(SSL* s, unsigned char** out, unsigned char* outlen, const unsigned char* in, unsigned int inlen, void* arg), void* arg)
 {
 #ifdef HAVE_SSL_CTX_SET_NEXT_PROTO_SELECT_CB
   SSL_CTX_set_next_proto_select_cb(ctx, cb, arg);
 #endif
 }
+#endif /* DISABLE_NPN */
 
 void libssl_set_alpn_select_callback(SSL_CTX* ctx, int (*cb)(SSL* s, const unsigned char** out, unsigned char* outlen, const unsigned char* in, unsigned int inlen, void* arg), void* arg)
 {

diff --git a/pdns/libssl.hh b/pdns/libssl.hh
index 99cc5c8b380af53743e42230b5f9daf894790005..72aa1ce2f9ebfe67f0bbb5af3f3fd841dc3249e2 100644 (file)
--- a/pdns/libssl.hh
+++ b/pdns/libssl.hh
@@ -142,7 +142,10 @@ std::unique_ptr<SSL_CTX, void(*)(SSL_CTX*)> libssl_init_server_context(const TLS
 std::unique_ptr<FILE, int(*)(FILE*)> libssl_set_key_log_file(std::unique_ptr<SSL_CTX, void(*)(SSL_CTX*)>& ctx, const std::string& logFile);
 
 /* called in a client context, if the client advertised more than one ALPN values and the server returned more than one as well, to select the one to use. */
+#ifndef DISABLE_NPN
 void libssl_set_npn_select_callback(SSL_CTX* ctx, int (*cb)(SSL* s, unsigned char** out, unsigned char* outlen, const unsigned char* in, unsigned int inlen, void* arg), void* arg);
+#endif /* DISABLE_NPN */
+
 /* called in a server context, to select an ALPN value advertised by the client if any */
 void libssl_set_alpn_select_callback(SSL_CTX* ctx, int (*cb)(SSL* s, const unsigned char** out, unsigned char* outlen, const unsigned char* in, unsigned int inlen, void* arg), void* arg);
 /* set the supported ALPN protos in client context */

diff --git a/pdns/tcpiohandler.cc b/pdns/tcpiohandler.cc
index 7e8f6142a9623adb37baf32fc9b0deb1691214a6..79236eaeba579d72847d75728c8adfc87fcb72be 100644 (file)
--- a/pdns/tcpiohandler.cc
+++ b/pdns/tcpiohandler.cc
@@ -489,14 +489,16 @@ public:
 
     const unsigned char* alpn = nullptr;
     unsigned int alpnLen  = 0;
+#ifndef DISABLE_NPN
 #ifdef HAVE_SSL_GET0_NEXT_PROTO_NEGOTIATED
     SSL_get0_next_proto_negotiated(d_conn.get(), &alpn, &alpnLen);
-#endif
+#endif /* HAVE_SSL_GET0_NEXT_PROTO_NEGOTIATED */
+#endif /* DISABLE_NPN */
 #ifdef HAVE_SSL_GET0_ALPN_SELECTED
     if (alpn == nullptr) {
       SSL_get0_alpn_selected(d_conn.get(), &alpn, &alpnLen);
     }
-#endif
+#endif /* HAVE_SSL_GET0_ALPN_SELECTED */
     if (alpn != nullptr && alpnLen > 0) {
       result.insert(result.end(), alpn, alpn + alpnLen);
     }
@@ -799,15 +801,18 @@ public:
     return false;
   }
 
+#ifndef DISABLE_NPN
   bool setNextProtocolSelectCallback(bool(*cb)(unsigned char** out, unsigned char* outlen, const unsigned char* in, unsigned int inlen)) override
   {
     d_nextProtocolSelectCallback = cb;
     libssl_set_npn_select_callback(d_tlsCtx.get(), npnSelectCallback, this);
     return true;
   }
+#endif /* DISABLE_NPN */
 
 private:
   /* called in a client context, if the client advertised more than one ALPN values and the server returned more than one as well, to select the one to use. */
+#ifndef DISABLE_NPN
   static int npnSelectCallback(SSL* s, unsigned char** out, unsigned char* outlen, const unsigned char* in, unsigned int inlen, void* arg)
   {
     if (!arg) {
@@ -820,6 +825,7 @@ private:
 
     return SSL_TLSEXT_ERR_OK;
   }
+#endif /* NPN */
 
   static int alpnServerSelectCallback(SSL*, const unsigned char** out, unsigned char* outlen, const unsigned char* in, unsigned int inlen, void* arg)
   {