This is only needed to fail early during the handshake, if protocol
negotiation doesn't succeed. With older GnuTLS, if there's a protocol
mismatch, the data won't be understood and the connection will close
later on.
Mandatory ALPN doesn't affect clients that don't use the ALPN extension.
proto.data = (unsigned char *)"h2";
proto.size = 2;
}
- ret = gnutls_alpn_set_protocols(ctx->c.tls_session, &proto, 1, GNUTLS_ALPN_MANDATORY);
+ unsigned int flags = 0;
+#if GNUTLS_VERSION_NUMBER >= 0x030500
+ /* Mandatory ALPN means the protocol must match if and
+ * only if ALPN extension is used by the client. */
+ flags |= GNUTLS_ALPN_MANDATORY;
+#endif
+ ret = gnutls_alpn_set_protocols(ctx->c.tls_session, &proto, 1, flags);
if (ret != GNUTLS_E_SUCCESS) {
session_close(s);
return;
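Review bot: On GnuTLS older than 3.5.0 the `#if` leaves `flags` at 0, so an ALPN mismatch is accepted at the handshake, and only the commit message says so. I would add an `#else` branch holding `/* GnuTLS < 3.5.0: ALPN is advisory; a mismatched protocol is not rejected during the handshake. */` so the weaker behaviour is visible to whoever reads the build-time switch. The code that runs after the handshake is outside this hunk, so I cannot tell whether the negotiated protocol is checked there. If it is not, comparing the result of `gnutls_alpn_get_selected_protocol()` with `proto` on that path would give the same early rejection on every GnuTLS version, rather than relying on the peer's data failing to parse later. The enclosing function starts and ends outside the hunk.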