From: Tomas Krizek Date: Fri, 25 Sep 2020 08:58:08 +0000 (+0200) Subject: daemon/io: use MANDATORY_ALPN only with new gnutls X-Git-Tag: v5.2.0~15^2~18 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=81f2838929c69fdca14c13ac74bc9fabf0fc7ad6;p=thirdparty%2Fknot-resolver.git daemon/io: use MANDATORY_ALPN only with new gnutls This is only needed to fail early during the handshake, if protocol negotiation doesn't succeed. With older GnuTLS, if there's a protocol mismatch, the data won't be understood and the connection will close later on. Mandatory ALPN doesn't affect clients that don't use the ALPN extension. --- diff --git a/daemon/io.c b/daemon/io.c index fda11d4f6..8de8e3e0d 100644 --- a/daemon/io.c +++ b/daemon/io.c @@ -437,7 +437,13 @@ static void _tcp_accept(uv_stream_t *master, int status, bool tls, bool http) proto.data = (unsigned char *)"h2"; proto.size = 2; } - ret = gnutls_alpn_set_protocols(ctx->c.tls_session, &proto, 1, GNUTLS_ALPN_MANDATORY); + unsigned int flags = 0; +#if GNUTLS_VERSION_NUMBER >= 0x030500 + /* Mandatory ALPN means the protocol must match if and + * only if ALPN extension is used by the client. */ + flags |= GNUTLS_ALPN_MANDATORY; +#endif + ret = gnutls_alpn_set_protocols(ctx->c.tls_session, &proto, 1, flags); if (ret != GNUTLS_E_SUCCESS) { session_close(s); return;
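Review bot: the `#if GNUTLS_VERSION_NUMBER >= 0x030500` branch in `_tcp_accept` says what mandatory ALPN means but not why it is version-gated, so the reason `flags` stays 0 on older GnuTLS lives only in the commit message; add an `#else` comment (or extend the existing one) stating that pre-3.5 builds deliberately omit GNUTLS_ALPN_MANDATORY and that, as the commit message notes, a client offering only a mismatching protocol will then complete the handshake and fail later when its data is not understood, so accept behaviour differs between builds and a future reader does not "simplify" the `#if` away. Because the gate is a compile-time check, a binary built against 3.5+ headers keeps the flag regardless of the libgnutls it is loaded with; if that mix matters for packaging, a runtime `gnutls_check_version()` guard would be the alternative.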