From 81f2838929c69fdca14c13ac74bc9fabf0fc7ad6 Mon Sep 17 00:00:00 2001
From: Tomas Krizek
Date: Fri, 25 Sep 2020 10:58:08 +0200
Subject: [PATCH] daemon/io: use MANDATORY_APLN only with new gnutls
This is only needed to fail early during the handshake, if protocol negotiation doesn't succeed. With older GnuTLS, if there's a protocol mismatch, the data won't be understood and the connection will close later on. Mandatory ALPN doesn't affect clients that don't use the ALPN extension.
---
 daemon/io.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/daemon/io.c b/daemon/io.c
index fda11d4f6..8de8e3e0d 100644
--- a/daemon/io.c
+++ b/daemon/io.c
@@ -437,7 +437,13 @@ static void _tcp_accept(uv_stream_t *master, int status, bool tls, bool http)
 proto.data = (unsigned char *)"h2";
 proto.size = 2;
 }
- ret = gnutls_alpn_set_protocols(ctx->c.tls_session, &proto, 1, GNUTLS_ALPN_MANDATORY);
+ unsigned int flags = 0;
+#if GNUTLS_VERSION_NUMBER >= 0x030500
+ /* Mandatory ALPN means the protocol must match if and
+ * only if ALPN extension is used by the client. */
+ flags |= GNUTLS_ALPN_MANDATORY;
+#endif
+ ret = gnutls_alpn_set_protocols(ctx->c.tls_session, &proto, 1, flags);
 if (ret != GNUTLS_E_SUCCESS) {
 session_close(s);
 return;
--
2.47.2
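Review bot: The version gate `#if GNUTLS_VERSION_NUMBER >= 0x030500` carries no in-code explanation of why 3.5.0 is the threshold; the new comment says what mandatory ALPN does, but the reason older versions are excluded lives only in the commit message, and the phrase "must match if and only if ALPN extension is used" reads as contradictory. I would replace the two comment lines with `/* Only GnuTLS >= 3.5.0 aborts the handshake on an ALPN mismatch; with older versions a mismatch is detected later, when the data is not understood, so the flag buys nothing there. Clients that do not send ALPN are unaffected. */`. Note also that if `GNUTLS_VERSION_NUMBER` were ever undefined in this translation unit, the `#if` would silently evaluate to 0 and drop the flag without a warning — presumably gnutls.h is included since the call below uses the GnuTLS API, but building with `-Wundef` or an `#ifndef GNUTLS_VERSION_NUMBER` / `#error` guard would make that failure loud. `_tcp_accept` begins and ends outside the hunk.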