[Python-checkins] cpython: prefer server alpn ordering over the client's

benjamin.peterson python-checkins at python.org
Fri Jan 23 23:30:38 CET 2015


https://hg.python.org/cpython/rev/eaa38b75cc78
changeset:   94264:eaa38b75cc78
parent:      94261:be9fe0c66075
user:        Benjamin Peterson <benjamin at python.org>
date:        Fri Jan 23 17:30:26 2015 -0500
summary:
  prefer server alpn ordering over the client's

files:
  Doc/library/ssl.rst  |   3 +-
  Lib/test/test_ssl.py |   4 +-
  Modules/_ssl.c       |  35 +++++++++++++++++++------------
  3 files changed, 25 insertions(+), 17 deletions(-)


diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -970,7 +970,8 @@
 
    Return the protocol that was selected during the TLS handshake.  If
    :meth:`SSLContext.set_alpn_protocols` was not called, if the other party does
-   not support ALPN, or if the handshake has not happened yet, ``None`` is
+   not support ALPN, if this socket does not support any of the client's
+   proposed protocols, or if the handshake has not happened yet, ``None`` is
    returned.
 
    .. versionadded:: 3.5
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -3054,9 +3054,9 @@
             server_protocols = ['foo', 'bar', 'milkshake']
             protocol_tests = [
                 (['foo', 'bar'], 'foo'),
-                (['bar', 'foo'], 'bar'),
+                (['bar', 'foo'], 'foo'),
                 (['milkshake'], 'milkshake'),
-                (['http/3.0', 'http/4.0'], 'foo')
+                (['http/3.0', 'http/4.0'], None)
             ]
             for client_protocols, expected in protocol_tests:
                 server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -2276,18 +2276,25 @@
 }
 
 static int
-do_protocol_selection(unsigned char **out, unsigned char *outlen,
-                      const unsigned char *remote_protocols, unsigned int remote_protocols_len,
-                      unsigned char *our_protocols, unsigned int our_protocols_len)
+do_protocol_selection(int alpn, unsigned char **out, unsigned char *outlen,
+                      const unsigned char *server_protocols, unsigned int server_protocols_len,
+                      const unsigned char *client_protocols, unsigned int client_protocols_len)
 {
-    if (our_protocols == NULL) {
-        our_protocols = (unsigned char*)"";
-        our_protocols_len = 0;
+    int ret;
+    if (client_protocols == NULL) {
+        client_protocols = (unsigned char *)"";
+        client_protocols_len = 0;
     }
-
-    SSL_select_next_proto(out, outlen,
-                          remote_protocols, remote_protocols_len,
-                          our_protocols, our_protocols_len);
+    if (server_protocols == NULL) {
+        server_protocols = (unsigned char *)"";
+        server_protocols_len = 0;
+    }
+
+    ret = SSL_select_next_proto(out, outlen,
+                                server_protocols, server_protocols_len,
+                                client_protocols, client_protocols_len);
+    if (alpn && ret != OPENSSL_NPN_NEGOTIATED)
+        return SSL_TLSEXT_ERR_NOACK;
 
     return SSL_TLSEXT_ERR_OK;
 }
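Review bot: On the ALPN path a failed match returns `SSL_TLSEXT_ERR_NOACK`, so the handshake completes with no protocol agreed instead of being refused. RFC 7301 section 3.2 calls for a fatal `no_application_protocol` alert in that case, and OpenSSL's documented callback return value for no overlap is `SSL_TLSEXT_ERR_ALERT_FATAL`. If continuing is the intended policy, say so above the `if (alpn && ...)` test, for example `/* No overlap: carry on without ALPN; callers must treat a None result as "nothing negotiated". */`, since a server that relies on ALPN to keep protocols apart then has to check for `None` itself. A short header comment that the first list passed to `SSL_select_next_proto` sets the preference order would also explain why the server list now comes first.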
@@ -2319,7 +2326,7 @@
               void *args)
 {
     PySSLContext *ctx = (PySSLContext *)args;
-    return do_protocol_selection(out, outlen, server, server_len,
+    return do_protocol_selection(0, out, outlen, server, server_len,
                                  ctx->npn_protocols, ctx->npn_protocols_len);
 }
 #endif
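Review bot: The bare `0` in this call (and the `1` in the ALPN callback hunk below) does not tell a reader that it switches off the no-overlap check. With NPN the function therefore still returns `SSL_TLSEXT_ERR_OK` and leaves `*out` at whatever `SSL_select_next_proto` fell back to. An inline marker such as `do_protocol_selection(/* alpn */ 0, out, outlen, ...)` or a pair of named constants would make the difference between the two callers visible. The enclosing callback starts above this hunk, so its name is not shown here.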
@@ -2371,9 +2378,9 @@
               void *args)
 {
     PySSLContext *ctx = (PySSLContext *)args;
-    return do_protocol_selection((unsigned char **)out, outlen,
-                                 client_protocols, client_protocols_len,
-                                 ctx->alpn_protocols, ctx->alpn_protocols_len);
+    return do_protocol_selection(1, (unsigned char **)out, outlen,
+                                 ctx->alpn_protocols, ctx->alpn_protocols_len,
+                                 client_protocols, client_protocols_len);
 }
 #endif
 

-- 
Repository URL: https://hg.python.org/cpython

