Opened 6 years ago
Closed 6 years ago
#1616 closed defect (wontfix)
ssl_preread_alpn_protocols not safe
Reported by: | James Callahan | Owned by: | |
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | nginx-module | Version: | 1.15.x |
Keywords: | ssl_preread | Cc: | |
uname -a: | |||
nginx -V: | N/A |
Description
ssl_preread_alpn_protocols is a comma separated list of ALPNs proposed by a client.
However an ALPN is allowed to contain a comma. This makes it impossible to safely know if a client proposed a given ALPN.
Change History (2)
comment:2 by , 6 years ago
Resolution: | → wontfix |
---|---|
Status: | new → closed |
Currently there is no convenient way in nginx to check if a given value is present in a list of values. This is why we came up with the comma-separated list. As mentioned above, it is unlikely that there will be any issue with that in real life since no protocols are defined which have a comma in name.
Another example is the openssl s_client
command line tool which expects -alpn
argument value as a comma-separated list as well.
Just a note, that in the current IANA "ExtensionType Values" registry of TLS ALPN Protocol IDs [1] there are no such values.
https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids