Opened 6 years ago

Closed 6 years ago

#1616 closed defect (wontfix)

ssl_preread_alpn_protocols not safe

Reported by: James Callahan Owned by:
Priority: minor Milestone:
Component: nginx-module Version: 1.15.x
Keywords: ssl_preread Cc:
uname -a:
nginx -V: N/A

Description

ssl_preread_alpn_protocols is a comma separated list of ALPNs proposed by a client.
However an ALPN is allowed to contain a comma. This makes it impossible to safely know if a client proposed a given ALPN.

Change History (2)

comment:1 by Sergey Kandaurov, 6 years ago

Just a note, that in the current IANA "ExtensionType Values" registry of TLS ALPN Protocol IDs [1] there are no such values.

https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids

Version 0, edited 6 years ago by Sergey Kandaurov (next)

comment:2 by Roman Arutyunyan, 6 years ago

Resolution: wontfix
Status: newclosed

Currently there is no convenient way in nginx to check if a given value is present in a list of values. This is why we came up with the comma-separated list. As mentioned above, it is unlikely that there will be any issue with that in real life since no protocols are defined which have a comma in name.

Another example is the openssl s_client command line tool which expects -alpn argument value as a comma-separated list as well.

Note: See TracTickets for help on using tickets.