fix(tls): for incoming connection alpn negotiation should be done usi…
…ng set_alpn_select_callback (#18843)

* set alpn callback in incoming connection

* add formatting

* more formatting fix
anil-db authored Oct 17, 2023
1 parent dc729f5 commit 8a5b67e
Showing 2 changed files with 20 additions and 5 deletions.
2 changes: 1 addition & 1 deletion lib/vector-core/src/tls/incoming.rs
Expand Up @@ -32,7 +32,7 @@ impl TlsSettings {
Some(_) => {
let mut acceptor = SslAcceptor::mozilla_intermediate(SslMethod::tls())
.context(CreateAcceptorSnafu)?;
self.apply_context(&mut acceptor)?;
self.apply_context_base(&mut acceptor, true)?;
Ok(acceptor.build())
}
}
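Review bot: The bare `true` in `self.apply_context_base(&mut acceptor, true)?;` does not tell a reader which behaviour is being toggled, and the same positional flag shows up in the `for_server: bool` parameter added in settings.rs. A two-variant enum (e.g. `ContextRole::Server` / `ContextRole::Client`) or a thin named wrapper such as `apply_server_context` would make the call site self-describing without changing what it does. The enclosing method continues outside this hunk.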
23 changes: 19 additions & 4 deletions lib/vector-core/src/tls/settings.rs
Expand Up @@ -9,7 +9,7 @@ use lookup::lookup_v2::OptionalValuePath;
use openssl::{
pkcs12::{ParsedPkcs12_2, Pkcs12},
pkey::{PKey, Private},
ssl::{ConnectConfiguration, SslContextBuilder, SslVerifyMode},
ssl::{select_next_proto, AlpnError, ConnectConfiguration, SslContextBuilder, SslVerifyMode},
stack::Stack,
x509::{store::X509StoreBuilder, X509},
};
Expand Down Expand Up @@ -268,6 +268,14 @@ impl TlsSettings {
}

pub(super) fn apply_context(&self, context: &mut SslContextBuilder) -> Result<()> {
self.apply_context_base(context, false)
}

pub(super) fn apply_context_base(
&self,
context: &mut SslContextBuilder,
for_server: bool,
) -> Result<()> {
context.set_verify(if self.verify_certificate {
SslVerifyMode::PEER | SslVerifyMode::FAIL_IF_NO_PEER_CERT
} else {
Expand Down Expand Up @@ -310,9 +318,16 @@ impl TlsSettings {
}

if let Some(alpn) = &self.alpn_protocols {
context
.set_alpn_protos(alpn.as_slice())
.context(SetAlpnProtocolsSnafu)?;
if for_server {
let server_proto = alpn.clone();
context.set_alpn_select_callback(move |_, client_proto| {
select_next_proto(server_proto.as_slice(), client_proto).ok_or(AlpnError::NOACK)
});
} else {
context
.set_alpn_protos(alpn.as_slice())
.context(SetAlpnProtocolsSnafu)?;
}
}

Ok(())
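Review bot: The `ok_or(AlpnError::NOACK)` fallback in the new select callback means a client that offers no protocol in common still completes the handshake, just without ALPN, so the configured `alpn_protocols` list acts as a preference rather than a restriction; if operators expect the list to be enforced, `AlpnError::ALERT_FATAL` is the variant that aborts such handshakes. Whichever is intended, the choice deserves a comment above the callback, e.g. `// No common protocol: continue the handshake without ALPN rather than abort it.` The callback also passes `server_proto` to `select_next_proto` unconditionally; if `alpn_protocols` can be `Some` with an empty wire-format list, a guard such as `if server_proto.is_empty() { return Err(AlpnError::NOACK); }` avoids relying on the underlying library's handling of an empty server list. The enclosing `apply_context_base` begins outside this hunk.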
