From 8a5b67e452772887d5353ff245d33bd4e2ed19ba Mon Sep 17 00:00:00 2001
From: Anil Gupta <90670783+anil-db@users.noreply.github.com>
Date: Tue, 17 Oct 2023 11:30:49 -0700
Subject: [PATCH] fix(tls): for incoming connection alpn negotiation should be done using set_alpn_select_callback (#18843)

* set alpn callback in incoming connetion
* add formatting
* more formatting fix
---
 lib/vector-core/src/tls/incoming.rs | 2 +-
 lib/vector-core/src/tls/settings.rs | 23 +++++++++++++++++++----
 2 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/lib/vector-core/src/tls/incoming.rs b/lib/vector-core/src/tls/incoming.rs
index 7992f2c2b1014..2f988fef2427c 100644
--- a/lib/vector-core/src/tls/incoming.rs
+++ b/lib/vector-core/src/tls/incoming.rs
@@ -32,7 +32,7 @@ impl TlsSettings {
 Some(_) => {
 let mut acceptor = SslAcceptor::mozilla_intermediate(SslMethod::tls())
 .context(CreateAcceptorSnafu)?;
- self.apply_context(&mut acceptor)?;
+ self.apply_context_base(&mut acceptor, true)?;
 Ok(acceptor.build())
 }
 }
diff --git a/lib/vector-core/src/tls/settings.rs b/lib/vector-core/src/tls/settings.rs
index d7401049f77da..4083000ba848c 100644
--- a/lib/vector-core/src/tls/settings.rs
+++ b/lib/vector-core/src/tls/settings.rs
@@ -9,7 +9,7 @@ use lookup::lookup_v2::OptionalValuePath;
 use openssl::{
 pkcs12::{ParsedPkcs12_2, Pkcs12},
 pkey::{PKey, Private},
- ssl::{ConnectConfiguration, SslContextBuilder, SslVerifyMode},
+ ssl::{select_next_proto, AlpnError, ConnectConfiguration, SslContextBuilder, SslVerifyMode},
 stack::Stack,
 x509::{store::X509StoreBuilder, X509},
 };
@@ -268,6 +268,14 @@ impl TlsSettings {
 }
 
 pub(super) fn apply_context(&self, context: &mut SslContextBuilder) -> Result<()> {
+ self.apply_context_base(context, false)
+ }
+
+ pub(super) fn apply_context_base(
+ &self,
+ context: &mut SslContextBuilder,
+ for_server: bool,
+ ) -> Result<()> {
 context.set_verify(if self.verify_certificate {
 SslVerifyMode::PEER | SslVerifyMode::FAIL_IF_NO_PEER_CERT
 } else {
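Review bot: The bare `true` in `self.apply_context_base(&mut acceptor, true)?;` gives a reader no hint that it selects the server-side ALPN path, and the same boolean is introduced as `for_server: bool` in the settings.rs hunk at @@ -268. A two-variant enum (constructed example: `Side::Server` / `Side::Client`) would make the call site self-describing and make it impossible to apply the client-style `set_alpn_protos` to an acceptor, which is exactly the mistake this commit corrects; if the bool stays, at least write `self.apply_context_base(&mut acceptor, /* for_server */ true)?;`. The function containing this match arm starts before the hunk.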
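Review bot: `apply_context_base` and its new `for_server` parameter carry no doc comment, so the reason the server path must differ is not recorded where the flag is declared. Suggest above `pub(super) fn apply_context_base(` a comment along the lines of `/// Applies the TLS settings to `context`. With `for_server` set, ALPN is negotiated via `set_alpn_select_callback` (server picks from the client's offered list); otherwise the configured protocols are advertised with `set_alpn_protos`, the client-side form.` and on the wrapper `/// Client-side variant of [`apply_context_base`].`. The body continues past this hunk; the ALPN branch the flag controls is in the following hunk at @@ -310, where a client with no protocol in common gets `AlpnError::NOACK`, meaning the handshake continues without ALPN rather than being rejected, which is worth stating in the doc so callers that need a strict protocol match know to enforce it themselves.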
@@ -310,9 +318,16 @@ impl TlsSettings {
 }
 if let Some(alpn) = &self.alpn_protocols {
- context
- .set_alpn_protos(alpn.as_slice())
- .context(SetAlpnProtocolsSnafu)?;
+ if for_server {
+ let server_proto = alpn.clone();
+ context.set_alpn_select_callback(move |_, client_proto| {
+ select_next_proto(server_proto.as_slice(), client_proto).ok_or(AlpnError::NOACK)
+ });
+ } else {
+ context
+ .set_alpn_protos(alpn.as_slice())
+ .context(SetAlpnProtocolsSnafu)?;
+ }
 }
 Ok(())