Posted to dev@brpc.apache.org by "old-bear (via GitHub)" <gi...@apache.org> on 2023/02/22 14:58:43 UTC

Re: [PR] Server support ALPN with OpenSSL (brpc)

old-bear commented on code in PR #2102:
URL: https://github.com/apache/brpc/pull/2102#discussion_r1114448356


##########
src/brpc/server.cpp:
##########
@@ -642,6 +642,31 @@ int Server::InitializeOnce() {
     return 0;
 }
 
+int Server::InitALPNOptions(const ServerSSLOptions* options) {
+    if (options == nullptr) {
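
Review bot: InitALPNOptions takes a `const ServerSSLOptions*` and opens with a null check, but nothing visible here says whether null is a legitimate input. If every caller already holds a valid options object, a const reference would make the check unnecessary. If null is allowed, a comment on the declaration should state what the function returns in that case.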

Review Comment:
   If the OpenSSL version doesn't support it, does this just report an error directly?



##########
src/brpc/details/ssl_helper.cpp:
##########
@@ -441,6 +441,40 @@ static int SetSSLOptions(SSL_CTX* ctx, const std::string& ciphers,
     return 0;
 }
 
+static int ServerALPNCallback(
+        SSL* ssl, const unsigned char** out, unsigned char* outlen,
+        const unsigned char* in, unsigned int inlen, void* arg) {
+    const std::string* alpns = static_cast<const std::string*>(arg);
+    if (alpns == nullptr) {
+        return SSL_TLSEXT_ERR_NOACK;
+    }
+
+    // Use OpenSSL standard select API.
+    int select_result = SSL_select_next_proto(
+            const_cast<unsigned char**>(out), outlen, 
+            reinterpret_cast<const unsigned char*>(alpns->data()), alpns->size(),
+            in, inlen);
+    return (select_result == OPENSSL_NPN_NEGOTIATED) 
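
Review bot: The return on `select_result` needs a comment stating which failure behaviour is intended, because the two candidate codes differ at the handshake level. Per the OpenSSL documentation for SSL_CTX_set_alpn_select_cb, SSL_TLSEXT_ERR_NOACK lets the connection continue with no ALPN protocol selected, while SSL_TLSEXT_ERR_ALERT_FATAL aborts the handshake. Also note that on OPENSSL_NPN_NO_OVERLAP, SSL_select_next_proto still writes the client's first protocol into `out`/`outlen`, so only the OPENSSL_NPN_NEGOTIATED branch may return SSL_TLSEXT_ERR_OK. Separately, `arg` is a raw `const std::string*` passed straight to SSL_select_next_proto: please document that the string must already be in length-prefixed ALPN wire format and must outlive the SSL_CTX that holds this callback.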

Review Comment:
   If no protocol is selected, will returning SSL_TLSEXT_ERR_NOACK directly drop the SSL connection?
   What's the difference from returning SSL_TLSEXT_ERR_ALERT_FATAL?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@brpc.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

