SSL: reject unsupported protocols "negotiated" during handshake

Maxim Dounin mdounin at mdounin.ru
Wed Apr 3 11:02:46 UTC 2013


Hello!

On Tue, Apr 02, 2013 at 06:06:02PM -0700, Piotr Sikora wrote:

> Hey,
> OpenSSL doesn't do anything to verify that "negotiated" protocol
> was actually advertised to the client, so we have to do it ourselves.

Do we care?  I think it's ok to assume HTTP by default, even if a 
client sent something different from what we've advertised.

-- 
Maxim Dounin
http://nginx.org/en/donation.html



More information about the nginx-devel mailing list