1 file changed +28
-0
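--- a/<PATH NOT SHOWN ON PAGE>
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -1585,6 +1585,34 @@ open_client_SSL(PGconn *conn)
 }
 }
 
+/* ALPN is mandatory with direct SSL connections */
+if (conn -> current_enc_method == ENC_DIRECT_SSL )
+{
+const unsigned char * selected ;
+unsigned int len ;
+
+SSL_get0_alpn_selected (conn -> ssl , & selected , & len );
+
+if (selected == NULL )
+{
+libpq_append_conn_error (conn , "direct SSL connection was established without ALPN protocol negotiation extension" );
+pgtls_close (conn );
+return PGRES_POLLING_FAILED ;
+}
+
+/*
+* We only support one protocol so that's what the negotiation should
+* always choose, but doesn't hurt to check.
+*/
+if (len != strlen (PG_ALPN_PROTOCOL ) ||
+memcmp (selected , PG_ALPN_PROTOCOL , strlen (PG_ALPN_PROTOCOL )) != 0 )
+{
+libpq_append_conn_error (conn , "SSL connection was established with unexpected ALPN protocol" );
+pgtls_close (conn );
+return PGRES_POLLING_FAILED ;
+}
+}
+
 /*
 * We already checked the server certificate in initialize_SSL() using
 * SSL_CTX_set_verify(), if root.crt exists.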
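Review bot: The protocol-identity check (`len != strlen(PG_ALPN_PROTOCOL) || memcmp(...)`) only runs inside the `ENC_DIRECT_SSL` branch, so on a negotiated (non-direct) SSL connection a server that selects some protocol other than PG_ALPN_PROTOCOL is accepted silently. Only the "no ALPN at all" rejection needs to be direct-only; the mismatch rejection is cheap, its message already says "SSL connection" rather than "direct SSL connection", and hoisting it is harmless even if the client does not advertise ALPN on negotiated connections (initialize_SSL() is outside this hunk, so that is inferred), because SSL_get0_alpn_selected() then yields NULL and the check is skipped. A smaller style point: `strlen(PG_ALPN_PROTOCOL)` is evaluated twice inline; a local `size_t alpn_len = strlen(PG_ALPN_PROTOCOL);` reads better and keeps the length and memcmp bound visibly identical. open_client_SSL() starts and ends outside this hunk.
```c
	const unsigned char *selected;
	unsigned int len;
	size_t		alpn_len = strlen(PG_ALPN_PROTOCOL);

	SSL_get0_alpn_selected(conn->ssl, &selected, &len);

	/* ALPN is mandatory with direct SSL connections */
	if (selected == NULL && conn->current_enc_method == ENC_DIRECT_SSL)
	{
		libpq_append_conn_error(conn, "direct SSL connection was established without ALPN protocol negotiation extension");
		pgtls_close(conn);
		return PGRES_POLLING_FAILED;
	}

	/*
	 * We only support one protocol so that's what the negotiation should
	 * always choose, but doesn't hurt to check.  Checked on negotiated SSL
	 * connections too, whenever the server selected something.
	 */
	if (selected != NULL &&
		(len != alpn_len || memcmp(selected, PG_ALPN_PROTOCOL, alpn_len) != 0))
	{
		libpq_append_conn_error(conn, "SSL connection was established with unexpected ALPN protocol");
		pgtls_close(conn);
		return PGRES_POLLING_FAILED;
	}
	/* … unchanged: server certificate check that follows … */
```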