tlsconfig: don't negotiate ALPN with client if server refused to do so

2024-11-22 15:37:45 +00:00 · 2021-03-29 09:01:20 +02:00 · 2021-03-29 09:01:20 +02:00 · 80f208fb2a
commit 80f208fb2a
parent c195737a0c
2 changed files with 8 additions and 0 deletions
--- a/mitmproxy/addons/tlsconfig.py
+++ b/mitmproxy/addons/tlsconfig.py
@ -34,6 +34,10 @@ def alpn_select_callback(conn: SSL.Connection, options: List[bytes]) -> Any:
    http2 = app_data["http2"]
    if server_alpn and server_alpn in options:
        return server_alpn
+    if server_alpn == b"":
+        # We do have a server connection, but the remote server refused to negotiate a protocol:
+        # We need to mirror this on the client connection.
+        return SSL.NO_OVERLAPPING_PROTOCOLS
    http_alpns = tls.HTTP_ALPNS if http2 else tls.HTTP1_ALPNS
    for alpn in options:  # client sends in order of preference, so we are nice and respect that.
        if alpn in http_alpns:
--- a/test/mitmproxy/addons/test_tlsconfig.py
+++ b/test/mitmproxy/addons/test_tlsconfig.py
@ -30,6 +30,10 @@ def test_alpn_select_callback():
    # Test no overlap
    assert tlsconfig.alpn_select_callback(conn, [b"qux", b"quux"]) == SSL.NO_OVERLAPPING_PROTOCOLS

+    # Test that we don't select an ALPN if the server refused to select one.
+    conn.set_app_data(tlsconfig.AppData(server_alpn=b"", http2=True))
+    assert tlsconfig.alpn_select_callback(conn, [b"http/1.1"]) == SSL.NO_OVERLAPPING_PROTOCOLS
+

 here = Path(__file__).parent