[gnutls-devel] GnuTLS | ALPN issue (#951)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Sat Mar 7 11:21:18 CET 2020

ASoasofoFoInLoveasorr illov created an issue: https://gitlab.com/gnutls/gnutls/-/issues/951

Hi, I have one issue.

It is related to ALPN in GNUTLS. I have a restricted firewall which allows only HTTPS connections, no other SSL connections. It checks whether ALPN is present in the CLIENT HELLO (h2, http/1.1).

I checked on Android using the normal Java HttpsURLConnection (which may be using OpenSSL) and it is able to connect to the HTTPS website. I found that when I use HttpsURLConnection it adds ALPN to the client hello.

But using GNUTLS, a sample C program cannot connect to that website. It says SSL negotiation failed, so I added ALPN using

`gnutls_alpn_set_protocols()`

Now I can see the ALPN added by GNUTLS in the CLIENT HELLO: h2, http/1.1. But it is still not connecting.

I compared the traffic generated by GNUTLS and Java HttpsURLConnection and found both are almost the same; the only difference is that GNUTLS adds ALPN in the first portion of the request, but in the case of HttpsURLConnection ALPN is in the last portion of the CLIENT HELLO request.

Can you please shed some light on this?

```c
/* Fragment of the reporter's openconnect-derived client code. hostinfo,
 * gtls_ver(), host_progress(), cstp_handshake(), get_gnutls_cipher(), ssl_sock
 * and the openconnect_gnutls_* callbacks belong to that code base. Braces and
 * the calls that were cut off in the paste have been closed so the fragment
 * parses; the priority strings are otherwise as posted. */
gnutls_init(&hostinfo->https_sess, GNUTLS_CLIENT);

/* SET ALPN: advertise h2 and http/1.1, in that order of preference */
gnutls_datum_t t[2];
t[0].data = (void *) "h2";
t[0].size = 2;
t[1].data = (void *) "http/1.1";
t[1].size = 8;
gnutls_alpn_set_protocols(hostinfo->https_sess, t, 2, 0);

/* SNI: gnutls_server_name_set() takes the name and its length */
if (gtls_ver(3,2,9) /* && string_is_hostname(hostinfo->hostname) */)
	gnutls_server_name_set(hostinfo->https_sess, GNUTLS_NAME_DNS,
			       hostinfo->hostname, strlen(hostinfo->hostname));

gnutls_session_set_ptr(hostinfo->https_sess, (void *) hostinfo);

#ifdef DEFAULT_PRIO
default_prio = DEFAULT_PRIO ":%COMPAT";
#else
if (gtls_ver(3,2,9)) {
	default_prio = "NORMAL:-VERS-SSL3.0:%COMPAT";
} else if (gtls_ver(3,0,0)) {
	default_prio = "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:";  /* rest of the string was cut in the paste */
} else {
	default_prio = "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:";  /* rest of the string was cut in the paste */
}
#endif

snprintf(hostinfo->gnutls_prio, sizeof(hostinfo->gnutls_prio), "%s%s",
	 default_prio, hostinfo->pfs ? ":-RSA" : "");

err = gnutls_priority_set_direct(hostinfo->https_sess, hostinfo->gnutls_prio, NULL);
if (err) {
	host_progress(hostinfo, PRG_ERR,
		      _("Failed to set TLS priority string (\"%s\"): %s\n"),
		      hostinfo->gnutls_prio, gnutls_strerror(err));
	hostinfo->https_sess = NULL;
	return -EIO;
}

gnutls_credentials_set(hostinfo->https_sess, GNUTLS_CRD_CERTIFICATE, hostinfo->https_cred);

host_progress(hostinfo, PRG_INFO, _("SSL negotiation with %s\n"), hostinfo->hostname);

err = cstp_handshake(hostinfo, 1);
if (err)
	return err;

hostinfo->cstp_cipher = get_gnutls_cipher(hostinfo->https_sess);

hostinfo->ssl_fd = ssl_sock;

hostinfo->ssl_read = openconnect_gnutls_read;
hostinfo->ssl_write = openconnect_gnutls_write;
hostinfo->ssl_gets = openconnect_gnutls_gets;
```

Thank you
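An added example, not part of the issue report and not code from GnuTLS or openconnect: a small parser that walks the extension list of a TLS ClientHello, reports which position the ALPN extension (type 16, RFC 7301) occupies and decodes the protocol names it carries. This is the check one wants when comparing two clients' hellos as the reporter did, since TLS assigns no meaning to extension order and a middlebox that keys on the position of ALPN rather than on its contents will reject valid clients. The ClientHello bytes below are constructed for the example (three extensions: server_name, ALPN, supported_versions); `find_alpn()` and `struct alpn_info` are names chosen here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ALPN_MAX_NAMES 8
#define ALPN_NAME_LEN  32
#define EXT_ALPN       16   /* application_layer_protocol_negotiation, RFC 7301 */

struct alpn_info {
	int found;   /* 1 if an ALPN extension is present */
	int index;   /* 0-based position of ALPN among the extensions */
	int total;   /* number of extensions in the ClientHello */
	int count;   /* number of protocol names decoded */
	char names[ALPN_MAX_NAMES][ALPN_NAME_LEN];
};

static unsigned rd16(const uint8_t *p) { return (unsigned)(p[0] << 8 | p[1]); }

/* Decode the ProtocolNameList inside an ALPN extension body:
 * u16 list length, then u8-length-prefixed names. */
static int parse_alpn_body(const uint8_t *p, size_t len, struct alpn_info *out)
{
	if (len < 2 || rd16(p) + 2u != len) return -1;
	size_t pos = 2;
	while (pos < len) {
		size_t nl = p[pos++];
		if (nl == 0 || pos + nl > len) return -1;   /* empty or overlong name */
		if (out->count < ALPN_MAX_NAMES) {
			size_t c = nl < ALPN_NAME_LEN - 1 ? nl : ALPN_NAME_LEN - 1;
			memcpy(out->names[out->count], p + pos, c);
			out->names[out->count][c] = '\0';
			out->count++;
		}
		pos += nl;
	}
	return 0;
}

/* Parse a ClientHello handshake message (handshake header onward, no record
 * layer). Returns 0 on success, -1 if the message is truncated or malformed.
 * Every read is bounded by the declared handshake length. */
int find_alpn(const uint8_t *buf, size_t len, struct alpn_info *out)
{
	memset(out, 0, sizeof *out);
	if (len < 4 || buf[0] != 1) return -1;              /* type 1 = client_hello */
	size_t end = 4 + ((size_t)buf[1] << 16 | (size_t)buf[2] << 8 | buf[3]);
	if (end > len) return -1;
	size_t off = 4 + 2 + 32;                            /* legacy_version + random */
	if (off + 1 > end) return -1;
	off += 1 + buf[off];                                /* session_id */
	if (off + 2 > end) return -1;
	off += 2 + rd16(buf + off);                         /* cipher_suites */
	if (off + 1 > end) return -1;
	off += 1 + buf[off];                                /* compression_methods */
	if (off + 2 > end) return -1;
	size_t ext_len = rd16(buf + off); off += 2;
	if (off + ext_len != end) return -1;

	while (off + 4 <= end) {
		unsigned type = rd16(buf + off);
		size_t elen = rd16(buf + off + 2);
		off += 4;
		if (off + elen > end) return -1;
		if (type == EXT_ALPN && !out->found) {
			out->found = 1;
			out->index = out->total;
			if (parse_alpn_body(buf + off, elen, out) < 0) return -1;
		}
		off += elen;
		out->total++;
	}
	return off == end ? 0 : -1;
}

/* Constructed ClientHello: SNI "host.example", ALPN "h2","http/1.1", TLS 1.3 only. */
static const uint8_t sample_hello[] = {
	0x01, 0x00, 0x00, 0x5b,                      /* client_hello, body length 91 */
	0x03, 0x03,                                  /* legacy_version TLS 1.2 */
	0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,            /* random (32 bytes, constructed) */
	0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,
	0x00,                                        /* session_id length 0 */
	0x00, 0x04, 0x13, 0x01, 0x13, 0x02,          /* cipher_suites: two TLS 1.3 suites */
	0x01, 0x00,                                  /* compression: null */
	0x00, 0x2e,                                  /* extensions length 46 */
	0x00, 0x00, 0x00, 0x11, 0x00, 0x0f, 0x00, 0x00, 0x0c,    /* server_name */
	'h','o','s','t','.','e','x','a','m','p','l','e',
	0x00, 0x10, 0x00, 0x0e, 0x00, 0x0c,                      /* ALPN */
	0x02, 'h','2',  0x08, 'h','t','t','p','/','1','.','1',
	0x00, 0x2b, 0x00, 0x03, 0x02, 0x03, 0x04,                /* supported_versions */
};

int main(void)
{
	struct alpn_info info;
	if (find_alpn(sample_hello, sizeof sample_hello, &info) < 0) { puts("malformed ClientHello"); return 1; }
	if (!info.found) { printf("no ALPN extension (%d extensions)\n", info.total); return 0; }
	printf("ALPN is extension %d of %d:", info.index + 1, info.total);
	for (int i = 0; i < info.count; i++) printf(" %s", info.names[i]);
	putchar('\n');   /* sample prints: ALPN is extension 2 of 3: h2 http/1.1 */
	return 0;
}
```

Feed it the handshake bytes of a real capture (record layer stripped) from each client and compare `index` and `names`; if both lists read `h2 http/1.1` and only `index` differs, the client side is conformant and the middlebox is matching on layout rather than on the negotiated protocols.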


