> While this may be reasonable advice for SNI, I'm not sure that > this is correct for ALPN. I don't think it is actually possible > to set the selected ALPN *without* using the ALPN callback. At > least I can't see a way. Correct, I wondered why I still used both callbacks. But I also know from experience you can not change SSL_CTX in the ALPN callback, it's too late in the handshake process. So if you need to change CTX, for instance for ALPN acme-tls/1 for Let's Encrypt, you have to do it during the HELO callback. > A useful addition to OpenSSL might be a new API to set the > selected ALPN directly which could be called from a client_hello_cb. Indeed, would save using two callbacks. Angus
