bpo-32378: LibreSSL NPN workaround by tiran · Pull Request #5253 · python/cpython
This is not really a LibreSSL quirk - due to various history, no one can set OPENSSL_NO_NEXTPROTONEG without breaking multiple open source projects (each in different ways). As such, I would strongly recommend conditioning on the availability of TLSEXT_TYPE_next_proto_neg, rather than trying to map this to OPENSSL_NO_NEXTPROTONEG.
If you wish to retain this approach, the comment above could at least be updated to explain why OPENSSL_NO_NEXTPROTONEG cannot be set via LibreSSL (or OpenSSL for that matter).