quic: send correct OpenSSL alert for ALPN mismatches

pimterry · web-flow · commit f190a048c34e · 2026-05-15T14:37:45.000Z
Signed-off-by: Tim Perry <pimterry@gmail.com> PR-URL: #63193 Reviewed-By: James M Snell <jasnell@gmail.com>
diff --git a/src/quic/tlscontext.cc b/src/quic/tlscontext.cc
@@ -338,7 +338,7 @@ int TLSContext::OnSelectAlpn(SSL* ssl,
           in,
           inlen) == OPENSSL_NPN_NO_OVERLAP) {
     Debug(&tls_session.session(), "ALPN negotiation failed");
-    return SSL_TLSEXT_ERR_NOACK;
+    return SSL_TLSEXT_ERR_ALERT_FATAL;
   }
 
   // ALPN negotiated successfully. *out/*outlen point to the selected
diff --git a/test/parallel/test-quic-alpn-mismatch.mjs b/test/parallel/test-quic-alpn-mismatch.mjs
@@ -2,31 +2,39 @@
 
 // Test: ALPN mismatch causes connection failure.
 // The server offers 'quic-test' but the client requests 'nonexistent'.
-// The handshake should fail.
+// The handshake should fail with a `no_application_protocol` alert.
+//
+// The QUIC transport error code for a CRYPTO_ERROR carrying a TLS alert is
+// 0x100 | <tls_alert>. For `no_application_protocol` (alert 120 / 0x78) this
+// is 0x178 == 376. ERR_QUIC_TRANSPORT_ERROR formats the wire code into its
+// message as a bigint, so we match `376n` to assert the specific alert was
+// sent rather than some other handshake failure.
 
 import { hasQuic, skip, mustCall } from '../common/index.mjs';
 import assert from 'node:assert';
 
-const { rejects, strictEqual } = assert;
+const { rejects, strictEqual, match } = assert;
 
 if (!hasQuic) {
   skip('QUIC is not enabled');
 }
 
 const { listen, connect } = await import('../common/quic.mjs');
 
+const expected = {
+  code: 'ERR_QUIC_TRANSPORT_ERROR',
+  message: /\b376n\b/,
+};
+
 const onerror = mustCall((err) => {
   strictEqual(err.code, 'ERR_QUIC_TRANSPORT_ERROR');
+  match(err.message, /\b376n\b/);
 }, 2);
 const transportParams = { maxIdleTimeout: 1 };
 
 const serverEndpoint = await listen(mustCall(async (serverSession) => {
-  await rejects(serverSession.opened, {
-    code: 'ERR_QUIC_TRANSPORT_ERROR',
-  });
-  await rejects(serverSession.closed, {
-    code: 'ERR_QUIC_TRANSPORT_ERROR',
-  });
+  await rejects(serverSession.opened, expected);
+  await rejects(serverSession.closed, expected);
 }), {
   transportParams,
   onerror,
@@ -39,12 +47,8 @@ const clientSession = await connect(serverEndpoint.address, {
   onerror,
 });
 
-await rejects(clientSession.opened, {
-  code: 'ERR_QUIC_TRANSPORT_ERROR',
-});
+await rejects(clientSession.opened, expected);
 
 // The handshake should fail — opened may reject or never resolve.
 // The session should close with an error.
-await rejects(clientSession.closed, {
-  code: 'ERR_QUIC_TRANSPORT_ERROR',
-});
+await rejects(clientSession.closed, expected);

Original file line number	Diff line number	Diff line change
`@@ -338,7 +338,7 @@ int TLSContext::OnSelectAlpn(SSL* ssl,`
`338`	`338`	`in,`
`339`	`339`	`inlen) == OPENSSL_NPN_NO_OVERLAP) {`
`340`	`340`	`Debug(&tls_session.session(), "ALPN negotiation failed");`
`341`		`- return SSL_TLSEXT_ERR_NOACK;`
	`341`	`+ return SSL_TLSEXT_ERR_ALERT_FATAL;`
`342`	`342`	`}`
`343`	`343`
`344`	`344`	`// ALPN negotiated successfully. out/outlen point to the selected`