In short: there is the possibility of a middle-man tricking a client into 
accepting the response from another TLS server, if it uses the same 
certificate. This seems to be in the open, so we can talk about it here.

People think about how to prevent this and enforce stricter ALPN negotiation. 
But it is hairy since ALPN has been deployed for over 5 years. Breakage may 
ensue.

Our server is also 'relaxed' about this. If you look at 
ssl_engine_kernel.c#2760, if no protocol overlap was found, we continue the 
handshake as if no ALPN was supplied at all.

I guess we can always add a "SSLStrictALPN on", but let's see where this 
discussion goes.

- Stefan

golang ticket: https://github.com/golang/go/issues/46310
Twitter thread: https://twitter.com/icing/status/1402943686619639818
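
The relaxed and strict outcomes discussed in the message above, as an added example that is not mod_ssl code and not part of the original message. The function, the result codes, the `strict` flag (standing in for the suggested "SSLStrictALPN on") and the sample inputs are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Result codes are names made up for this sketch. */
enum alpn_result {
    ALPN_SELECTED,  /* overlap found; *out is the chosen protocol */
    ALPN_IGNORED,   /* relaxed: continue as if no ALPN was supplied */
    ALPN_FATAL,     /* strict: abort with no_application_protocol(120), RFC 7301 */
    ALPN_MALFORMED  /* client list is not valid wire format */
};

/* Constructed sample input: ALPN wire format, <1-byte length><name> entries. */
static const unsigned char SAMPLE_WEB[] = "\x02h2\x08http/1.1";
static const unsigned char SAMPLE_OTHER[] = "\x04imap";
static const char *const SERVER_PROTOS[] = { "h2", "http/1.1", NULL };

enum alpn_result alpn_select(const unsigned char *client, size_t clen,
                             const char *const *server, int strict,
                             const char **out)
{
    size_t i;
    *out = NULL;
    if (clen == 0)
        return ALPN_MALFORMED;
    /* Validate the whole list first: no empty names, no overrun. */
    for (i = 0; i < clen; i += 1 + (size_t)client[i])
        if (client[i] == 0 || (size_t)client[i] > clen - i - 1)
            return ALPN_MALFORMED;
    /* Server preference order decides which common protocol is chosen. */
    for (; *server != NULL; server++) {
        size_t slen = strlen(*server);
        for (i = 0; i < clen; i += 1 + (size_t)client[i])
            if (client[i] == slen && memcmp(client + i + 1, *server, slen) == 0) {
                *out = *server;
                return ALPN_SELECTED;
            }
    }
    /* No overlap: the relaxed server carries on, the strict one aborts. */
    return strict ? ALPN_FATAL : ALPN_IGNORED;
}

int main(void)
{
    const char *p;
    printf("%d\n", alpn_select(SAMPLE_WEB, sizeof SAMPLE_WEB - 1, SERVER_PROTOS, 1, &p));
    printf("%d\n", alpn_select(SAMPLE_OTHER, sizeof SAMPLE_OTHER - 1, SERVER_PROTOS, 0, &p));
    printf("%d\n", alpn_select(SAMPLE_OTHER, sizeof SAMPLE_OTHER - 1, SERVER_PROTOS, 1, &p));
    return 0;
}
```

With the relaxed setting, a client that offered only a non-HTTP protocol still completes the handshake against the HTTP server; with the strict setting the same ClientHello ends in a fatal alert.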
