3 files changed, 11 insertions, 2 deletions

diff --git a/doc/man3/SSL_CTX_set_alpn_select_cb.pod b/doc/man3/SSL_CTX_set_alpn_select_cb.pod
index 5ff5a93b52..5ad063eb7f 100644
--- a/doc/man3/SSL_CTX_set_alpn_select_cb.pod
+++ b/doc/man3/SSL_CTX_set_alpn_select_cb.pod
@@ -113,9 +113,15 @@ The ALPN select callback B<cb>, must return one of the following:
 
 ALPN protocol selected.
 
+=item SSL_TLSEXT_ERR_ALERT_FATAL
+
+There was no overlap between the client's supplied list and the server
+configuration.
+
 =item SSL_TLSEXT_ERR_NOACK
 
-ALPN protocol not selected.
+ALPN protocol not selected, e.g., because no ALPN protocols are configured for
+this connection.
 
 =back
 
diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
index cd1d0bd3ec..7ec7128172 100644
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -919,6 +919,9 @@ static int final_alpn(SSL *s, unsigned int context, int sent, int *al)
             /* ALPN takes precedence over NPN. */
             s->s3->npn_seen = 0;
 #endif
+        } else if (r == SSL_TLSEXT_ERR_NOACK) {
+            /* Behave as if no callback was present. */
+            return 1;
         } else {
             *al = SSL_AD_NO_APPLICATION_PROTOCOL;
             return 0;
diff --git a/test/handshake_helper.c b/test/handshake_helper.c
index 47af3fe396..94fa5c578f 100644
--- a/test/handshake_helper.c
+++ b/test/handshake_helper.c
@@ -413,7 +413,7 @@ static int server_alpn_cb(SSL *s, const unsigned char **out,
     *out = tmp_out;
     /* Unlike NPN, we don't tolerate a mismatch. */
     return ret == OPENSSL_NPN_NEGOTIATED ? SSL_TLSEXT_ERR_OK
-        : SSL_TLSEXT_ERR_NOACK;
+        : SSL_TLSEXT_ERR_ALERT_FATAL;
 }
 
 #ifndef OPENSSL_NO_SRP