author | inoguchi <> | 2020-05-13 10:18:03 +0000 |
---|---|---|
committer | inoguchi <> | 2020-05-13 10:18:03 +0000 |
commit | d44a6d684b802e01d8b30bbd1a83d4f071b901aa (patch) | |
tree | 42f19b8ea7270653843e910cc4846714925338ea /src | |
parent | 37de99516cfff2ab22bd94991d53517d0f510b62 (diff) | |
Add -tls1_3 and -no_tls1_3 options to openssl(1) s_server
- Add -tls1_3 and -no_tls1_3 to openssl(1) s_server
- Stop using version-pinned methods; set the minimum and maximum protocol versions instead
ok jsing@ tb@
Diffstat (limited to 'src')
-rw-r--r-- | src/usr.bin/openssl/s_server.c | 34 |
1 files changed, 28 insertions, 6 deletions
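--- a/src/usr.bin/openssl/s_server.c
+++ b/src/usr.bin/openssl/s_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_server.c,v 1.34 2020/05/10 16:55:28 beck Exp $ */
+/* $OpenBSD: s_server.c,v 1.35 2020/05/13 10:18:03 inoguchi Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -300,6 +300,7 @@ sv_usage(void)
 BIO_printf(bio_err, " -cipher arg - play with 'openssl ciphers' to see what goes here\n");
 BIO_printf(bio_err, " -serverpref - Use server's cipher preferences\n");
 BIO_printf(bio_err, " -quiet - Inhibit printing of session and certificate information\n");
+BIO_printf(bio_err, " -tls1_3 - Just talk TLSv1.3\n");
 BIO_printf(bio_err, " -tls1_2 - Just talk TLSv1.2\n");
 BIO_printf(bio_err, " -tls1_1 - Just talk TLSv1.1\n");
 BIO_printf(bio_err, " -tls1 - Just talk TLSv1\n");
@@ -312,6 +313,7 @@ sv_usage(void)
 BIO_printf(bio_err, " -no_tls1 - Just disable TLSv1\n");
 BIO_printf(bio_err, " -no_tls1_1 - Just disable TLSv1.1\n");
 BIO_printf(bio_err, " -no_tls1_2 - Just disable TLSv1.2\n");
+BIO_printf(bio_err, " -no_tls1_3 - Just disable TLSv1.3\n");
 #ifndef OPENSSL_NO_DH
 BIO_printf(bio_err, " -no_dhe - Disable ephemeral DH\n");
 #endif
@@ -581,6 +583,7 @@ s_server_main(int argc, char *argv[])
 const char *alpn_in = NULL;
 const char *groups_in = NULL;
 tlsextalpnctx alpn_ctx = { NULL, 0 };
+uint16_t min_version = 0, max_version = 0;
 
 if (single_execution) {
 if (pledge("stdio rpath inet dns tty", NULL) == -1) {
@@ -589,7 +592,7 @@ s_server_main(int argc, char *argv[])
 }
 }
 
-meth = SSLv23_server_method();
+meth = TLS_server_method();
 
 local_argc = argc;
 local_argv = argv;
@@ -774,20 +777,28 @@ s_server_main(int argc, char *argv[])
 off |= SSL_OP_NO_TLSv1_1;
 } else if (strcmp(*argv, "-no_tls1_2") == 0) {
 off |= SSL_OP_NO_TLSv1_2;
+} else if (strcmp(*argv, "-no_tls1_3") == 0) {
+off |= SSL_OP_NO_TLSv1_3;
 } else if (strcmp(*argv, "-no_comp") == 0) {
 off |= SSL_OP_NO_COMPRESSION;
 } else if (strcmp(*argv, "-no_ticket") == 0) {
 off |= SSL_OP_NO_TICKET;
 } else if (strcmp(*argv, "-tls1") == 0) {
-meth = TLSv1_server_method();
+min_version = TLS1_VERSION;
+max_version = TLS1_VERSION;
 } else if (strcmp(*argv, "-tls1_1") == 0) {
-meth = TLSv1_1_server_method();
+min_version = TLS1_1_VERSION;
+max_version = TLS1_1_VERSION;
 } else if (strcmp(*argv, "-tls1_2") == 0) {
-meth = TLSv1_2_server_method();
+min_version = TLS1_2_VERSION;
+max_version = TLS1_2_VERSION;
+} else if (strcmp(*argv, "-tls1_3") == 0) {
+min_version = TLS1_3_VERSION;
+max_version = TLS1_3_VERSION;
 }
 #ifndef OPENSSL_NO_DTLS1
 else if (strcmp(*argv, "-dtls1") == 0) {
-meth = DTLSv1_server_method();
+meth = DTLS_server_method();
 socket_type = SOCK_DGRAM;
 } else if (strcmp(*argv, "-timeout") == 0)
 enable_timeouts = 1;
@@ -956,6 +967,12 @@ s_server_main(int argc, char *argv[])
 ERR_print_errors(bio_err);
 goto end;
 }
+
+if (!SSL_CTX_set_min_proto_version(ctx, min_version))
+goto end;
+if (!SSL_CTX_set_max_proto_version(ctx, max_version))
+goto end;
+
 if (session_id_prefix) {
 if (strlen(session_id_prefix) >= 32)
 BIO_printf(bio_err,
@@ -1009,6 +1026,11 @@ s_server_main(int argc, char *argv[])
 ERR_print_errors(bio_err);
 goto end;
 }
+
+if (!SSL_CTX_set_min_proto_version(ctx2, min_version))
+goto end;
+if (!SSL_CTX_set_max_proto_version(ctx2, max_version))
+goto end;
 }
 if (ctx2) {
 BIO_printf(bio_s_out, "Setting secondary ctx parameters\n");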
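Review bot: The failure paths added in the @@ -956 and @@ -1009 hunks (`if (!SSL_CTX_set_min_proto_version(ctx, min_version)) goto end;` and the three lines of the same shape after it) jump to `end` without reporting why, whereas the checks immediately above them in both hunks call `ERR_print_errors(bio_err)` before `goto end`, so a rejected version pin makes s_server exit with no diagnostic. Suggest folding each pair into one check that uses the surrounding error style: `if (!SSL_CTX_set_min_proto_version(ctx, min_version) ||` / `!SSL_CTX_set_max_proto_version(ctx, max_version)) {` / `ERR_print_errors(bio_err); goto end; }`, and the same for ctx2. The four lines are duplicated verbatim for ctx and ctx2; a small static helper taking the SSL_CTX and the two versions would keep both contexts in step if the handling changes again. s_server_main starts and ends outside these hunks.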