summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/usr.bin/openssl/s_server.c34
1 files changed, 28 insertions, 6 deletions
diff --git a/src/usr.bin/openssl/s_server.c b/src/usr.bin/openssl/s_server.c
index 8b9512fdc3..b397e6966d 100644
--- a/src/usr.bin/openssl/s_server.c
+++ b/src/usr.bin/openssl/s_server.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s_server.c,v 1.34 2020/05/10 16:55:28 beck Exp $ */ 1/* $OpenBSD: s_server.c,v 1.35 2020/05/13 10:18:03 inoguchi Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -300,6 +300,7 @@ sv_usage(void)
300 BIO_printf(bio_err, " -cipher arg - play with 'openssl ciphers' to see what goes here\n"); 300 BIO_printf(bio_err, " -cipher arg - play with 'openssl ciphers' to see what goes here\n");
301 BIO_printf(bio_err, " -serverpref - Use server's cipher preferences\n"); 301 BIO_printf(bio_err, " -serverpref - Use server's cipher preferences\n");
302 BIO_printf(bio_err, " -quiet - Inhibit printing of session and certificate information\n"); 302 BIO_printf(bio_err, " -quiet - Inhibit printing of session and certificate information\n");
303 BIO_printf(bio_err, " -tls1_3 - Just talk TLSv1.3\n");
303 BIO_printf(bio_err, " -tls1_2 - Just talk TLSv1.2\n"); 304 BIO_printf(bio_err, " -tls1_2 - Just talk TLSv1.2\n");
304 BIO_printf(bio_err, " -tls1_1 - Just talk TLSv1.1\n"); 305 BIO_printf(bio_err, " -tls1_1 - Just talk TLSv1.1\n");
305 BIO_printf(bio_err, " -tls1 - Just talk TLSv1\n"); 306 BIO_printf(bio_err, " -tls1 - Just talk TLSv1\n");
@@ -312,6 +313,7 @@ sv_usage(void)
312 BIO_printf(bio_err, " -no_tls1 - Just disable TLSv1\n"); 313 BIO_printf(bio_err, " -no_tls1 - Just disable TLSv1\n");
313 BIO_printf(bio_err, " -no_tls1_1 - Just disable TLSv1.1\n"); 314 BIO_printf(bio_err, " -no_tls1_1 - Just disable TLSv1.1\n");
314 BIO_printf(bio_err, " -no_tls1_2 - Just disable TLSv1.2\n"); 315 BIO_printf(bio_err, " -no_tls1_2 - Just disable TLSv1.2\n");
316 BIO_printf(bio_err, " -no_tls1_3 - Just disable TLSv1.3\n");
315#ifndef OPENSSL_NO_DH 317#ifndef OPENSSL_NO_DH
316 BIO_printf(bio_err, " -no_dhe - Disable ephemeral DH\n"); 318 BIO_printf(bio_err, " -no_dhe - Disable ephemeral DH\n");
317#endif 319#endif
@@ -581,6 +583,7 @@ s_server_main(int argc, char *argv[])
581 const char *alpn_in = NULL; 583 const char *alpn_in = NULL;
582 const char *groups_in = NULL; 584 const char *groups_in = NULL;
583 tlsextalpnctx alpn_ctx = { NULL, 0 }; 585 tlsextalpnctx alpn_ctx = { NULL, 0 };
586 uint16_t min_version = 0, max_version = 0;
584 587
585 if (single_execution) { 588 if (single_execution) {
586 if (pledge("stdio rpath inet dns tty", NULL) == -1) { 589 if (pledge("stdio rpath inet dns tty", NULL) == -1) {
@@ -589,7 +592,7 @@ s_server_main(int argc, char *argv[])
589 } 592 }
590 } 593 }
591 594
592 meth = SSLv23_server_method(); 595 meth = TLS_server_method();
593 596
594 local_argc = argc; 597 local_argc = argc;
595 local_argv = argv; 598 local_argv = argv;
@@ -774,20 +777,28 @@ s_server_main(int argc, char *argv[])
774 off |= SSL_OP_NO_TLSv1_1; 777 off |= SSL_OP_NO_TLSv1_1;
775 } else if (strcmp(*argv, "-no_tls1_2") == 0) { 778 } else if (strcmp(*argv, "-no_tls1_2") == 0) {
776 off |= SSL_OP_NO_TLSv1_2; 779 off |= SSL_OP_NO_TLSv1_2;
780 } else if (strcmp(*argv, "-no_tls1_3") == 0) {
781 off |= SSL_OP_NO_TLSv1_3;
777 } else if (strcmp(*argv, "-no_comp") == 0) { 782 } else if (strcmp(*argv, "-no_comp") == 0) {
778 off |= SSL_OP_NO_COMPRESSION; 783 off |= SSL_OP_NO_COMPRESSION;
779 } else if (strcmp(*argv, "-no_ticket") == 0) { 784 } else if (strcmp(*argv, "-no_ticket") == 0) {
780 off |= SSL_OP_NO_TICKET; 785 off |= SSL_OP_NO_TICKET;
781 } else if (strcmp(*argv, "-tls1") == 0) { 786 } else if (strcmp(*argv, "-tls1") == 0) {
782 meth = TLSv1_server_method(); 787 min_version = TLS1_VERSION;
788 max_version = TLS1_VERSION;
783 } else if (strcmp(*argv, "-tls1_1") == 0) { 789 } else if (strcmp(*argv, "-tls1_1") == 0) {
784 meth = TLSv1_1_server_method(); 790 min_version = TLS1_1_VERSION;
791 max_version = TLS1_1_VERSION;
785 } else if (strcmp(*argv, "-tls1_2") == 0) { 792 } else if (strcmp(*argv, "-tls1_2") == 0) {
786 meth = TLSv1_2_server_method(); 793 min_version = TLS1_2_VERSION;
794 max_version = TLS1_2_VERSION;
795 } else if (strcmp(*argv, "-tls1_3") == 0) {
796 min_version = TLS1_3_VERSION;
797 max_version = TLS1_3_VERSION;
787 } 798 }
788#ifndef OPENSSL_NO_DTLS1 799#ifndef OPENSSL_NO_DTLS1
789 else if (strcmp(*argv, "-dtls1") == 0) { 800 else if (strcmp(*argv, "-dtls1") == 0) {
790 meth = DTLSv1_server_method(); 801 meth = DTLS_server_method();
791 socket_type = SOCK_DGRAM; 802 socket_type = SOCK_DGRAM;
792 } else if (strcmp(*argv, "-timeout") == 0) 803 } else if (strcmp(*argv, "-timeout") == 0)
793 enable_timeouts = 1; 804 enable_timeouts = 1;
@@ -956,6 +967,12 @@ s_server_main(int argc, char *argv[])
956 ERR_print_errors(bio_err); 967 ERR_print_errors(bio_err);
957 goto end; 968 goto end;
958 } 969 }
970
971 if (!SSL_CTX_set_min_proto_version(ctx, min_version))
972 goto end;
973 if (!SSL_CTX_set_max_proto_version(ctx, max_version))
974 goto end;
975
959 if (session_id_prefix) { 976 if (session_id_prefix) {
960 if (strlen(session_id_prefix) >= 32) 977 if (strlen(session_id_prefix) >= 32)
961 BIO_printf(bio_err, 978 BIO_printf(bio_err,
@@ -1009,6 +1026,11 @@ s_server_main(int argc, char *argv[])
1009 ERR_print_errors(bio_err); 1026 ERR_print_errors(bio_err);
1010 goto end; 1027 goto end;
1011 } 1028 }
1029
1030 if (!SSL_CTX_set_min_proto_version(ctx2, min_version))
1031 goto end;
1032 if (!SSL_CTX_set_max_proto_version(ctx2, max_version))
1033 goto end;
1012 } 1034 }
1013 if (ctx2) { 1035 if (ctx2) {
1014 BIO_printf(bio_s_out, "Setting secondary ctx parameters\n"); 1036 BIO_printf(bio_s_out, "Setting secondary ctx parameters\n");
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-11-23 07:10:43 +0000