From d44a6d684b802e01d8b30bbd1a83d4f071b901aa Mon Sep 17 00:00:00 2001
From: inoguchi <>
Date: Wed, 13 May 2020 10:18:03 +0000
Subject: Add -tls1_3 and -no_tls1_3 options to openssl(1) s_server

- Add -tls1_3 and -no_tls1_3 to openssl(1) s_server
- Stop using version pinned methods, instead setting the min and max protocol versions

ok jsing@ tb@
---
 src/usr.bin/openssl/s_server.c | 34 ++++++++++++++++++++++++++++------
 1 file changed, 28 insertions(+), 6 deletions(-)
(limited to 'src')

diff --git a/src/usr.bin/openssl/s_server.c b/src/usr.bin/openssl/s_server.c
index 8b9512fdc3..b397e6966d 100644
--- a/src/usr.bin/openssl/s_server.c
+++ b/src/usr.bin/openssl/s_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_server.c,v 1.34 2020/05/10 16:55:28 beck Exp $ */
+/* $OpenBSD: s_server.c,v 1.35 2020/05/13 10:18:03 inoguchi Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -300,6 +300,7 @@ sv_usage(void)
 	BIO_printf(bio_err, " -cipher arg - play with 'openssl ciphers' to see what goes here\n");
 	BIO_printf(bio_err, " -serverpref - Use server's cipher preferences\n");
 	BIO_printf(bio_err, " -quiet - Inhibit printing of session and certificate information\n");
+	BIO_printf(bio_err, " -tls1_3 - Just talk TLSv1.3\n");
 	BIO_printf(bio_err, " -tls1_2 - Just talk TLSv1.2\n");
 	BIO_printf(bio_err, " -tls1_1 - Just talk TLSv1.1\n");
 	BIO_printf(bio_err, " -tls1 - Just talk TLSv1\n");
@@ -312,6 +313,7 @@ sv_usage(void)
 	BIO_printf(bio_err, " -no_tls1 - Just disable TLSv1\n");
 	BIO_printf(bio_err, " -no_tls1_1 - Just disable TLSv1.1\n");
 	BIO_printf(bio_err, " -no_tls1_2 - Just disable TLSv1.2\n");
+	BIO_printf(bio_err, " -no_tls1_3 - Just disable TLSv1.3\n");
 #ifndef OPENSSL_NO_DH
 	BIO_printf(bio_err, " -no_dhe - Disable ephemeral DH\n");
 #endif
@@ -581,6 +583,7 @@ s_server_main(int argc, char *argv[])
 	const char *alpn_in = NULL;
 	const char *groups_in = NULL;
 	tlsextalpnctx alpn_ctx = { NULL, 0 };
+	uint16_t min_version = 0, max_version = 0;
 
 	if (single_execution) {
 		if (pledge("stdio rpath inet dns tty", NULL) == -1) {
@@ -589,7 +592,7 @@ s_server_main(int argc, char *argv[])
 		}
 	}
 
-	meth = SSLv23_server_method();
+	meth = TLS_server_method();
 
 	local_argc = argc;
 	local_argv = argv;
@@ -774,20 +777,28 @@ s_server_main(int argc, char *argv[])
 			off |= SSL_OP_NO_TLSv1_1;
 		} else if (strcmp(*argv, "-no_tls1_2") == 0) {
 			off |= SSL_OP_NO_TLSv1_2;
+		} else if (strcmp(*argv, "-no_tls1_3") == 0) {
+			off |= SSL_OP_NO_TLSv1_3;
 		} else if (strcmp(*argv, "-no_comp") == 0) {
 			off |= SSL_OP_NO_COMPRESSION;
 		} else if (strcmp(*argv, "-no_ticket") == 0) {
 			off |= SSL_OP_NO_TICKET;
 		} else if (strcmp(*argv, "-tls1") == 0) {
-			meth = TLSv1_server_method();
+			min_version = TLS1_VERSION;
+			max_version = TLS1_VERSION;
 		} else if (strcmp(*argv, "-tls1_1") == 0) {
-			meth = TLSv1_1_server_method();
+			min_version = TLS1_1_VERSION;
+			max_version = TLS1_1_VERSION;
 		} else if (strcmp(*argv, "-tls1_2") == 0) {
-			meth = TLSv1_2_server_method();
+			min_version = TLS1_2_VERSION;
+			max_version = TLS1_2_VERSION;
+		} else if (strcmp(*argv, "-tls1_3") == 0) {
+			min_version = TLS1_3_VERSION;
+			max_version = TLS1_3_VERSION;
 		}
 #ifndef OPENSSL_NO_DTLS1
 		else if (strcmp(*argv, "-dtls1") == 0) {
-			meth = DTLSv1_server_method();
+			meth = DTLS_server_method();
 			socket_type = SOCK_DGRAM;
 		} else if (strcmp(*argv, "-timeout") == 0)
 			enable_timeouts = 1;
@@ -956,6 +967,12 @@ s_server_main(int argc, char *argv[])
 		ERR_print_errors(bio_err);
 		goto end;
 	}
+
+	if (!SSL_CTX_set_min_proto_version(ctx, min_version))
+		goto end;
+	if (!SSL_CTX_set_max_proto_version(ctx, max_version))
+		goto end;
+
 	if (session_id_prefix) {
 		if (strlen(session_id_prefix) >= 32)
 			BIO_printf(bio_err,
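Review bot: The initializer `uint16_t min_version = 0, max_version = 0;` relies on 0 meaning "no explicit bound" when the values are later handed to `SSL_CTX_set_min_proto_version`/`SSL_CTX_set_max_proto_version`, and nothing in the code says so. A trailing comment, `/* 0: keep the method's default protocol bounds */`, would save the next reader a trip to the library documentation. s_server_main's declarations continue outside the hunk.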
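Review bot: In the -774 hunk the `-dtls1` branch still only swaps `meth`, so `min_version`/`max_version` left behind by an earlier `-tls1_*` option are later applied to a context created from `DTLS_server_method()`; before this change the last `meth` assignment simply won. Whether `SSL_CTX_set_min_proto_version` accepts a TLS version number on a DTLS context is not visible here, so the combination should either be rejected at parse time or the `-dtls1` branch should carry a comment stating that it overrides any pinned TLS version. On style, each pinned option repeats the same two assignments; `min_version = max_version = TLS1_3_VERSION;` (and likewise for the other three) keeps the pairing obvious. The enclosing option loop starts and ends outside the hunk.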
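Review bot: Both new `goto end` exits in the -956 hunk leave no diagnostic when `SSL_CTX_set_min_proto_version` or `SSL_CTX_set_max_proto_version` fails, whereas the `SSL_CTX_new` failure directly above prints the error queue before jumping; the same applies to the `ctx2` hunk at -1009. A user who passes a bound the library rejects gets a silent non-zero exit. Matching the surrounding style is a one-line change per call: `if (!SSL_CTX_set_min_proto_version(ctx, min_version)) { ERR_print_errors(bio_err); goto end; }` and the same for the max call. Whether the library queues an error for this case is not visible here; if it does not, a `BIO_printf(bio_err, ...)` naming the rejected bound would be the fallback. s_server_main starts and ends outside the hunk.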
@@ -1009,6 +1026,11 @@ s_server_main(int argc, char *argv[])
 			ERR_print_errors(bio_err);
 			goto end;
 		}
+
+		if (!SSL_CTX_set_min_proto_version(ctx2, min_version))
+			goto end;
+		if (!SSL_CTX_set_max_proto_version(ctx2, max_version))
+			goto end;
 	}
 	if (ctx2) {
 		BIO_printf(bio_s_out, "Setting secondary ctx parameters\n");
-- 
cgit v1.2.3-55-g6feb