Backport TLS v1.1 support from HEAD

diff --git a/CHANGES b/CHANGES
index d01a1bd5706e1cd836e4b68cbd6f6ac738996dfa..ccf35e4af98ad338ae570affdeddbe9760eb46b3 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,7 +4,15 @@
 
  Changes between 1.0.0a and 1.0.1  [xx XXX xxxx]
 
-  *)
+  *) Initial TLSv1.1 support. Since TLSv1.1 is very similar to TLS v1.0 only
+     a few changes are required:
+
+       Add SSL_OP_NO_TLSv1_1 flag.
+       Add TLSv1_1 methods.
+       Update version checking logic to handle version 1.1.
+       Add explicit IV handling (ported from DTLS code).
+       Add command line options to s_client/s_server.
+     [Steve Henson]
 
  Changes between 1.0.0a and 1.0.0b  [xx XXX xxxx]
 

diff --git a/apps/s_client.c b/apps/s_client.c
index 34ad2cec78e25879b7c48e56662a63173160439e..484d009987b6690291d844f7fb1b5e317fff2cb0 100644 (file)
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -318,10 +318,11 @@ static void sc_usage(void)
 #endif
        BIO_printf(bio_err," -ssl2         - just use SSLv2\n");
        BIO_printf(bio_err," -ssl3         - just use SSLv3\n");
+       BIO_printf(bio_err," -tls1_1       - just use TLSv1.1\n");
        BIO_printf(bio_err," -tls1         - just use TLSv1\n");
        BIO_printf(bio_err," -dtls1        - just use DTLSv1\n");    
        BIO_printf(bio_err," -mtu          - set the link layer MTU\n");
-       BIO_printf(bio_err," -no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
+       BIO_printf(bio_err," -no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
        BIO_printf(bio_err," -bugs         - Switch on all SSL implementation bug workarounds\n");
        BIO_printf(bio_err," -serverpref   - Use server's cipher preferences (only SSLv2)\n");
        BIO_printf(bio_err," -cipher       - preferred cipher to use, use the 'openssl ciphers'\n");
@@ -597,6 +598,8 @@ int MAIN(int argc, char **argv)
                        meth=SSLv3_client_method();
 #endif
 #ifndef OPENSSL_NO_TLS1
+               else if (strcmp(*argv,"-tls1_1") == 0)
+                       meth=TLSv1_1_client_method();
                else if (strcmp(*argv,"-tls1") == 0)
                        meth=TLSv1_client_method();
 #endif
@@ -645,6 +648,8 @@ int MAIN(int argc, char **argv)
                        if (--argc < 1) goto bad;
                        CAfile= *(++argv);
                        }
+               else if (strcmp(*argv,"-no_tls1_1") == 0)
+                       off|=SSL_OP_NO_TLSv1_1;
                else if (strcmp(*argv,"-no_tls1") == 0)
                        off|=SSL_OP_NO_TLSv1;
                else if (strcmp(*argv,"-no_ssl3") == 0)

diff --git a/apps/s_server.c b/apps/s_server.c
index 8a0c34cf0f08df0c2b5e72d3268265d90342c357..49bfc816a110b12c22d1693591e41e77df9642cc 100644 (file)
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -458,6 +458,7 @@ static void sv_usage(void)
 #endif
        BIO_printf(bio_err," -ssl2         - Just talk SSLv2\n");
        BIO_printf(bio_err," -ssl3         - Just talk SSLv3\n");
+       BIO_printf(bio_err," -tls1_1       - Just talk TLSv1_1\n");
        BIO_printf(bio_err," -tls1         - Just talk TLSv1\n");
        BIO_printf(bio_err," -dtls1        - Just talk DTLSv1\n");
        BIO_printf(bio_err," -timeout      - Enable timeouts\n");
@@ -466,6 +467,7 @@ static void sv_usage(void)
        BIO_printf(bio_err," -no_ssl2      - Just disable SSLv2\n");
        BIO_printf(bio_err," -no_ssl3      - Just disable SSLv3\n");
        BIO_printf(bio_err," -no_tls1      - Just disable TLSv1\n");
+       BIO_printf(bio_err," -no_tls1_1    - Just disable TLSv1.1\n");
 #ifndef OPENSSL_NO_DH
        BIO_printf(bio_err," -no_dhe       - Disable ephemeral DH\n");
 #endif