"Extra certificates to provide to TLS server during TLS handshake"},
{"tls_trusted", OPT_TLS_TRUSTED, 's',
"Trusted certificates to use for verifying the TLS server certificate;"},
- {OPT_MORE_STR, 0, 0, "this implies host name validation"},
+ {OPT_MORE_STR, 0, 0, "this implies hostname validation"},
{"tls_host", OPT_TLS_HOST, 's',
- "Address to be checked (rather than -server) during TLS host name validation"},
+ "Address to be checked (rather than -server) during TLS hostname validation"},
#endif
OPT_SECTION("Client-side debugging"),
return csr;
}
-/* set expected host name/IP addr and clears the email addr in the given ts */
+/* set expected hostname/IP addr and clears the email addr in the given ts */
static int truststore_set_host_etc(X509_STORE *ts, const char *host)
{
X509_VERIFY_PARAM *ts_vpm = X509_STORE_get0_param(ts);
- /* first clear any host names, IP, and email addresses */
+ /* first clear any hostnames, IP, and email addresses */
if (!X509_VERIFY_PARAM_set1_host(ts_vpm, NULL, 0)
|| !X509_VERIFY_PARAM_set1_ip(ts_vpm, NULL, 0)
|| !X509_VERIFY_PARAM_set1_email(ts_vpm, NULL, 0))
if (trust_store == NULL)
goto err;
SSL_CTX_set_cert_store(ssl_ctx, trust_store);
+ SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL);
+ } else {
+ CMP_warn("-tls_used given without -tls_trusted; will not authenticate the TLS server");
}
if (opt_tls_cert != NULL && opt_tls_key != NULL) {
goto err;
}
EVP_PKEY_free(pkey); /* we do not need the handle any more */
+ } else {
+ CMP_warn("-tls_used given without -tls_key; cannot authenticate to the TLS server");
}
- if (opt_tls_trusted != NULL) {
- /* enable and parameterize server hostname/IP address check */
+ if (trust_store != NULL) {
+ /*
+ * Enable and parameterize server hostname/IP address check.
+ * If we did this before checking our own TLS cert
+ * the expected hostname would mislead the check.
+ */
if (!truststore_set_host_etc(trust_store,
opt_tls_host != NULL ? opt_tls_host : host))
goto err;
- SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL);
}
return ssl_ctx;
err:
int ret = 0;
char *host = NULL, *port = NULL, *path = NULL, *used_path = opt_path;
#ifndef OPENSSL_NO_SOCK
- int portnum, ssl;
+ int portnum, use_ssl;
static char server_port[32] = { '\0' };
const char *proxy_host = NULL;
#endif
}
goto set_path;
}
- if (!OSSL_HTTP_parse_url(opt_server, &ssl, NULL /* user */, &host, &port,
+ if (!OSSL_HTTP_parse_url(opt_server, &use_ssl, NULL /* user */, &host, &port,
&portnum, &path, NULL /* q */, NULL /* frag */)) {
CMP_err1("cannot parse -server URL: %s", opt_server);
goto err;
}
- if (ssl && !opt_tls_used) {
- CMP_err("missing -tls_used option since -server URL indicates https");
+ if (use_ssl && !opt_tls_used) {
+ CMP_err("missing -tls_used option since -server URL indicates HTTPS");
goto err;
}
opt_tls_used ? "s" : "", host, port,
*used_path == '/' ? used_path + 1 : used_path);
- proxy_host = OSSL_HTTP_adapt_proxy(opt_proxy, opt_no_proxy, host, ssl);
+ proxy_host = OSSL_HTTP_adapt_proxy(opt_proxy, opt_no_proxy, host, use_ssl);
if (proxy_host != NULL)
(void)BIO_snprintf(proxy_buf, sizeof(proxy_buf), " via %s", proxy_host);
}
#ifndef OPENSSL_NO_SOCK
- if ((opt_tls_cert != NULL || opt_tls_key != NULL
- || opt_tls_keypass != NULL || opt_tls_extra != NULL
- || opt_tls_trusted != NULL || opt_tls_host != NULL)
- && !opt_tls_used)
- CMP_warn("Ingnoring TLS options(s) since -tls_used is not given");
+ if (opt_tls_cert == NULL && opt_tls_key == NULL && opt_tls_keypass == NULL
+ && opt_tls_extra == NULL && opt_tls_trusted == NULL
+ && opt_tls_host == NULL) {
+ if (opt_tls_used)
+ CMP_warn("-tls_used given without any other TLS options");
+ } else if (!opt_tls_used)
+ CMP_warn("ignoring TLS options(s) since -tls_used is not given");
if (opt_port != NULL) {
if (opt_tls_used) {
CMP_err("-tls_used option not supported with -port option");
of the CMP server to connect to using HTTP(S).
This excludes I<-port> and I<-use_mock_srv> and is ignored with I<-rspin>.
-The scheme C<https> may be given only if the B<-tls_used> option is used.
+The scheme C<https> may be given only if the B<-tls_used> option is provided.
In this case the default port is 443, else 80.
The optional userinfo and fragment components are ignored.
Any given query component is handled as part of the path component.
applies, see below.
The proxy port defaults to 80 or 443 if the scheme is C<https>; apart from that
the optional C<http://> or C<https://> prefix is ignored (note that TLS may be
-selected by B<-tls_used>), as well as any path, userinfo, and query, and fragment
+enabled by B<-tls_used>), as well as any path, userinfo, and query, and fragment
components.
Defaults to the environment variable C<http_proxy> if set, else C<HTTP_PROXY>
in case no TLS is used, otherwise C<https_proxy> if set, else C<HTTPS_PROXY>.
=item B<-tls_used>
-Enable using TLS (even when other TLS_related options are not set)
-when connecting to CMP server via HTTP.
+Enable using TLS (even when other TLS-related options are not set)
+for message exchange with CMP server via HTTP.
This option is not supported with the I<-port> option
and is ignored with the I<-use_mock_srv> and I<-rspin> options
or if the I<-server> option is not given.
+The following TLS-related options are ignored if B<-tls_used> is not given.
+
=item B<-tls_cert> I<filename>|I<uri>
-Client's TLS certificate.
+Client's TLS certificate to use for authenticating to the TLS server.
If the source includes further certs they are used (along with B<-untrusted>
certs) for constructing the client cert chain provided to the TLS server.
=item B<-tls_extra> I<filenames>|I<uris>
-Extra certificates to provide to TLS server during TLS handshake
+Extra certificates to provide to the TLS server during handshake.
=item B<-tls_trusted> I<filenames>|I<uris>
projects / openssl.git / commitdiff