projects / openssl.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
make kerberos work with OPENSSL_NO_SSL_INTERN
[openssl.git] / apps / s_server.c
diff --git a/apps/s_server.c b/apps/s_server.c
index b3ec6091bc7ab974c0ab1aafde7e879700e2e023..0a367732da42a1a7fe224b979b1f5e6d892f18f1 100644 (file)
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -186,6 +186,9 @@ typedef unsigned int u_int;
 #ifndef OPENSSL_NO_RSA
 #include <openssl/rsa.h>
 #endif
+#ifndef OPENSSL_NO_SRP
+#include <openssl/srp.h>
+#endif
 #include "s_apps.h"
 #include "timeouts.h"
 
@@ -298,11 +301,13 @@ static const char *session_id_prefix=NULL;
 
 static int enable_timeouts = 0;
 static long socket_mtu;
+#ifndef OPENSSL_NO_DTLS1
 static int cert_chain = 0;
+#endif
 
 #ifndef OPENSSL_NO_PSK
 static char *psk_identity="Client_identity";
-static char *psk_key=NULL; /* by default PSK is not used */
+char *psk_key=NULL; /* by default PSK is not used */
 
 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
        unsigned char *psk, unsigned int max_psk_len)
@@ -325,7 +330,9 @@ static unsigned int psk_server_cb(SSL *ssl, const char *identity,
        /* here we could lookup the given identity e.g. from a database */
        if (strcmp(identity, psk_identity) != 0)
                {
-                BIO_printf(bio_s_out, "PSK error: client identity not found\n");
+                BIO_printf(bio_s_out, "PSK error: client identity not found"
+                          " (got '%s' expected '%s')\n", identity,
+                          psk_identity);
                goto out_err;
                 }
        if (s_debug)
@@ -365,6 +372,40 @@ static unsigned int psk_server_cb(SSL *ssl, const char *identity,
         }
 #endif
 
+#ifndef OPENSSL_NO_SRP
+/* This is a context that we pass to callbacks */
+typedef struct srpsrvparm_st
+       {
+       int verbose;
+       char *login;
+       SRP_VBASE *vb;
+       } srpsrvparm;
+
+static int MS_CALLBACK ssl_srp_server_param_cb(SSL *s, int *ad, void *arg)
+       {
+       srpsrvparm *p = (srpsrvparm *) arg;
+       SRP_user_pwd *user;
+
+       p->login = BUF_strdup(SSL_get_srp_username(s));
+       BIO_printf(bio_err, "SRP username = \"%s\"\n", p->login);
+
+       user = SRP_VBASE_get_by_user(p->vb, p->login);
+       if (user == NULL)
+               {
+               BIO_printf(bio_err, "User %s doesn't exist\n", p->login);
+               return SSL3_AL_FATAL;
+               }
+       if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
+                                    user->info) < 0)
+               {
+               *ad = SSL_AD_INTERNAL_ERROR;
+               return SSL3_AL_FATAL;
+               }
+       return SSL_ERROR_NONE;
+       }
+
+#endif
+
 #ifdef MONOLITH
 static void s_server_init(void)
        {
@@ -408,6 +449,11 @@ static void sv_usage(void)
        BIO_printf(bio_err," -Verify arg   - turn on peer certificate verification, must have a cert.\n");
        BIO_printf(bio_err," -cert arg     - certificate file to use\n");
        BIO_printf(bio_err,"                 (default is %s)\n",TEST_CERT);
+       BIO_printf(bio_err," -crl_check    - check the peer certificate has not been revoked by its CA.\n" \
+                          "                 The CRL(s) are appended to the certificate file\n");
+       BIO_printf(bio_err," -crl_check_all - check the peer certificate has not been revoked by its CA\n" \
+                          "                 or any other CRL in the CA chain. CRL(s) are appened to the\n" \
+                          "                 the certificate file.\n");
        BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n");
        BIO_printf(bio_err," -key arg      - Private Key file to use, in cert file if\n");
        BIO_printf(bio_err,"                 not specified (default is %s)\n",TEST_CERT);
@@ -443,17 +489,28 @@ static void sv_usage(void)
 #ifndef OPENSSL_NO_PSK
        BIO_printf(bio_err," -psk_hint arg - PSK identity hint to use\n");
        BIO_printf(bio_err," -psk arg      - PSK in hex (without 0x)\n");
+# ifndef OPENSSL_NO_JPAKE
+       BIO_printf(bio_err," -jpake arg    - JPAKE secret to use\n");
+# endif
+#endif
+#ifndef OPENSSL_NO_SRP
+       BIO_printf(bio_err," -srpvfile file      - The verifier file for SRP\n");
+       BIO_printf(bio_err," -srpuserseed string - A seed string for a default user salt.\n");
 #endif
        BIO_printf(bio_err," -ssl2         - Just talk SSLv2\n");
        BIO_printf(bio_err," -ssl3         - Just talk SSLv3\n");
+       BIO_printf(bio_err," -tls1_2       - Just talk TLSv1.2\n");
+       BIO_printf(bio_err," -tls1_1       - Just talk TLSv1.1\n");
        BIO_printf(bio_err," -tls1         - Just talk TLSv1\n");
        BIO_printf(bio_err," -dtls1        - Just talk DTLSv1\n");
        BIO_printf(bio_err," -timeout      - Enable timeouts\n");
-       BIO_printf(bio_err," -mtu          - Set MTU\n");
+       BIO_printf(bio_err," -mtu          - Set link layer MTU\n");
        BIO_printf(bio_err," -chain        - Read a certificate chain\n");
        BIO_printf(bio_err," -no_ssl2      - Just disable SSLv2\n");
        BIO_printf(bio_err," -no_ssl3      - Just disable SSLv3\n");
        BIO_printf(bio_err," -no_tls1      - Just disable TLSv1\n");
+       BIO_printf(bio_err," -no_tls1_1    - Just disable TLSv1.1\n");
+       BIO_printf(bio_err," -no_tls1_2    - Just disable TLSv1.2\n");
 #ifndef OPENSSL_NO_DH
        BIO_printf(bio_err," -no_dhe       - Disable ephemeral DH\n");
 #endif
@@ -479,6 +536,7 @@ static void sv_usage(void)
        BIO_printf(bio_err,"                 not specified (default is %s)\n",TEST_CERT2);
        BIO_printf(bio_err," -tlsextdebug  - hex dump of all TLS extensions received\n");
        BIO_printf(bio_err," -no_ticket    - disable use of RFC4507bis session tickets\n");
+       BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
 #endif
        }
 
@@ -661,7 +719,7 @@ static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
                        return p->extension_error;
                if (ctx2)
                        {
-                       BIO_printf(p->biodebug,"Swiching server context.\n");
+                       BIO_printf(p->biodebug,"Switching server context.\n");
                        SSL_set_SSL_CTX(s,ctx2);
                        }     
                }
@@ -700,7 +758,7 @@ static int cert_status_cb(SSL *s, void *arg)
        int use_ssl;
        unsigned char *rspder = NULL;
        int rspderlen;
-       STACK *aia = NULL;
+       STACK_OF(OPENSSL_STRING) *aia = NULL;
        X509 *x = NULL;
        X509_STORE_CTX inctx;
        X509_OBJECT obj;
@@ -722,7 +780,7 @@ BIO_printf(err, "cert_status: received %d ids\n", sk_OCSP_RESPID_num(ids));
        aia = X509_get1_ocsp(x);
        if (aia)
                {
-               if (!OCSP_parse_url(sk_value(aia, 0),
+               if (!OCSP_parse_url(sk_OPENSSL_STRING_value(aia, 0),
                        &host, &port, &path, &use_ssl))
                        {
                        BIO_puts(err, "cert_status: can't parse AIA URL\n");
@@ -730,7 +788,7 @@ BIO_printf(err, "cert_status: received %d ids\n", sk_OCSP_RESPID_num(ids));
                        }
                if (srctx->verbose)
                        BIO_printf(err, "cert_status: AIA URL: %s\n",
-                                       sk_value(aia, 0));
+                                       sk_OPENSSL_STRING_value(aia, 0));
                }
        else
                {
@@ -775,7 +833,7 @@ BIO_printf(err, "cert_status: received %d ids\n", sk_OCSP_RESPID_num(ids));
                if (!OCSP_REQUEST_add_ext(req, ext, -1))
                        goto err;
                }
-       resp = process_responder(err, req, host, path, port, use_ssl,
+       resp = process_responder(err, req, host, path, port, use_ssl, NULL,
                                        srctx->timeout);
        if (!resp)
                {
@@ -817,10 +875,14 @@ BIO_printf(err, "cert_status: received %d ids\n", sk_OCSP_RESPID_num(ids));
 
 int MAIN(int, char **);
 
+#ifndef OPENSSL_NO_JPAKE
+static char *jpake_secret = NULL;
+#endif
+
 int MAIN(int argc, char *argv[])
        {
-       X509_STORE *store = NULL;
-       int vflags = 0;
+       X509_VERIFY_PARAM *vpm = NULL;
+       int badarg = 0;
        short port=PORT;
        char *CApath=NULL,*CAfile=NULL;
        unsigned char *context = NULL;
@@ -835,9 +897,7 @@ int MAIN(int argc, char *argv[])
        int state=0;
        const SSL_METHOD *meth=NULL;
        int socket_type=SOCK_STREAM;
-#ifndef OPENSSL_NO_ENGINE
        ENGINE *e=NULL;
-#endif
        char *inrand=NULL;
        int s_cert_format = FORMAT_PEM, s_key_format = FORMAT_PEM;
        char *passarg = NULL, *pass = NULL;
@@ -845,11 +905,11 @@ int MAIN(int argc, char *argv[])
        int s_dcert_format = FORMAT_PEM, s_dkey_format = FORMAT_PEM;
        X509 *s_cert = NULL, *s_dcert = NULL;
        EVP_PKEY *s_key = NULL, *s_dkey = NULL;
+       int no_cache = 0;
 #ifndef OPENSSL_NO_TLSEXT
        EVP_PKEY *s_key2 = NULL;
        X509 *s_cert2 = NULL;
 #endif
-
 #ifndef OPENSSL_NO_TLSEXT
         tlsextctx tlsextcbp = {NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING};
 #endif
@@ -857,12 +917,21 @@ int MAIN(int argc, char *argv[])
        /* by default do not send a PSK identity hint */
        static char *psk_identity_hint=NULL;
 #endif
+#ifndef OPENSSL_NO_SRP
+       char *srpuserseed = NULL;
+       char *srp_verifier_file = NULL;
+       srpsrvparm p;
+#endif
 #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
        meth=SSLv23_server_method();
 #elif !defined(OPENSSL_NO_SSL3)
        meth=SSLv3_server_method();
 #elif !defined(OPENSSL_NO_SSL2)
        meth=SSLv2_server_method();
+#elif !defined(OPENSSL_NO_TLS1)
+       meth=TLSv1_server_method();
+#else
+  /*  #error no SSL version enabled */
 #endif
 
        local_argc=argc;
@@ -988,18 +1057,20 @@ int MAIN(int argc, char *argv[])
                        if (--argc < 1) goto bad;
                        CApath= *(++argv);
                        }
-               else if (strcmp(*argv,"-crl_check") == 0)
-                       {
-                       vflags |= X509_V_FLAG_CRL_CHECK;
-                       }
-               else if (strcmp(*argv,"-crl_check") == 0)
+               else if (strcmp(*argv,"-no_cache") == 0)
+                       no_cache = 1;
+               else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
                        {
-                       vflags |= X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL;
+                       if (badarg)
+                               goto bad;
+                       continue;
                        }
                else if (strcmp(*argv,"-verify_return_error") == 0)
                        verify_return_error = 1;
                else if (strcmp(*argv,"-serverpref") == 0)
                        { off|=SSL_OP_CIPHER_SERVER_PREFERENCE; }
+               else if (strcmp(*argv,"-legacy_renegotiation") == 0)
+                       off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
                else if (strcmp(*argv,"-cipher") == 0)
                        {
                        if (--argc < 1) goto bad;
@@ -1092,6 +1163,20 @@ int MAIN(int argc, char *argv[])
                                goto bad;
                                }
                        }
+#endif
+#ifndef OPENSSL_NO_SRP
+               else if (strcmp(*argv, "-srpvfile") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       srp_verifier_file = *(++argv);
+                       meth=TLSv1_server_method();
+                       }
+               else if (strcmp(*argv, "-srpuserseed") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       srpuserseed = *(++argv);
+                       meth=TLSv1_server_method();
+                       }
 #endif
                else if (strcmp(*argv,"-www") == 0)
                        { www=1; }
@@ -1105,6 +1190,10 @@ int MAIN(int argc, char *argv[])
                        { off|=SSL_OP_NO_SSLv3; }
                else if (strcmp(*argv,"-no_tls1") == 0)
                        { off|=SSL_OP_NO_TLSv1; }
+               else if (strcmp(*argv,"-no_tls1_1") == 0)
+                       { off|=SSL_OP_NO_TLSv1_1; }
+               else if (strcmp(*argv,"-no_tls1_2") == 0)
+                       { off|=SSL_OP_NO_TLSv1_2; }
                else if (strcmp(*argv,"-no_comp") == 0)
                        { off|=SSL_OP_NO_COMPRESSION; }
 #ifndef OPENSSL_NO_TLSEXT
@@ -1122,6 +1211,10 @@ int MAIN(int argc, char *argv[])
 #ifndef OPENSSL_NO_TLS1
                else if (strcmp(*argv,"-tls1") == 0)
                        { meth=TLSv1_server_method(); }
+               else if (strcmp(*argv,"-tls1_1") == 0)
+                       { meth=TLSv1_1_server_method(); }
+               else if (strcmp(*argv,"-tls1_2") == 0)
+                       { meth=TLSv1_2_server_method(); }
 #endif
 #ifndef OPENSSL_NO_DTLS1
                else if (strcmp(*argv,"-dtls1") == 0)
@@ -1174,6 +1267,14 @@ int MAIN(int argc, char *argv[])
                        if (--argc < 1) goto bad;
                        s_key_file2= *(++argv);
                        }
+                       
+#endif
+#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
+               else if (strcmp(*argv,"-jpake") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       jpake_secret = *(++argv);
+                       }
 #endif
                else
                        {
@@ -1191,6 +1292,26 @@ bad:
                goto end;
                }
 
+#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
+       if (jpake_secret)
+               {
+               if (psk_key)
+                       {
+                       BIO_printf(bio_err,
+                                  "Can't use JPAKE and PSK together\n");
+                       goto end;
+                       }
+               psk_identity = "JPAKE";
+               if (cipher)
+                       {
+                       BIO_printf(bio_err, "JPAKE sets cipher to PSK\n");
+                       goto end;
+                       }
+               cipher = "PSK";
+               }
+
+#endif
+
        SSL_load_error_strings();
        OpenSSL_add_ssl_algorithms();
 
@@ -1342,6 +1463,9 @@ bad:
        SSL_CTX_set_quiet_shutdown(ctx,1);
        if (bugs) SSL_CTX_set_options(ctx,SSL_OP_ALL);
        if (hack) SSL_CTX_set_options(ctx,SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG);
+       /* HACK while TLS v1.2 is disabled by default */
+       if (!(off & SSL_OP_NO_TLSv1_2))
+               SSL_CTX_clear_options(ctx, SSL_OP_NO_TLSv1_2);
        SSL_CTX_set_options(ctx,off);
        /* DTLS: partial reads end up discarding unread UDP bytes :-( 
         * Setting read ahead solves this problem.
@@ -1349,8 +1473,10 @@ bad:
        if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);
 
        if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
-
-       SSL_CTX_sess_set_cache_size(ctx,128);
+       if (no_cache)
+               SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
+       else
+               SSL_CTX_sess_set_cache_size(ctx,128);
 
 #if 0
        if (cipher == NULL) cipher=getenv("SSL_CIPHER");
@@ -1371,8 +1497,8 @@ bad:
                ERR_print_errors(bio_err);
                /* goto end; */
                }
-       store = SSL_CTX_get_cert_store(ctx);
-       X509_STORE_set_flags(store, vflags);
+       if (vpm)
+               SSL_CTX_set1_param(ctx, vpm);
 
 #ifndef OPENSSL_NO_TLSEXT
        if (s_cert2)
@@ -1416,15 +1542,18 @@ bad:
 
                if (state) SSL_CTX_set_info_callback(ctx2,apps_ssl_info_callback);
 
-               SSL_CTX_sess_set_cache_size(ctx2,128);
+               if (no_cache)
+                       SSL_CTX_set_session_cache_mode(ctx2,SSL_SESS_CACHE_OFF);
+               else
+                       SSL_CTX_sess_set_cache_size(ctx2,128);
 
                if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) ||
                        (!SSL_CTX_set_default_verify_paths(ctx2)))
                        {
                        ERR_print_errors(bio_err);
                        }
-               store = SSL_CTX_get_cert_store(ctx2);
-               X509_STORE_set_flags(store, vflags);
+               if (vpm)
+                       SSL_CTX_set1_param(ctx2, vpm);
                }
 #endif 
 
@@ -1575,10 +1704,14 @@ bad:
 #endif
 
 #ifndef OPENSSL_NO_PSK
+#ifdef OPENSSL_NO_JPAKE
        if (psk_key != NULL)
+#else
+       if (psk_key != NULL || jpake_secret)
+#endif
                {
                if (s_debug)
-                       BIO_printf(bio_s_out, "PSK key given, setting server callback\n");
+                       BIO_printf(bio_s_out, "PSK key given or JPAKE in use, setting server callback\n");
                SSL_CTX_set_psk_server_callback(ctx, psk_server_cb);
                }
 
@@ -1611,6 +1744,10 @@ bad:
        SSL_CTX_set_session_id_context(ctx,(void*)&s_server_session_id_context,
                sizeof s_server_session_id_context);
 
+       /* Set DTLS cookie generation and verification callbacks */
+       SSL_CTX_set_cookie_generate_cb(ctx, generate_cookie_callback);
+       SSL_CTX_set_cookie_verify_cb(ctx, verify_cookie_callback);
+
 #ifndef OPENSSL_NO_TLSEXT
        if (ctx2)
                {
@@ -1626,6 +1763,23 @@ bad:
                }
 #endif
 
+#ifndef OPENSSL_NO_SRP
+       if (srp_verifier_file != NULL)
+               {
+               p.vb = SRP_VBASE_new(srpuserseed);
+               if ((ret = SRP_VBASE_init(p.vb, srp_verifier_file)) != SRP_NO_ERROR)
+                       {
+                       BIO_printf(bio_err,
+                                  "Cannot initialize SRP verifier file \"%s\":ret=%d\n",
+                                  srp_verifier_file, ret);
+                               goto end;
+                       }
+               SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE,verify_callback);
+               SSL_CTX_set_srp_cb_arg(ctx, &p);                        
+               SSL_CTX_set_srp_username_callback(ctx, ssl_srp_server_param_cb);
+               }
+       else
+#endif
        if (CAfile != NULL)
                {
                SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(CAfile));
@@ -1707,8 +1861,14 @@ static int sv_body(char *hostname, int s, unsigned char *context)
        unsigned long l;
        SSL *con=NULL;
        BIO *sbio;
+#ifndef OPENSSL_NO_KRB5
+       KSSL_CTX *kctx;
+#endif
+       struct timeval timeout;
 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
        struct timeval tv;
+#else
+       struct timeval *timeoutp;
 #endif
 
        if ((buf=OPENSSL_malloc(bufsize)) == NULL)
@@ -1736,7 +1896,7 @@ static int sv_body(char *hostname, int s, unsigned char *context)
                SSL_set_tlsext_debug_callback(con, tlsext_cb);
                SSL_set_tlsext_debug_arg(con, bio_s_out);
                }
-       if (s_tlsextstatus);
+       if (s_tlsextstatus)
                {
                SSL_CTX_set_tlsext_status_cb(ctx, cert_status_cb);
                tlscstatp.err = bio_err;
@@ -1744,12 +1904,11 @@ static int sv_body(char *hostname, int s, unsigned char *context)
                }
 #endif
 #ifndef OPENSSL_NO_KRB5
-               if ((con->kssl_ctx = kssl_ctx_new()) != NULL)
+               if ((kctx = kssl_ctx_new()) != NULL)
                         {
-                        kssl_ctx_setstring(con->kssl_ctx, KSSL_SERVICE,
-                                                               KRB5SVC);
-                        kssl_ctx_setstring(con->kssl_ctx, KSSL_KEYTAB,
-                                                               KRB5KEYTAB);
+                       SSL_set0_kssl_ctx(con, kctx);
+                        kssl_ctx_setstring(kctx, KSSL_SERVICE, KRB5SVC);
+                        kssl_ctx_setstring(kctx, KSSL_KEYTAB, KRB5KEYTAB);
                         }
 #endif /* OPENSSL_NO_KRB5 */
                if(context)
@@ -1765,7 +1924,6 @@ static int sv_body(char *hostname, int s, unsigned char *context)
 
        if (SSL_version(con) == DTLS1_VERSION)
                {
-               struct timeval timeout;
 
                sbio=BIO_new_dgram(s,BIO_NOCLOSE);
 
@@ -1780,10 +1938,10 @@ static int sv_body(char *hostname, int s, unsigned char *context)
                        BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
                        }
 
-               if (socket_mtu > 0)
+               if (socket_mtu > 28)
                        {
                        SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
-                       SSL_set_mtu(con, socket_mtu);
+                       SSL_set_mtu(con, socket_mtu - 28);
                        }
                else
                        /* want to do MTU discovery */
@@ -1802,13 +1960,18 @@ static int sv_body(char *hostname, int s, unsigned char *context)
                test=BIO_new(BIO_f_nbio_test());
                sbio=BIO_push(test,sbio);
                }
+#ifndef OPENSSL_NO_JPAKE
+       if(jpake_secret)
+               jpake_server_auth(bio_s_out, sbio, jpake_secret);
+#endif
+
        SSL_set_bio(con,sbio,sbio);
        SSL_set_accept_state(con);
        /* SSL_set_fd(con,s); */
 
        if (s_debug)
                {
-               con->debug=1;
+               SSL_set_debug(con, 1);
                BIO_set_callback(SSL_get_rbio(con),bio_dump_callback);
                BIO_set_callback_arg(SSL_get_rbio(con),(char *)bio_s_out);
                }
@@ -1871,7 +2034,19 @@ static int sv_body(char *hostname, int s, unsigned char *context)
                                read_from_terminal = 1;
                        (void)fcntl(fileno(stdin), F_SETFL, 0);
 #else
-                       i=select(width,(void *)&readfds,NULL,NULL,NULL);
+                       if ((SSL_version(con) == DTLS1_VERSION) &&
+                               DTLSv1_get_timeout(con, &timeout))
+                               timeoutp = &timeout;
+                       else
+                               timeoutp = NULL;
+
+                       i=select(width,(void *)&readfds,NULL,NULL,timeoutp);
+
+                       if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0)
+                               {
+                               BIO_printf(bio_err,"TIMEOUT occured\n");
+                               }
+
                        if (i <= 0) continue;
                        if (FD_ISSET(fileno(stdin),&readfds))
                                read_from_terminal = 1;
@@ -2121,17 +2296,20 @@ static int init_ssl_connection(SSL *con)
                BIO_printf(bio_s_out,"Shared ciphers:%s\n",buf);
        str=SSL_CIPHER_get_name(SSL_get_current_cipher(con));
        BIO_printf(bio_s_out,"CIPHER is %s\n",(str != NULL)?str:"(NONE)");
-       if (con->hit) BIO_printf(bio_s_out,"Reused session-id\n");
+       if (SSL_cache_hit(con)) BIO_printf(bio_s_out,"Reused session-id\n");
        if (SSL_ctrl(con,SSL_CTRL_GET_FLAGS,0,NULL) &
                TLS1_FLAGS_TLS_PADDING_BUG)
                BIO_printf(bio_s_out,"Peer has incorrect TLSv1 block padding\n");
 #ifndef OPENSSL_NO_KRB5
-       if (con->kssl_ctx->client_princ != NULL)
+       client_princ = kssl_ctx_get0_client_princ(SSL_get0_kssl_ctx(con));
+       if (client_princ != NULL)
                {
                BIO_printf(bio_s_out,"Kerberos peer principal is %s\n",
-                       con->kssl_ctx->client_princ);
+                                                               client_princ);
                }
 #endif /* OPENSSL_NO_KRB5 */
+       BIO_printf(bio_s_out, "Secure Renegotiation IS%s supported\n",
+                     SSL_get_secure_renegotiation_support(con) ? "" : " NOT");
        return(1);
        }
 
@@ -2149,6 +2327,9 @@ err:
        return(ret);
        }
 #endif
+#ifndef OPENSSL_NO_KRB5
+       char *client_princ;
+#endif
 
 #if 0
 static int load_CA(SSL_CTX *ctx, char *file)
@@ -2175,11 +2356,13 @@ static int www_body(char *hostname, int s, unsigned char *context)
        {
        char *buf=NULL;
        int ret=1;
-       int i,j,k,blank,dot;
+       int i,j,k,dot;
        SSL *con;
-       SSL_CIPHER *c;
+       const SSL_CIPHER *c;
        BIO *io,*ssl_bio,*sbio;
-       long total_bytes;
+#ifndef OPENSSL_NO_KRB5
+       KSSL_CTX *kctx;
+#endif
 
        buf=OPENSSL_malloc(bufsize);
        if (buf == NULL) return(0);
@@ -2211,10 +2394,10 @@ static int www_body(char *hostname, int s, unsigned char *context)
                        }
 #endif
 #ifndef OPENSSL_NO_KRB5
-       if ((con->kssl_ctx = kssl_ctx_new()) != NULL)
+       if ((kctx = kssl_ctx_new()) != NULL)
                {
-               kssl_ctx_setstring(con->kssl_ctx, KSSL_SERVICE, KRB5SVC);
-               kssl_ctx_setstring(con->kssl_ctx, KSSL_KEYTAB, KRB5KEYTAB);
+               kssl_ctx_setstring(kctx, KSSL_SERVICE, KRB5SVC);
+               kssl_ctx_setstring(kctx, KSSL_KEYTAB, KRB5KEYTAB);
                }
 #endif /* OPENSSL_NO_KRB5 */
        if(context) SSL_set_session_id_context(con, context,
@@ -2240,7 +2423,7 @@ static int www_body(char *hostname, int s, unsigned char *context)
 
        if (s_debug)
                {
-               con->debug=1;
+               SSL_set_debug(con, 1);
                BIO_set_callback(SSL_get_rbio(con),bio_dump_callback);
                BIO_set_callback_arg(SSL_get_rbio(con),(char *)bio_s_out);
                }
@@ -2250,7 +2433,6 @@ static int www_body(char *hostname, int s, unsigned char *context)
                SSL_set_msg_callback_arg(con, bio_s_out);
                }
 
-       blank=0;
        for (;;)
                {
                if (hack)
@@ -2362,7 +2544,7 @@ static int www_body(char *hostname, int s, unsigned char *context)
                                        }
                                BIO_puts(io,"\n");
                                }
-                       BIO_printf(io,((con->hit)
+                       BIO_printf(io,(SSL_cache_hit(con)
                                ?"---\nReused, "
                                :"---\nNew, "));
                        c=SSL_get_current_cipher(con);
@@ -2480,7 +2662,6 @@ static int www_body(char *hostname, int s, unsigned char *context)
                                         BIO_puts(io,"HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n");
                                 }
                        /* send the file */
-                       total_bytes=0;
                        for (;;)
                                {
                                i=BIO_read(file,buf,bufsize);
Unnamed repository; edit this file 'description' to name the repository.