X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=apps%2Fs_client.c;h=e4281c612460ba51957639e2445db0e008d17f4b;hp=f6a28540b51e5af9ca21baf39c1a955a4e029cb2;hb=764b6a3551919e3e98b5048891688c4a615291d7;hpb=22b5d7c80b9e65c7b16277f81f7b22ff91ac4974 diff --git a/apps/s_client.c b/apps/s_client.c index f6a28540b5..e4281c6124 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -203,7 +203,6 @@ static int c_debug=0; #ifndef OPENSSL_NO_TLSEXT static int c_tlsextdebug=0; static int c_status_req=0; -static int c_proof_debug=0; #endif static int c_msg=0; static int c_showcerts=0; @@ -215,7 +214,6 @@ static void sc_usage(void); static void print_stuff(BIO *berr,SSL *con,int full); #ifndef OPENSSL_NO_TLSEXT static int ocsp_resp_cb(SSL *s, void *arg); -static int audit_proof_cb(SSL *s, void *arg); #endif static BIO *bio_c_out=NULL; static BIO *bio_c_msg=NULL; @@ -292,12 +290,10 @@ static void sc_usage(void) BIO_printf(bio_err,"\n"); BIO_printf(bio_err," -host host - use -connect instead\n"); BIO_printf(bio_err," -port port - use -connect instead\n"); - BIO_printf(bio_err," -connect host:port - who to connect to (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR); - BIO_printf(bio_err," -checkhost host - check peer certificate matches \"host\"\n"); - BIO_printf(bio_err," -checkemail email - check peer certificate matches \"email\"\n"); - BIO_printf(bio_err," -checkip ipaddr - check peer certificate matches \"ipaddr\"\n"); - + BIO_printf(bio_err," -connect host:port - connect over TCP/IP (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR); + BIO_printf(bio_err," -unix path - connect over unix domain sockets\n"); BIO_printf(bio_err," -verify arg - turn on peer certificate verification\n"); + BIO_printf(bio_err," -verify_return_error - return verification errors\n"); BIO_printf(bio_err," -cert arg - certificate file to use, PEM format assumed\n"); BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n"); BIO_printf(bio_err," -key arg - Private key file to use, in cert file if\n"); @@ -306,8 +302,10 @@ static void sc_usage(void) BIO_printf(bio_err," -pass arg - private key file pass phrase source\n"); BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n"); BIO_printf(bio_err," -CAfile arg - PEM format file of CA's\n"); + BIO_printf(bio_err," -trusted_first - Use local CA's first when building trust chain\n"); BIO_printf(bio_err," -reconnect - Drop and re-make the connection with the same Session-ID\n"); BIO_printf(bio_err," -pause - sleep(1) after each read(2) and write(2) system call\n"); + BIO_printf(bio_err," -prexit - print session information even on connection failure\n"); BIO_printf(bio_err," -showcerts - show all certificates in the chain\n"); BIO_printf(bio_err," -debug - extra output\n"); #ifdef WATT32 @@ -338,11 +336,14 @@ static void sc_usage(void) BIO_printf(bio_err," -srp_strength int - minimal mength in bits for N (default %d).\n",SRP_MINIMAL_N); #endif BIO_printf(bio_err," -ssl2 - just use SSLv2\n"); +#ifndef OPENSSL_NO_SSL3_METHOD BIO_printf(bio_err," -ssl3 - just use SSLv3\n"); +#endif BIO_printf(bio_err," -tls1_2 - just use TLSv1.2\n"); BIO_printf(bio_err," -tls1_1 - just use TLSv1.1\n"); BIO_printf(bio_err," -tls1 - just use TLSv1\n"); BIO_printf(bio_err," -dtls1 - just use DTLSv1\n"); + BIO_printf(bio_err," -fallback_scsv - send TLS_FALLBACK_SCSV\n"); BIO_printf(bio_err," -mtu - set the link layer MTU\n"); BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n"); BIO_printf(bio_err," -bugs - Switch on all SSL implementation bug workarounds\n"); @@ -354,6 +355,7 @@ static void sc_usage(void) BIO_printf(bio_err," 'prot' defines which one to assume. Currently,\n"); BIO_printf(bio_err," only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n"); BIO_printf(bio_err," are supported.\n"); + BIO_printf(bio_err," -xmpphost host - When used with \"-starttls xmpp\" specifies the virtual host.\n"); #ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err," -engine id - Initialise and use the specified engine\n"); #endif @@ -365,10 +367,11 @@ static void sc_usage(void) BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n"); BIO_printf(bio_err," -status - request certificate status from server\n"); BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n"); - BIO_printf(bio_err," -proof_debug - request an audit proof and print its hex dump\n"); + BIO_printf(bio_err," -serverinfo types - send empty ClientHello extensions (comma-separated numbers)\n"); # ifndef OPENSSL_NO_NEXTPROTONEG BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n"); # endif + BIO_printf(bio_err," -alpn arg - enable ALPN extension, considering named protocols supported (comma-separated list)\n"); #endif BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n"); BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n"); @@ -546,6 +549,27 @@ static int next_proto_cb(SSL *s, unsigned char **out, unsigned char *outlen, con return SSL_TLSEXT_ERR_OK; } # endif /* ndef OPENSSL_NO_NEXTPROTONEG */ + +static int serverinfo_cli_parse_cb(SSL* s, unsigned int ext_type, + const unsigned char* in, size_t inlen, + int* al, void* arg) + { + char pem_name[100]; + unsigned char ext_buf[4 + 65536]; + + /* Reconstruct the type/len fields prior to extension data */ + ext_buf[0] = ext_type >> 8; + ext_buf[1] = ext_type & 0xFF; + ext_buf[2] = inlen >> 8; + ext_buf[3] = inlen & 0xFF; + memcpy(ext_buf+4, in, inlen); + + BIO_snprintf(pem_name, sizeof(pem_name), "SERVERINFO FOR EXTENSION %d", + ext_type); + PEM_write_bio(bio_c_out, pem_name, "", ext_buf, 4 + inlen); + return 1; + } + #endif enum @@ -575,12 +599,17 @@ int MAIN(int argc, char **argv) short port=PORT; int full_log=1; char *host=SSL_HOST_NAME; - char *cert_file=NULL,*key_file=NULL; + const char *unix_path = NULL; + char *xmpphost = NULL; + char *cert_file=NULL,*key_file=NULL,*chain_file=NULL; int cert_format = FORMAT_PEM, key_format = FORMAT_PEM; char *passarg = NULL, *pass = NULL; X509 *cert = NULL; EVP_PKEY *key = NULL; + STACK_OF(X509) *chain = NULL; char *CApath=NULL,*CAfile=NULL; + char *chCApath=NULL,*chCAfile=NULL; + char *vfyCApath=NULL,*vfyCAfile=NULL; int reconnect=0,badop=0,verify=SSL_VERIFY_NONE; int crlf=0; int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending; @@ -615,15 +644,23 @@ int MAIN(int argc, char **argv) # ifndef OPENSSL_NO_NEXTPROTONEG const char *next_proto_neg_in = NULL; # endif + const char *alpn_in = NULL; +# define MAX_SI_TYPES 100 + unsigned short serverinfo_types[MAX_SI_TYPES]; + int serverinfo_types_count = 0; #endif char *sess_in = NULL; char *sess_out = NULL; struct sockaddr peer; int peerlen = sizeof(peer); + int fallback_scsv = 0; int enable_timeouts = 0 ; long socket_mtu = 0; #ifndef OPENSSL_NO_JPAKE - char *jpake_secret = NULL; +static char *jpake_secret = NULL; +#define no_jpake !jpake_secret +#else +#define no_jpake 1 #endif #ifndef OPENSSL_NO_SRP char * srppass = NULL; @@ -632,11 +669,15 @@ int MAIN(int argc, char **argv) #endif SSL_EXCERT *exc = NULL; - unsigned char *checkhost = NULL, *checkemail = NULL; - char *checkip = NULL; SSL_CONF_CTX *cctx = NULL; STACK_OF(OPENSSL_STRING) *ssl_args = NULL; + char *crl_file = NULL; + int crl_format = FORMAT_PEM; + int crl_download = 0; + STACK_OF(X509_CRL) *crls = NULL; + int sdebug = 0; + meth=SSLv23_client_method(); apps_startup(); @@ -693,6 +734,16 @@ int MAIN(int argc, char **argv) if (!extract_host_port(*(++argv),&host,NULL,&port)) goto bad; } + else if (strcmp(*argv,"-unix") == 0) + { + if (--argc < 1) goto bad; + unix_path = *(++argv); + } + else if (strcmp(*argv,"-xmpphost") == 0) + { + if (--argc < 1) goto bad; + xmpphost= *(++argv); + } else if (strcmp(*argv,"-verify") == 0) { verify=SSL_VERIFY_PEER; @@ -706,6 +757,13 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; cert_file= *(++argv); } + else if (strcmp(*argv,"-CRL") == 0) + { + if (--argc < 1) goto bad; + crl_file= *(++argv); + } + else if (strcmp(*argv,"-crl_download") == 0) + crl_download = 1; else if (strcmp(*argv,"-sess_out") == 0) { if (--argc < 1) goto bad; @@ -721,6 +779,11 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; cert_format = str2fmt(*(++argv)); } + else if (strcmp(*argv,"-CRLform") == 0) + { + if (--argc < 1) goto bad; + crl_format = str2fmt(*(++argv)); + } else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm)) { if (badarg) @@ -771,8 +834,6 @@ int MAIN(int argc, char **argv) c_tlsextdebug=1; else if (strcmp(*argv,"-status") == 0) c_status_req=1; - else if (strcmp(*argv,"-proof_debug") == 0) - c_proof_debug=1; #endif #ifdef WATT32 else if (strcmp(*argv,"-wdebug") == 0) @@ -789,6 +850,10 @@ int MAIN(int argc, char **argv) else if (strcmp(*argv,"-trace") == 0) c_msg=2; #endif + else if (strcmp(*argv,"-security_debug") == 0) + { sdebug=1; } + else if (strcmp(*argv,"-security_debug_verbose") == 0) + { sdebug=2; } else if (strcmp(*argv,"-showcerts") == 0) c_showcerts=1; else if (strcmp(*argv,"-nbio_test") == 0) @@ -851,7 +916,7 @@ int MAIN(int argc, char **argv) else if (strcmp(*argv,"-ssl2") == 0) meth=SSLv2_client_method(); #endif -#ifndef OPENSSL_NO_SSL3 +#ifndef OPENSSL_NO_SSL3_METHOD else if (strcmp(*argv,"-ssl3") == 0) meth=SSLv3_client_method(); #endif @@ -864,11 +929,21 @@ int MAIN(int argc, char **argv) meth=TLSv1_client_method(); #endif #ifndef OPENSSL_NO_DTLS1 + else if (strcmp(*argv,"-dtls") == 0) + { + meth=DTLS_client_method(); + socket_type=SOCK_DGRAM; + } else if (strcmp(*argv,"-dtls1") == 0) { meth=DTLSv1_client_method(); socket_type=SOCK_DGRAM; } + else if (strcmp(*argv,"-dtls1_2") == 0) + { + meth=DTLSv1_2_client_method(); + socket_type=SOCK_DGRAM; + } else if (strcmp(*argv,"-timeout") == 0) enable_timeouts=1; else if (strcmp(*argv,"-mtu") == 0) @@ -877,6 +952,10 @@ int MAIN(int argc, char **argv) socket_mtu = atol(*(++argv)); } #endif + else if (strcmp(*argv,"-fallback_scsv") == 0) + { + fallback_scsv = 1; + } else if (strcmp(*argv,"-keyform") == 0) { if (--argc < 1) goto bad; @@ -887,6 +966,11 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; passarg = *(++argv); } + else if (strcmp(*argv,"-cert_chain") == 0) + { + if (--argc < 1) goto bad; + chain_file= *(++argv); + } else if (strcmp(*argv,"-key") == 0) { if (--argc < 1) goto bad; @@ -901,6 +985,16 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; CApath= *(++argv); } + else if (strcmp(*argv,"-chainCApath") == 0) + { + if (--argc < 1) goto bad; + chCApath= *(++argv); + } + else if (strcmp(*argv,"-verifyCApath") == 0) + { + if (--argc < 1) goto bad; + vfyCApath= *(++argv); + } else if (strcmp(*argv,"-build_chain") == 0) build_chain = 1; else if (strcmp(*argv,"-CAfile") == 0) @@ -908,6 +1002,16 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; CAfile= *(++argv); } + else if (strcmp(*argv,"-chainCAfile") == 0) + { + if (--argc < 1) goto bad; + chCAfile= *(++argv); + } + else if (strcmp(*argv,"-verifyCAfile") == 0) + { + if (--argc < 1) goto bad; + vfyCAfile= *(++argv); + } #ifndef OPENSSL_NO_TLSEXT # ifndef OPENSSL_NO_NEXTPROTONEG else if (strcmp(*argv,"-nextprotoneg") == 0) @@ -916,6 +1020,34 @@ int MAIN(int argc, char **argv) next_proto_neg_in = *(++argv); } # endif + else if (strcmp(*argv,"-alpn") == 0) + { + if (--argc < 1) goto bad; + alpn_in = *(++argv); + } + else if (strcmp(*argv,"-serverinfo") == 0) + { + char *c; + int start = 0; + int len; + + if (--argc < 1) goto bad; + c = *(++argv); + serverinfo_types_count = 0; + len = strlen(c); + for (i = 0; i <= len; ++i) + { + if (i == len || c[i] == ',') + { + serverinfo_types[serverinfo_types_count] + = atoi(c+start); + serverinfo_types_count++; + start = i+1; + } + if (serverinfo_types_count == MAX_SI_TYPES) + break; + } + } #endif #ifdef FIONBIO else if (strcmp(*argv,"-nbio") == 0) @@ -963,21 +1095,6 @@ int MAIN(int argc, char **argv) /* meth=TLSv1_client_method(); */ } #endif - else if (strcmp(*argv,"-checkhost") == 0) - { - if (--argc < 1) goto bad; - checkhost=(unsigned char *)*(++argv); - } - else if (strcmp(*argv,"-checkemail") == 0) - { - if (--argc < 1) goto bad; - checkemail=(unsigned char *)*(++argv); - } - else if (strcmp(*argv,"-checkip") == 0) - { - if (--argc < 1) goto bad; - checkip=*(++argv); - } #ifndef OPENSSL_NO_JPAKE else if (strcmp(*argv,"-jpake") == 0) { @@ -1017,6 +1134,11 @@ bad: goto end; } + if (unix_path && (socket_type != SOCK_STREAM)) + { + BIO_printf(bio_err, "Can't use unix sockets and datagrams together\n"); + goto end; + } #if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK) if (jpake_secret) { @@ -1028,13 +1150,6 @@ bad: } psk_identity = "JPAKE"; } - - if (cipher) - { - BIO_printf(bio_err, "JPAKE sets cipher to PSK\n"); - goto end; - } - cipher = "PSK"; #endif OpenSSL_add_ssl_algorithms(); @@ -1106,6 +1221,34 @@ bad: } } + if (chain_file) + { + chain = load_certs(bio_err, chain_file,FORMAT_PEM, + NULL, e, "client certificate chain"); + if (!chain) + goto end; + } + + if (crl_file) + { + X509_CRL *crl; + crl = load_crl(crl_file, crl_format); + if (!crl) + { + BIO_puts(bio_err, "Error loading CRL\n"); + ERR_print_errors(bio_err); + goto end; + } + crls = sk_X509_CRL_new_null(); + if (!crls || !sk_X509_CRL_push(crls, crl)) + { + BIO_puts(bio_err, "Error adding CRL\n"); + ERR_print_errors(bio_err); + X509_CRL_free(crl); + goto end; + } + } + if (!load_excert(&exc, bio_err)) goto end; @@ -1120,9 +1263,11 @@ bad: if (bio_c_out == NULL) { - if (c_quiet && !c_debug && !c_msg) + if (c_quiet && !c_debug) { bio_c_out=BIO_new(BIO_s_null()); + if (c_msg && !bio_c_msg) + bio_c_msg=BIO_new_fp(stdout,BIO_NOCLOSE); } else { @@ -1146,15 +1291,26 @@ bad: goto end; } + if (sdebug) + ssl_ctx_security_debug(ctx, bio_err, sdebug); + if (vpm) SSL_CTX_set1_param(ctx, vpm); - if (!args_ssl_call(ctx, bio_err, cctx, ssl_args)) + if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, 1, no_jpake)) { ERR_print_errors(bio_err); goto end; } + if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile, + crls, crl_download)) + { + BIO_printf(bio_err, "Error loading store locations\n"); + ERR_print_errors(bio_err); + goto end; + } + #ifndef OPENSSL_NO_ENGINE if (ssl_client_engine) { @@ -1189,9 +1345,34 @@ bad: */ if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1); -#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) +#if !defined(OPENSSL_NO_TLSEXT) +# if !defined(OPENSSL_NO_NEXTPROTONEG) if (next_proto.data) SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto); +# endif + if (alpn_in) + { + unsigned short alpn_len; + unsigned char *alpn = next_protos_parse(&alpn_len, alpn_in); + + if (alpn == NULL) + { + BIO_printf(bio_err, "Error parsing -alpn argument\n"); + goto end; + } + SSL_CTX_set_alpn_protos(ctx, alpn, alpn_len); + OPENSSL_free(alpn); + } +#endif +#ifndef OPENSSL_NO_TLSEXT + for (i = 0; i < serverinfo_types_count; i++) + { + SSL_CTX_add_client_custom_ext(ctx, + serverinfo_types[i], + NULL, NULL, NULL, + serverinfo_cli_parse_cb, + NULL); + } #endif if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback); @@ -1210,7 +1391,9 @@ bad: /* goto end; */ } - if (!set_cert_key_stuff(ctx,cert,key, NULL, build_chain)) + ssl_ctx_add_crls(ctx, crls, crl_download); + + if (!set_cert_key_stuff(ctx,cert,key,chain,build_chain)) goto end; #ifndef OPENSSL_NO_TLSEXT @@ -1238,9 +1421,6 @@ bad: } #endif - if (c_proof_debug) - SSL_CTX_set_tlsext_authz_server_audit_proof_cb(ctx, - audit_proof_cb); #endif con=SSL_new(ctx); @@ -1267,6 +1447,10 @@ bad: SSL_set_session(con, sess); SSL_SESSION_free(sess); } + + if (fallback_scsv) + SSL_set_mode(con, SSL_MODE_SEND_FALLBACK_SCSV); + #ifndef OPENSSL_NO_TLSEXT if (servername != NULL) { @@ -1293,8 +1477,12 @@ bad: #endif re_start: - +#ifdef NO_SYS_UN_H if (init_client(&s,host,port,socket_type) == 0) +#else + if ((!unix_path && (init_client(&s,host,port,socket_type) == 0)) || + (unix_path && (init_client_unix(&s,unix_path) == 0))) +#endif { BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error()); SHUTDOWN(s); @@ -1316,7 +1504,7 @@ re_start: #endif if (c_Pause & 0x01) SSL_set_debug(con, 1); - if ( SSL_version(con) == DTLS1_VERSION) + if (socket_type == SOCK_DGRAM) { sbio=BIO_new_dgram(s,BIO_NOCLOSE); @@ -1516,14 +1704,18 @@ SSL_set_tlsext_status_ids(con, ids); int seen = 0; BIO_printf(sbio,"", host); + "xmlns='jabber:client' to='%s' version='1.0'>", xmpphost ? + xmpphost : host); seen = BIO_read(sbio,mbuf,BUFSIZZ); mbuf[seen] = 0; - while (!strstr(mbuf, "")) - goto shut; seen = BIO_read(sbio,mbuf,BUFSIZZ); + + if (seen <= 0) + goto shut; + mbuf[seen] = 0; } BIO_printf(sbio, ""); @@ -1581,8 +1773,7 @@ SSL_set_tlsext_status_ids(con, ids); "CONNECTION ESTABLISHED\n"); print_ssl_summary(bio_err, con); } - print_ssl_cert_checks(bio_err, con, checkhost, - checkemail, checkip); + print_stuff(bio_c_out,con,full_log); if (full_log > 0) full_log--; @@ -1703,7 +1894,7 @@ SSL_set_tlsext_status_ids(con, ids); if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0) { - BIO_printf(bio_err,"TIMEOUT occured\n"); + BIO_printf(bio_err,"TIMEOUT occurred\n"); } if (!ssl_pending && FD_ISSET(SSL_get_fd(con),&writefds)) @@ -1845,7 +2036,10 @@ printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240 break; case SSL_ERROR_SYSCALL: ret=get_last_socket_error(); - BIO_printf(bio_err,"read:errno=%d\n",ret); + if (c_brief) + BIO_puts(bio_err, "CONNECTION CLOSED BY SERVER\n"); + else + BIO_printf(bio_err,"read:errno=%d\n",ret); goto shut; case SSL_ERROR_ZERO_RETURN: BIO_printf(bio_c_out,"closed\n"); @@ -1952,8 +2146,12 @@ end: if (ctx != NULL) SSL_CTX_free(ctx); if (cert) X509_free(cert); + if (crls) + sk_X509_CRL_pop_free(crls, X509_CRL_free); if (key) EVP_PKEY_free(key); + if (chain) + sk_X509_pop_free(chain, X509_free); if (pass) OPENSSL_free(pass); if (vpm) @@ -1963,6 +2161,10 @@ end: sk_OPENSSL_STRING_free(ssl_args); if (cctx) SSL_CONF_CTX_free(cctx); +#ifndef OPENSSL_NO_JPAKE + if (jpake_secret && psk_key) + OPENSSL_free(psk_key); +#endif if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); } if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); } if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); } @@ -2124,7 +2326,8 @@ static void print_stuff(BIO *bio, SSL *s, int full) } #endif -#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) +#if !defined(OPENSSL_NO_TLSEXT) +# if !defined(OPENSSL_NO_NEXTPROTONEG) if (next_proto.status != -1) { const unsigned char *proto; unsigned int proto_len; @@ -2133,6 +2336,20 @@ static void print_stuff(BIO *bio, SSL *s, int full) BIO_write(bio, proto, proto_len); BIO_write(bio, "\n", 1); } +# endif + { + const unsigned char *proto; + unsigned int proto_len; + SSL_get0_alpn_selected(s, &proto, &proto_len); + if (proto_len > 0) + { + BIO_printf(bio, "ALPN protocol: "); + BIO_write(bio, proto, proto_len); + BIO_write(bio, "\n", 1); + } + else + BIO_printf(bio, "No ALPN negotiated\n"); + } #endif { @@ -2206,26 +2423,4 @@ static int ocsp_resp_cb(SSL *s, void *arg) return 1; } -static int audit_proof_cb(SSL *s, void *arg) - { - const unsigned char *proof; - size_t proof_len; - size_t i; - SSL_SESSION *sess = SSL_get_session(s); - - proof = SSL_SESSION_get_tlsext_authz_server_audit_proof(sess, - &proof_len); - if (proof != NULL) - { - BIO_printf(bio_c_out, "Audit proof: "); - for (i = 0; i < proof_len; ++i) - BIO_printf(bio_c_out, "%02X", proof[i]); - BIO_printf(bio_c_out, "\n"); - } - else - { - BIO_printf(bio_c_out, "No audit proof found.\n"); - } - return 1; - } #endif