This applies both to s_client and s_server app.
Reaction to Issue #3665.
Signed-off-by: Paul Yang <paulyang.inf@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3697)
if (argc != 0)
goto opthelp;
+#ifndef OPENSSL_NO_NEXTPROTONEG
+ if (min_version == TLS1_3_VERSION && next_proto_neg_in != NULL) {
+ BIO_printf(bio_err, "Cannot supply -nextprotoneg with TLSv1.3\n");
+ goto opthelp;
+ }
+#endif
if (proxystr != NULL) {
int res;
char *tmp_host = host, *tmp_port = port;
argc = opt_num_rest();
argv = opt_rest();
+#ifndef OPENSSL_NO_NEXTPROTONEG
+ if (min_version == TLS1_3_VERSION && next_proto_neg_in != NULL) {
+ BIO_printf(bio_err, "Cannot supply -nextprotoneg with TLSv1.3\n");
+ goto opthelp;
+ }
+#endif
#ifndef OPENSSL_NO_DTLS
if (www && socket_type == SOCK_DGRAM) {
BIO_printf(bio_err, "Can't use -HTTP, -www or -WWW with DTLS\n");
An empty list of protocols is treated specially and will cause the
client to advertise support for the TLS extension but disconnect just
after receiving ServerHello with a list of server supported protocols.
+The flag B<-nextprotoneg> cannot be specified if B<-tls1_3> is used.
=item B<-ct|noct>
names. The list should contain the most desirable protocols first.
Protocol names are printable ASCII strings, for example "http/1.1" or
"spdy/3".
+The flag B<-nextprotoneg> cannot be specified if B<-tls1_3> is used.
=item B<-engine val>
projects / openssl.git / commitdiff