### Changes between 3.0 and 3.1 [xx XXX xxxx]
+ * s_client and s_server apps now explicitly say when the TLS version
+ does not include the renegotiation mechanism. This avoids confusion
+ between that scenario versus when the TLS version includes secure
+ renegotiation but the peer lacks support for it.
+
+ *Felipe Gasper*
+
* The default SSL/TLS security level has been changed from 1 to 2. RSA,
DSA and DH keys of 1024 bits and above and less than 2048 bits and ECC keys
of 160 bits and above and less than 224 bits were previously accepted by
#define PORT "4433"
#define PROTOCOL "tcp"
+#define SSL_VERSION_ALLOWS_RENEGOTIATION(s) \
+ (SSL_is_dtls(s) || (SSL_version(s) < TLS1_3_VERSION))
+
typedef int (*do_server_cb)(int s, int stype, int prot, unsigned char *context);
int report_server_accept(BIO *out, int asock, int with_address, int with_pid);
int do_server(int *accept_sock, const char *host, const char *port,
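Review bot: The new `SSL_VERSION_ALLOWS_RENEGOTIATION` macro carries no comment saying why `SSL_is_dtls(s)` is tested before the version comparison, and that ordering is the whole correctness argument. DTLS version constants (`DTLS1_VERSION` 0xFEFF, `DTLS1_2_VERSION` 0xFEFD) compare numerically greater than `TLS1_3_VERSION`, so the bare comparison would report every DTLS connection as forbidding renegotiation. I would add above the macro: `/* DTLS versions compare greater than TLS1_3_VERSION, so check DTLS first; revisit if a DTLS version without renegotiation is added. */`. The macro also expands `s` twice, which is harmless for the callers shown but worth keeping in mind if it is reused with an expression argument.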
void ssl_ctx_security_debug(SSL_CTX *ctx, int verbose);
int set_keylog_file(SSL_CTX *ctx, const char *keylog_file);
void print_ca_names(BIO *bio, SSL *s);
+void ssl_print_secure_renegotiation_notes(BIO *bio, SSL *s);
#ifndef OPENSSL_NO_SRP
/* The client side SRP context that we pass to all SRP related callbacks */
* https://www.openssl.org/source/license.html
*/
-/* callback functions used by s_client, s_server, and s_time */
+/*
+ * callback functions used by s_client, s_server, and s_time,
+ * as well as other common logic for those apps
+ */
#include <stdio.h>
#include <stdlib.h>
#include <string.h> /* for memcpy() and strcmp() */
BIO_write(bio, "\n", 1);
}
}
+
+void ssl_print_secure_renegotiation_notes(BIO *bio, SSL *s)
+{
+ if (SSL_VERSION_ALLOWS_RENEGOTIATION(s)) {
+ BIO_printf(bio, "Secure Renegotiation IS%s supported\n",
+ SSL_get_secure_renegotiation_support(s) ? "" : " NOT");
+ } else {
+ BIO_printf(bio, "This TLS version forbids renegotiation.\n");
+ }
+}
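Review bot: `ssl_print_secure_renegotiation_notes()` is a new shared, non-static helper with no comment stating what its two output lines mean, and the distinction matters to anyone reading the output as a security signal. On the first branch the line reports whether the peer indicated secure renegotiation support (the value of `SSL_get_secure_renegotiation_support(s)`); on the second it reports that the protocol version has no renegotiation at all, which is not a weakness. A short comment above the function saying exactly that would help, along with a remark that scripts matching the `Secure Renegotiation IS` line will no longer find it on TLS 1.3 connections. As a style point, the else branch passes a constant string, so `BIO_puts(bio, "This TLS version forbids renegotiation.\n");` is enough, and the trailing period differs from the neighbouring status lines visible in these hunks.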
BIO_printf(bio, "Server public key is %d bit\n",
EVP_PKEY_get_bits(pktmp));
}
- BIO_printf(bio, "Secure Renegotiation IS%s supported\n",
- SSL_get_secure_renegotiation_support(s) ? "" : " NOT");
+
+ ssl_print_secure_renegotiation_notes(bio, s);
+
#ifndef OPENSSL_NO_COMP
comp = SSL_get_current_compression(s);
expansion = SSL_get_current_expansion(s);
#endif
if (SSL_session_reused(con))
BIO_printf(bio_s_out, "Reused session-id\n");
- BIO_printf(bio_s_out, "Secure Renegotiation IS%s supported\n",
- SSL_get_secure_renegotiation_support(con) ? "" : " NOT");
+
+ ssl_print_secure_renegotiation_notes(bio_s_out, con);
+
if ((SSL_get_options(con) & SSL_OP_NO_RENEGOTIATION))
BIO_printf(bio_s_out, "Renegotiation is DISABLED\n");
}
BIO_puts(io, "\n");
- BIO_printf(io,
- "Secure Renegotiation IS%s supported\n",
- SSL_get_secure_renegotiation_support(con) ?
- "" : " NOT");
+ ssl_print_secure_renegotiation_notes(io, con);
/*
* The following is evil and should not really be done