Fix newly introduced typos and warnings in ./apps.
[openssl.git] / apps / s_client.c
1 /* apps/s_client.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111
112 #include <assert.h>
113 #include <stdio.h>
114 #include <stdlib.h>
115 #include <string.h>
116 #include <openssl/e_os2.h>
117 #ifdef OPENSSL_NO_STDIO
118 #define APPS_WIN16
119 #endif
120
121 /* With IPv6, it looks like Digital has mixed up the proper order of
122    recursive header file inclusion, resulting in the compiler complaining
123    that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which
124    is needed to have fileno() declared correctly...  So let's define u_int */
125 #if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT)
126 #define __U_INT
127 typedef unsigned int u_int;
128 #endif
129
130 #define USE_SOCKETS
131 #include "apps.h"
132 #include <openssl/x509.h>
133 #include <openssl/ssl.h>
134 #include <openssl/err.h>
135 #include <openssl/pem.h>
136 #include <openssl/rand.h>
137 #include "s_apps.h"
138 #include "timeouts.h"
139
140 #if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
141 /* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
142 #undef FIONBIO
143 #endif
144
145 #undef PROG
146 #define PROG    s_client_main
147
148 /*#define SSL_HOST_NAME "www.netscape.com" */
149 /*#define SSL_HOST_NAME "193.118.187.102" */
150 #define SSL_HOST_NAME   "localhost"
151
152 /*#define TEST_CERT "client.pem" */ /* no default cert. */
153
154 #undef BUFSIZZ
155 #define BUFSIZZ 1024*8
156
157 extern int verify_depth;
158 extern int verify_error;
159
160 #ifdef FIONBIO
161 static int c_nbio=0;
162 #endif
163 static int c_Pause=0;
164 static int c_debug=0;
165 static int c_msg=0;
166 static int c_showcerts=0;
167
168 static void sc_usage(void);
169 static void print_stuff(BIO *berr,SSL *con,int full);
170 static BIO *bio_c_out=NULL;
171 static int c_quiet=0;
172 static int c_ign_eof=0;
173
174 static void sc_usage(void)
175         {
176         BIO_printf(bio_err,"usage: s_client args\n");
177         BIO_printf(bio_err,"\n");
178         BIO_printf(bio_err," -host host     - use -connect instead\n");
179         BIO_printf(bio_err," -port port     - use -connect instead\n");
180         BIO_printf(bio_err," -connect host:port - who to connect to (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR);
181
182         BIO_printf(bio_err," -verify arg   - turn on peer certificate verification\n");
183         BIO_printf(bio_err," -cert arg     - certificate file to use, PEM format assumed\n");
184         BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n");
185         BIO_printf(bio_err," -key arg      - Private key file to use, in cert file if\n");
186         BIO_printf(bio_err,"                 not specified but cert file is.\n");
187         BIO_printf(bio_err," -keyform arg  - key format (PEM or DER) PEM default\n");
188         BIO_printf(bio_err," -pass arg     - private key file pass phrase source\n");
189         BIO_printf(bio_err," -CApath arg   - PEM format directory of CA's\n");
190         BIO_printf(bio_err," -CAfile arg   - PEM format file of CA's\n");
191         BIO_printf(bio_err," -reconnect    - Drop and re-make the connection with the same Session-ID\n");
192         BIO_printf(bio_err," -pause        - sleep(1) after each read(2) and write(2) system call\n");
193         BIO_printf(bio_err," -showcerts    - show all certificates in the chain\n");
194         BIO_printf(bio_err," -debug        - extra output\n");
195 #ifdef WATT32
196         BIO_printf(bio_err," -wdebug       - WATT-32 tcp debugging\n");
197 #endif
198         BIO_printf(bio_err," -msg          - Show protocol messages\n");
199         BIO_printf(bio_err," -nbio_test    - more ssl protocol testing\n");
200         BIO_printf(bio_err," -state        - print the 'ssl' states\n");
201 #ifdef FIONBIO
202         BIO_printf(bio_err," -nbio         - Run with non-blocking IO\n");
203 #endif
204         BIO_printf(bio_err," -crlf         - convert LF from terminal into CRLF\n");
205         BIO_printf(bio_err," -quiet        - no s_client output\n");
206         BIO_printf(bio_err," -ign_eof      - ignore input eof (default when -quiet)\n");
207         BIO_printf(bio_err," -ssl2         - just use SSLv2\n");
208         BIO_printf(bio_err," -ssl3         - just use SSLv3\n");
209         BIO_printf(bio_err," -tls1         - just use TLSv1\n");
210         BIO_printf(bio_err," -dtls1        - just use DTLSv1\n");    
211         BIO_printf(bio_err," -mtu          - set the MTU\n");
212         BIO_printf(bio_err," -no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
213         BIO_printf(bio_err," -bugs         - Switch on all SSL implementation bug workarounds\n");
214         BIO_printf(bio_err," -serverpref   - Use server's cipher preferences (only SSLv2)\n");
215         BIO_printf(bio_err," -cipher       - preferred cipher to use, use the 'openssl ciphers'\n");
216         BIO_printf(bio_err,"                 command to see what is available\n");
217         BIO_printf(bio_err," -starttls prot - use the STARTTLS command before starting TLS\n");
218         BIO_printf(bio_err,"                 for those protocols that support it, where\n");
219         BIO_printf(bio_err,"                 'prot' defines which one to assume.  Currently,\n");
220         BIO_printf(bio_err,"                 only \"smtp\" and \"pop3\" are supported.\n");
221 #ifndef OPENSSL_NO_ENGINE
222         BIO_printf(bio_err," -engine id    - Initialise and use the specified engine\n");
223 #endif
224         BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
225
226         }
227
228 int MAIN(int, char **);
229
230 int MAIN(int argc, char **argv)
231         {
232         int off=0;
233         SSL *con=NULL,*con2=NULL;
234         X509_STORE *store = NULL;
235         int s,k,width,state=0;
236         char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL;
237         int cbuf_len,cbuf_off;
238         int sbuf_len,sbuf_off;
239         fd_set readfds,writefds;
240         short port=PORT;
241         int full_log=1;
242         char *host=SSL_HOST_NAME;
243         char *cert_file=NULL,*key_file=NULL;
244         int cert_format = FORMAT_PEM, key_format = FORMAT_PEM;
245         char *passarg = NULL, *pass = NULL;
246         X509 *cert = NULL;
247         EVP_PKEY *key = NULL;
248         char *CApath=NULL,*CAfile=NULL,*cipher=NULL;
249         int reconnect=0,badop=0,verify=SSL_VERIFY_NONE,bugs=0;
250         int crlf=0;
251         int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending;
252         SSL_CTX *ctx=NULL;
253         int ret=1,in_init=1,i,nbio_test=0;
254         int starttls_proto = 0;
255         int prexit = 0, vflags = 0;
256         const SSL_METHOD *meth=NULL;
257 #ifdef sock_type
258 #undef sock_type
259 #endif
260         int sock_type=SOCK_STREAM;
261         BIO *sbio;
262         char *inrand=NULL;
263 #ifndef OPENSSL_NO_ENGINE
264         char *engine_id=NULL;
265         ENGINE *e=NULL;
266 #endif
267 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
268         struct timeval tv;
269 #endif
270
271         struct sockaddr peer;
272         int peerlen = sizeof(peer);
273         int enable_timeouts = 0 ;
274         long mtu = 0;
275
276 #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
277         meth=SSLv23_client_method();
278 #elif !defined(OPENSSL_NO_SSL3)
279         meth=SSLv3_client_method();
280 #elif !defined(OPENSSL_NO_SSL2)
281         meth=SSLv2_client_method();
282 #endif
283
284         apps_startup();
285         c_Pause=0;
286         c_quiet=0;
287         c_ign_eof=0;
288         c_debug=0;
289         c_msg=0;
290         c_showcerts=0;
291
292         if (bio_err == NULL)
293                 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
294
295         if (!load_config(bio_err, NULL))
296                 goto end;
297
298         if (    ((cbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
299                 ((sbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
300                 ((mbuf=OPENSSL_malloc(BUFSIZZ)) == NULL))
301                 {
302                 BIO_printf(bio_err,"out of memory\n");
303                 goto end;
304                 }
305
306         verify_depth=0;
307         verify_error=X509_V_OK;
308 #ifdef FIONBIO
309         c_nbio=0;
310 #endif
311
312         argc--;
313         argv++;
314         while (argc >= 1)
315                 {
316                 if      (strcmp(*argv,"-host") == 0)
317                         {
318                         if (--argc < 1) goto bad;
319                         host= *(++argv);
320                         }
321                 else if (strcmp(*argv,"-port") == 0)
322                         {
323                         if (--argc < 1) goto bad;
324                         port=atoi(*(++argv));
325                         if (port == 0) goto bad;
326                         }
327                 else if (strcmp(*argv,"-connect") == 0)
328                         {
329                         if (--argc < 1) goto bad;
330                         if (!extract_host_port(*(++argv),&host,NULL,&port))
331                                 goto bad;
332                         }
333                 else if (strcmp(*argv,"-verify") == 0)
334                         {
335                         verify=SSL_VERIFY_PEER;
336                         if (--argc < 1) goto bad;
337                         verify_depth=atoi(*(++argv));
338                         BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
339                         }
340                 else if (strcmp(*argv,"-cert") == 0)
341                         {
342                         if (--argc < 1) goto bad;
343                         cert_file= *(++argv);
344                         }
345                 else if (strcmp(*argv,"-certform") == 0)
346                         {
347                         if (--argc < 1) goto bad;
348                         cert_format = str2fmt(*(++argv));
349                         }
350                 else if (strcmp(*argv,"-crl_check") == 0)
351                         vflags |= X509_V_FLAG_CRL_CHECK;
352                 else if (strcmp(*argv,"-crl_check_all") == 0)
353                         vflags |= X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL;
354                 else if (strcmp(*argv,"-prexit") == 0)
355                         prexit=1;
356                 else if (strcmp(*argv,"-crlf") == 0)
357                         crlf=1;
358                 else if (strcmp(*argv,"-quiet") == 0)
359                         {
360                         c_quiet=1;
361                         c_ign_eof=1;
362                         }
363                 else if (strcmp(*argv,"-ign_eof") == 0)
364                         c_ign_eof=1;
365                 else if (strcmp(*argv,"-pause") == 0)
366                         c_Pause=1;
367                 else if (strcmp(*argv,"-debug") == 0)
368                         c_debug=1;
369 #ifdef WATT32
370                 else if (strcmp(*argv,"-wdebug") == 0)
371                         dbug_init();
372 #endif
373                 else if (strcmp(*argv,"-msg") == 0)
374                         c_msg=1;
375                 else if (strcmp(*argv,"-showcerts") == 0)
376                         c_showcerts=1;
377                 else if (strcmp(*argv,"-nbio_test") == 0)
378                         nbio_test=1;
379                 else if (strcmp(*argv,"-state") == 0)
380                         state=1;
381 #ifndef OPENSSL_NO_SSL2
382                 else if (strcmp(*argv,"-ssl2") == 0)
383                         meth=SSLv2_client_method();
384 #endif
385 #ifndef OPENSSL_NO_SSL3
386                 else if (strcmp(*argv,"-ssl3") == 0)
387                         meth=SSLv3_client_method();
388 #endif
389 #ifndef OPENSSL_NO_TLS1
390                 else if (strcmp(*argv,"-tls1") == 0)
391                         meth=TLSv1_client_method();
392 #endif
393 #ifndef OPENSSL_NO_DTLS1
394                 else if (strcmp(*argv,"-dtls1") == 0)
395                         {
396                         meth=DTLSv1_client_method();
397                         sock_type=SOCK_DGRAM;
398                         }
399                 else if (strcmp(*argv,"-timeout") == 0)
400                         enable_timeouts=1;
401                 else if (strcmp(*argv,"-mtu") == 0)
402                         {
403                         if (--argc < 1) goto bad;
404                         mtu = atol(*(++argv));
405                         }
406 #endif
407                 else if (strcmp(*argv,"-bugs") == 0)
408                         bugs=1;
409                 else if (strcmp(*argv,"-keyform") == 0)
410                         {
411                         if (--argc < 1) goto bad;
412                         key_format = str2fmt(*(++argv));
413                         }
414                 else if (strcmp(*argv,"-pass") == 0)
415                         {
416                         if (--argc < 1) goto bad;
417                         passarg = *(++argv);
418                         }
419                 else if (strcmp(*argv,"-key") == 0)
420                         {
421                         if (--argc < 1) goto bad;
422                         key_file= *(++argv);
423                         }
424                 else if (strcmp(*argv,"-reconnect") == 0)
425                         {
426                         reconnect=5;
427                         }
428                 else if (strcmp(*argv,"-CApath") == 0)
429                         {
430                         if (--argc < 1) goto bad;
431                         CApath= *(++argv);
432                         }
433                 else if (strcmp(*argv,"-CAfile") == 0)
434                         {
435                         if (--argc < 1) goto bad;
436                         CAfile= *(++argv);
437                         }
438                 else if (strcmp(*argv,"-no_tls1") == 0)
439                         off|=SSL_OP_NO_TLSv1;
440                 else if (strcmp(*argv,"-no_ssl3") == 0)
441                         off|=SSL_OP_NO_SSLv3;
442                 else if (strcmp(*argv,"-no_ssl2") == 0)
443                         off|=SSL_OP_NO_SSLv2;
444                 else if (strcmp(*argv,"-no_comp") == 0)
445                         { off|=SSL_OP_NO_COMPRESSION; }
446                 else if (strcmp(*argv,"-serverpref") == 0)
447                         off|=SSL_OP_CIPHER_SERVER_PREFERENCE;
448                 else if (strcmp(*argv,"-cipher") == 0)
449                         {
450                         if (--argc < 1) goto bad;
451                         cipher= *(++argv);
452                         }
453 #ifdef FIONBIO
454                 else if (strcmp(*argv,"-nbio") == 0)
455                         { c_nbio=1; }
456 #endif
457                 else if (strcmp(*argv,"-starttls") == 0)
458                         {
459                         if (--argc < 1) goto bad;
460                         ++argv;
461                         if (strcmp(*argv,"smtp") == 0)
462                                 starttls_proto = 1;
463                         else if (strcmp(*argv,"pop3") == 0)
464                                 starttls_proto = 2;
465                         else
466                                 goto bad;
467                         }
468 #ifndef OPENSSL_NO_ENGINE
469                 else if (strcmp(*argv,"-engine") == 0)
470                         {
471                         if (--argc < 1) goto bad;
472                         engine_id = *(++argv);
473                         }
474 #endif
475                 else if (strcmp(*argv,"-rand") == 0)
476                         {
477                         if (--argc < 1) goto bad;
478                         inrand= *(++argv);
479                         }
480                 else
481                         {
482                         BIO_printf(bio_err,"unknown option %s\n",*argv);
483                         badop=1;
484                         break;
485                         }
486                 argc--;
487                 argv++;
488                 }
489         if (badop)
490                 {
491 bad:
492                 sc_usage();
493                 goto end;
494                 }
495
496         OpenSSL_add_ssl_algorithms();
497         SSL_load_error_strings();
498
499 #ifndef OPENSSL_NO_ENGINE
500         e = setup_engine(bio_err, engine_id, 1);
501 #endif
502         if (!app_passwd(bio_err, passarg, NULL, &pass, NULL))
503                 {
504                 BIO_printf(bio_err, "Error getting password\n");
505                 goto end;
506                 }
507
508         if (key_file == NULL)
509                 key_file = cert_file;
510
511
512         if (key_file)
513
514                 {
515
516                 key = load_key(bio_err, key_file, key_format, 0, pass, e,
517                                "client certificate private key file");
518                 if (!key)
519                         {
520                         ERR_print_errors(bio_err);
521                         goto end;
522                         }
523
524                 }
525
526         if (cert_file)
527
528                 {
529                 cert = load_cert(bio_err,cert_file,cert_format,
530                                 NULL, e, "client certificate file");
531
532                 if (!cert)
533                         {
534                         ERR_print_errors(bio_err);
535                         goto end;
536                         }
537                 }
538
539         if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
540                 && !RAND_status())
541                 {
542                 BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
543                 }
544         if (inrand != NULL)
545                 BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
546                         app_RAND_load_files(inrand));
547
548         if (bio_c_out == NULL)
549                 {
550                 if (c_quiet && !c_debug && !c_msg)
551                         {
552                         bio_c_out=BIO_new(BIO_s_null());
553                         }
554                 else
555                         {
556                         if (bio_c_out == NULL)
557                                 bio_c_out=BIO_new_fp(stdout,BIO_NOCLOSE);
558                         }
559                 }
560
561         ctx=SSL_CTX_new(meth);
562         if (ctx == NULL)
563                 {
564                 ERR_print_errors(bio_err);
565                 goto end;
566                 }
567
568         if (bugs)
569                 SSL_CTX_set_options(ctx,SSL_OP_ALL|off);
570         else
571                 SSL_CTX_set_options(ctx,off);
572         /* DTLS: partial reads end up discarding unread UDP bytes :-( 
573          * Setting read ahead solves this problem.
574          */
575         if (sock_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);
576
577         if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
578         if (cipher != NULL)
579                 if(!SSL_CTX_set_cipher_list(ctx,cipher)) {
580                 BIO_printf(bio_err,"error setting cipher list\n");
581                 ERR_print_errors(bio_err);
582                 goto end;
583         }
584 #if 0
585         else
586                 SSL_CTX_set_cipher_list(ctx,getenv("SSL_CIPHER"));
587 #endif
588
589         SSL_CTX_set_verify(ctx,verify,verify_callback);
590         if (!set_cert_key_stuff(ctx,cert,key))
591                 goto end;
592
593         if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
594                 (!SSL_CTX_set_default_verify_paths(ctx)))
595                 {
596                 /* BIO_printf(bio_err,"error setting default verify locations\n"); */
597                 ERR_print_errors(bio_err);
598                 /* goto end; */
599                 }
600
601         store = SSL_CTX_get_cert_store(ctx);
602         X509_STORE_set_flags(store, vflags);
603
604         con=SSL_new(ctx);
605 #ifndef OPENSSL_NO_KRB5
606         if (con  &&  (con->kssl_ctx = kssl_ctx_new()) != NULL)
607                 {
608                 kssl_ctx_setstring(con->kssl_ctx, KSSL_SERVER, host);
609                 }
610 #endif  /* OPENSSL_NO_KRB5  */
611 /*      SSL_set_cipher_list(con,"RC4-MD5"); */
612
613 re_start:
614
615         if (init_client(&s,host,port,sock_type) == 0)
616                 {
617                 BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
618                 SHUTDOWN(s);
619                 goto end;
620                 }
621         BIO_printf(bio_c_out,"CONNECTED(%08X)\n",s);
622
623 #ifdef FIONBIO
624         if (c_nbio)
625                 {
626                 unsigned long l=1;
627                 BIO_printf(bio_c_out,"turning on non blocking io\n");
628                 if (BIO_socket_ioctl(s,FIONBIO,&l) < 0)
629                         {
630                         ERR_print_errors(bio_err);
631                         goto end;
632                         }
633                 }
634 #endif                                              
635         if (c_Pause & 0x01) con->debug=1;
636
637         if ( SSL_version(con) == DTLS1_VERSION)
638                 {
639                 struct timeval timeout;
640
641                 sbio=BIO_new_dgram(s,BIO_NOCLOSE);
642                 if (getsockname(s, &peer, (void *)&peerlen) < 0)
643                         {
644                         BIO_printf(bio_err, "getsockname:errno=%d\n",
645                                 get_last_socket_error());
646                         SHUTDOWN(s);
647                         goto end;
648                         }
649
650                 BIO_ctrl_set_connected(sbio, 1, &peer);
651
652                 if ( enable_timeouts)
653                         {
654                         timeout.tv_sec = 0;
655                         timeout.tv_usec = DGRAM_RCV_TIMEOUT;
656                         BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
657                         
658                         timeout.tv_sec = 0;
659                         timeout.tv_usec = DGRAM_SND_TIMEOUT;
660                         BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
661                         }
662
663                 if ( mtu > 0)
664                         {
665                         SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
666                         SSL_set_mtu(con, mtu);
667                         }
668                 else
669                         /* want to do MTU discovery */
670                         BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
671                 }
672         else
673                 sbio=BIO_new_socket(s,BIO_NOCLOSE);
674
675
676
677         if (nbio_test)
678                 {
679                 BIO *test;
680
681                 test=BIO_new(BIO_f_nbio_test());
682                 sbio=BIO_push(test,sbio);
683                 }
684
685         if (c_debug)
686                 {
687                 con->debug=1;
688                 BIO_set_callback(sbio,bio_dump_callback);
689                 BIO_set_callback_arg(sbio,bio_c_out);
690                 }
691         if (c_msg)
692                 {
693                 SSL_set_msg_callback(con, msg_cb);
694                 SSL_set_msg_callback_arg(con, bio_c_out);
695                 }
696
697         SSL_set_bio(con,sbio,sbio);
698         SSL_set_connect_state(con);
699
700         /* ok, lets connect */
701         width=SSL_get_fd(con)+1;
702
703         read_tty=1;
704         write_tty=0;
705         tty_on=0;
706         read_ssl=1;
707         write_ssl=1;
708         
709         cbuf_len=0;
710         cbuf_off=0;
711         sbuf_len=0;
712         sbuf_off=0;
713
714         /* This is an ugly hack that does a lot of assumptions */
715         if (starttls_proto == 1)
716                 {
717                 BIO_read(sbio,mbuf,BUFSIZZ);
718                 BIO_printf(sbio,"STARTTLS\r\n");
719                 BIO_read(sbio,sbuf,BUFSIZZ);
720                 }
721         if (starttls_proto == 2)
722                 {
723                 BIO_read(sbio,mbuf,BUFSIZZ);
724                 BIO_printf(sbio,"STLS\r\n");
725                 BIO_read(sbio,sbuf,BUFSIZZ);
726                 }
727
728         for (;;)
729                 {
730                 FD_ZERO(&readfds);
731                 FD_ZERO(&writefds);
732
733                 if (SSL_in_init(con) && !SSL_total_renegotiations(con))
734                         {
735                         in_init=1;
736                         tty_on=0;
737                         }
738                 else
739                         {
740                         tty_on=1;
741                         if (in_init)
742                                 {
743                                 in_init=0;
744                                 print_stuff(bio_c_out,con,full_log);
745                                 if (full_log > 0) full_log--;
746
747                                 if (starttls_proto)
748                                         {
749                                         BIO_printf(bio_err,"%s",mbuf);
750                                         /* We don't need to know any more */
751                                         starttls_proto = 0;
752                                         }
753
754                                 if (reconnect)
755                                         {
756                                         reconnect--;
757                                         BIO_printf(bio_c_out,"drop connection and then reconnect\n");
758                                         SSL_shutdown(con);
759                                         SSL_set_connect_state(con);
760                                         SHUTDOWN(SSL_get_fd(con));
761                                         goto re_start;
762                                         }
763                                 }
764                         }
765
766                 ssl_pending = read_ssl && SSL_pending(con);
767
768                 if (!ssl_pending)
769                         {
770 #if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE)
771                         if (tty_on)
772                                 {
773                                 if (read_tty)  FD_SET(fileno(stdin),&readfds);
774                                 if (write_tty) FD_SET(fileno(stdout),&writefds);
775                                 }
776                         if (read_ssl)
777                                 FD_SET(SSL_get_fd(con),&readfds);
778                         if (write_ssl)
779                                 FD_SET(SSL_get_fd(con),&writefds);
780 #else
781                         if(!tty_on || !write_tty) {
782                                 if (read_ssl)
783                                         FD_SET(SSL_get_fd(con),&readfds);
784                                 if (write_ssl)
785                                         FD_SET(SSL_get_fd(con),&writefds);
786                         }
787 #endif
788 /*                      printf("mode tty(%d %d%d) ssl(%d%d)\n",
789                                 tty_on,read_tty,write_tty,read_ssl,write_ssl);*/
790
791                         /* Note: under VMS with SOCKETSHR the second parameter
792                          * is currently of type (int *) whereas under other
793                          * systems it is (void *) if you don't have a cast it
794                          * will choke the compiler: if you do have a cast then
795                          * you can either go for (int *) or (void *).
796                          */
797 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
798                         /* Under Windows/DOS we make the assumption that we can
799                          * always write to the tty: therefore if we need to
800                          * write to the tty we just fall through. Otherwise
801                          * we timeout the select every second and see if there
802                          * are any keypresses. Note: this is a hack, in a proper
803                          * Windows application we wouldn't do this.
804                          */
805                         i=0;
806                         if(!write_tty) {
807                                 if(read_tty) {
808                                         tv.tv_sec = 1;
809                                         tv.tv_usec = 0;
810                                         i=select(width,(void *)&readfds,(void *)&writefds,
811                                                  NULL,&tv);
812 #if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
813                                         if(!i && (!_kbhit() || !read_tty) ) continue;
814 #else
815                                         if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue;
816 #endif
817                                 } else  i=select(width,(void *)&readfds,(void *)&writefds,
818                                          NULL,NULL);
819                         }
820 #elif defined(OPENSSL_SYS_NETWARE)
821                         if(!write_tty) {
822                                 if(read_tty) {
823                                         tv.tv_sec = 1;
824                                         tv.tv_usec = 0;
825                                         i=select(width,(void *)&readfds,(void *)&writefds,
826                                                 NULL,&tv);
827                                 } else  i=select(width,(void *)&readfds,(void *)&writefds,
828                                         NULL,NULL);
829                         }
830 #else
831                         i=select(width,(void *)&readfds,(void *)&writefds,
832                                  NULL,NULL);
833 #endif
834                         if ( i < 0)
835                                 {
836                                 BIO_printf(bio_err,"bad select %d\n",
837                                 get_last_socket_error());
838                                 goto shut;
839                                 /* goto end; */
840                                 }
841                         }
842
843                 if (!ssl_pending && FD_ISSET(SSL_get_fd(con),&writefds))
844                         {
845                         k=SSL_write(con,&(cbuf[cbuf_off]),
846                                 (unsigned int)cbuf_len);
847                         switch (SSL_get_error(con,k))
848                                 {
849                         case SSL_ERROR_NONE:
850                                 cbuf_off+=k;
851                                 cbuf_len-=k;
852                                 if (k <= 0) goto end;
853                                 /* we have done a  write(con,NULL,0); */
854                                 if (cbuf_len <= 0)
855                                         {
856                                         read_tty=1;
857                                         write_ssl=0;
858                                         }
859                                 else /* if (cbuf_len > 0) */
860                                         {
861                                         read_tty=0;
862                                         write_ssl=1;
863                                         }
864                                 break;
865                         case SSL_ERROR_WANT_WRITE:
866                                 BIO_printf(bio_c_out,"write W BLOCK\n");
867                                 write_ssl=1;
868                                 read_tty=0;
869                                 break;
870                         case SSL_ERROR_WANT_READ:
871                                 BIO_printf(bio_c_out,"write R BLOCK\n");
872                                 write_tty=0;
873                                 read_ssl=1;
874                                 write_ssl=0;
875                                 break;
876                         case SSL_ERROR_WANT_X509_LOOKUP:
877                                 BIO_printf(bio_c_out,"write X BLOCK\n");
878                                 break;
879                         case SSL_ERROR_ZERO_RETURN:
880                                 if (cbuf_len != 0)
881                                         {
882                                         BIO_printf(bio_c_out,"shutdown\n");
883                                         goto shut;
884                                         }
885                                 else
886                                         {
887                                         read_tty=1;
888                                         write_ssl=0;
889                                         break;
890                                         }
891                                 
892                         case SSL_ERROR_SYSCALL:
893                                 if ((k != 0) || (cbuf_len != 0))
894                                         {
895                                         BIO_printf(bio_err,"write:errno=%d\n",
896                                                 get_last_socket_error());
897                                         goto shut;
898                                         }
899                                 else
900                                         {
901                                         read_tty=1;
902                                         write_ssl=0;
903                                         }
904                                 break;
905                         case SSL_ERROR_SSL:
906                                 ERR_print_errors(bio_err);
907                                 goto shut;
908                                 }
909                         }
910 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
911                 /* Assume Windows/DOS can always write */
912                 else if (!ssl_pending && write_tty)
913 #else
914                 else if (!ssl_pending && FD_ISSET(fileno(stdout),&writefds))
915 #endif
916                         {
917 #ifdef CHARSET_EBCDIC
918                         ascii2ebcdic(&(sbuf[sbuf_off]),&(sbuf[sbuf_off]),sbuf_len);
919 #endif
920                         i=raw_write_stdout(&(sbuf[sbuf_off]),sbuf_len);
921
922                         if (i <= 0)
923                                 {
924                                 BIO_printf(bio_c_out,"DONE\n");
925                                 goto shut;
926                                 /* goto end; */
927                                 }
928
929                         sbuf_len-=i;;
930                         sbuf_off+=i;
931                         if (sbuf_len <= 0)
932                                 {
933                                 read_ssl=1;
934                                 write_tty=0;
935                                 }
936                         }
937                 else if (ssl_pending || FD_ISSET(SSL_get_fd(con),&readfds))
938                         {
939 #ifdef RENEG
940 { static int iiii; if (++iiii == 52) { SSL_renegotiate(con); iiii=0; } }
941 #endif
942 #if 1
943                         k=SSL_read(con,sbuf,1024 /* BUFSIZZ */ );
944 #else
945 /* Demo for pending and peek :-) */
946                         k=SSL_read(con,sbuf,16);
947 { char zbuf[10240]; 
948 printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240));
949 }
950 #endif
951
952                         switch (SSL_get_error(con,k))
953                                 {
954                         case SSL_ERROR_NONE:
955                                 if (k <= 0)
956                                         goto end;
957                                 sbuf_off=0;
958                                 sbuf_len=k;
959
960                                 read_ssl=0;
961                                 write_tty=1;
962                                 break;
963                         case SSL_ERROR_WANT_WRITE:
964                                 BIO_printf(bio_c_out,"read W BLOCK\n");
965                                 write_ssl=1;
966                                 read_tty=0;
967                                 break;
968                         case SSL_ERROR_WANT_READ:
969                                 BIO_printf(bio_c_out,"read R BLOCK\n");
970                                 write_tty=0;
971                                 read_ssl=1;
972                                 if ((read_tty == 0) && (write_ssl == 0))
973                                         write_ssl=1;
974                                 break;
975                         case SSL_ERROR_WANT_X509_LOOKUP:
976                                 BIO_printf(bio_c_out,"read X BLOCK\n");
977                                 break;
978                         case SSL_ERROR_SYSCALL:
979                                 BIO_printf(bio_err,"read:errno=%d\n",get_last_socket_error());
980                                 goto shut;
981                         case SSL_ERROR_ZERO_RETURN:
982                                 BIO_printf(bio_c_out,"closed\n");
983                                 goto shut;
984                         case SSL_ERROR_SSL:
985                                 ERR_print_errors(bio_err);
986                                 goto shut;
987                                 /* break; */
988                                 }
989                         }
990
991 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
992 #if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
993                 else if (_kbhit())
994 #else
995                 else if ((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0)))
996 #endif
997 #elif defined (OPENSSL_SYS_NETWARE)
998                 else if (_kbhit())
999 #else
1000                 else if (FD_ISSET(fileno(stdin),&readfds))
1001 #endif
1002                         {
1003                         if (crlf)
1004                                 {
1005                                 int j, lf_num;
1006
1007                                 i=raw_read_stdin(cbuf,BUFSIZZ/2);
1008                                 lf_num = 0;
1009                                 /* both loops are skipped when i <= 0 */
1010                                 for (j = 0; j < i; j++)
1011                                         if (cbuf[j] == '\n')
1012                                                 lf_num++;
1013                                 for (j = i-1; j >= 0; j--)
1014                                         {
1015                                         cbuf[j+lf_num] = cbuf[j];
1016                                         if (cbuf[j] == '\n')
1017                                                 {
1018                                                 lf_num--;
1019                                                 i++;
1020                                                 cbuf[j+lf_num] = '\r';
1021                                                 }
1022                                         }
1023                                 assert(lf_num == 0);
1024                                 }
1025                         else
1026                                 i=raw_read_stdin(cbuf,BUFSIZZ);
1027
1028                         if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q')))
1029                                 {
1030                                 BIO_printf(bio_err,"DONE\n");
1031                                 goto shut;
1032                                 }
1033
1034                         if ((!c_ign_eof) && (cbuf[0] == 'R'))
1035                                 {
1036                                 BIO_printf(bio_err,"RENEGOTIATING\n");
1037                                 SSL_renegotiate(con);
1038                                 cbuf_len=0;
1039                                 }
1040                         else
1041                                 {
1042                                 cbuf_len=i;
1043                                 cbuf_off=0;
1044 #ifdef CHARSET_EBCDIC
1045                                 ebcdic2ascii(cbuf, cbuf, i);
1046 #endif
1047                                 }
1048
1049                         write_ssl=1;
1050                         read_tty=0;
1051                         }
1052                 }
1053 shut:
1054         SSL_shutdown(con);
1055         SHUTDOWN(SSL_get_fd(con));
1056         ret=0;
1057 end:
1058         if(prexit) print_stuff(bio_c_out,con,1);
1059         if (con != NULL) SSL_free(con);
1060         if (con2 != NULL) SSL_free(con2);
1061         if (ctx != NULL) SSL_CTX_free(ctx);
1062         if (cert)
1063                 X509_free(cert);
1064         if (key)
1065                 EVP_PKEY_free(key);
1066         if (pass)
1067                 OPENSSL_free(pass);
1068         if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); }
1069         if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); }
1070         if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); }
1071         if (bio_c_out != NULL)
1072                 {
1073                 BIO_free(bio_c_out);
1074                 bio_c_out=NULL;
1075                 }
1076         apps_shutdown();
1077         OPENSSL_EXIT(ret);
1078         }
1079
1080
1081 static void print_stuff(BIO *bio, SSL *s, int full)
1082         {
1083         X509 *peer=NULL;
1084         char *p;
1085         static const char *space="                ";
1086         char buf[BUFSIZ];
1087         STACK_OF(X509) *sk;
1088         STACK_OF(X509_NAME) *sk2;
1089         SSL_CIPHER *c;
1090         X509_NAME *xn;
1091         int j,i;
1092 #ifndef OPENSSL_NO_COMP
1093         const COMP_METHOD *comp, *expansion;
1094 #endif
1095
1096         if (full)
1097                 {
1098                 int got_a_chain = 0;
1099
1100                 sk=SSL_get_peer_cert_chain(s);
1101                 if (sk != NULL)
1102                         {
1103                         got_a_chain = 1; /* we don't have it for SSL2 (yet) */
1104
1105                         BIO_printf(bio,"---\nCertificate chain\n");
1106                         for (i=0; i<sk_X509_num(sk); i++)
1107                                 {
1108                                 X509_NAME_oneline(X509_get_subject_name(
1109                                         sk_X509_value(sk,i)),buf,sizeof buf);
1110                                 BIO_printf(bio,"%2d s:%s\n",i,buf);
1111                                 X509_NAME_oneline(X509_get_issuer_name(
1112                                         sk_X509_value(sk,i)),buf,sizeof buf);
1113                                 BIO_printf(bio,"   i:%s\n",buf);
1114                                 if (c_showcerts)
1115                                         PEM_write_bio_X509(bio,sk_X509_value(sk,i));
1116                                 }
1117                         }
1118
1119                 BIO_printf(bio,"---\n");
1120                 peer=SSL_get_peer_certificate(s);
1121                 if (peer != NULL)
1122                         {
1123                         BIO_printf(bio,"Server certificate\n");
1124                         if (!(c_showcerts && got_a_chain)) /* Redundant if we showed the whole chain */
1125                                 PEM_write_bio_X509(bio,peer);
1126                         X509_NAME_oneline(X509_get_subject_name(peer),
1127                                 buf,sizeof buf);
1128                         BIO_printf(bio,"subject=%s\n",buf);
1129                         X509_NAME_oneline(X509_get_issuer_name(peer),
1130                                 buf,sizeof buf);
1131                         BIO_printf(bio,"issuer=%s\n",buf);
1132                         }
1133                 else
1134                         BIO_printf(bio,"no peer certificate available\n");
1135
1136                 sk2=SSL_get_client_CA_list(s);
1137                 if ((sk2 != NULL) && (sk_X509_NAME_num(sk2) > 0))
1138                         {
1139                         BIO_printf(bio,"---\nAcceptable client certificate CA names\n");
1140                         for (i=0; i<sk_X509_NAME_num(sk2); i++)
1141                                 {
1142                                 xn=sk_X509_NAME_value(sk2,i);
1143                                 X509_NAME_oneline(xn,buf,sizeof(buf));
1144                                 BIO_write(bio,buf,strlen(buf));
1145                                 BIO_write(bio,"\n",1);
1146                                 }
1147                         }
1148                 else
1149                         {
1150                         BIO_printf(bio,"---\nNo client certificate CA names sent\n");
1151                         }
1152                 p=SSL_get_shared_ciphers(s,buf,sizeof buf);
1153                 if (p != NULL)
1154                         {
1155                         /* This works only for SSL 2.  In later protocol
1156                          * versions, the client does not know what other
1157                          * ciphers (in addition to the one to be used
1158                          * in the current connection) the server supports. */
1159
1160                         BIO_printf(bio,"---\nCiphers common between both SSL endpoints:\n");
1161                         j=i=0;
1162                         while (*p)
1163                                 {
1164                                 if (*p == ':')
1165                                         {
1166                                         BIO_write(bio,space,15-j%25);
1167                                         i++;
1168                                         j=0;
1169                                         BIO_write(bio,((i%3)?" ":"\n"),1);
1170                                         }
1171                                 else
1172                                         {
1173                                         BIO_write(bio,p,1);
1174                                         j++;
1175                                         }
1176                                 p++;
1177                                 }
1178                         BIO_write(bio,"\n",1);
1179                         }
1180
1181                 BIO_printf(bio,"---\nSSL handshake has read %ld bytes and written %ld bytes\n",
1182                         BIO_number_read(SSL_get_rbio(s)),
1183                         BIO_number_written(SSL_get_wbio(s)));
1184                 }
1185         BIO_printf(bio,((s->hit)?"---\nReused, ":"---\nNew, "));
1186         c=SSL_get_current_cipher(s);
1187         BIO_printf(bio,"%s, Cipher is %s\n",
1188                 SSL_CIPHER_get_version(c),
1189                 SSL_CIPHER_get_name(c));
1190         if (peer != NULL) {
1191                 EVP_PKEY *pktmp;
1192                 pktmp = X509_get_pubkey(peer);
1193                 BIO_printf(bio,"Server public key is %d bit\n",
1194                                                          EVP_PKEY_bits(pktmp));
1195                 EVP_PKEY_free(pktmp);
1196         }
1197 #ifndef OPENSSL_NO_COMP
1198         comp=SSL_get_current_compression(s);
1199         expansion=SSL_get_current_expansion(s);
1200         BIO_printf(bio,"Compression: %s\n",
1201                 comp ? SSL_COMP_get_name(comp) : "NONE");
1202         BIO_printf(bio,"Expansion: %s\n",
1203                 expansion ? SSL_COMP_get_name(expansion) : "NONE");
1204 #endif
1205         SSL_SESSION_print(bio,SSL_get_session(s));
1206         BIO_printf(bio,"---\n");
1207         if (peer != NULL)
1208                 X509_free(peer);
1209         /* flush, or debugging output gets mixed with http response */
1210         BIO_flush(bio);
1211         }
1212