/* This the context that we pass to next_proto_cb */
typedef struct tlsextnextprotoctx_st {
unsigned char *data;
- unsigned short len;
+ size_t len;
int status;
} tlsextnextprotoctx;
{"async", OPT_ASYNC, '-', "Support asynchronous operation"},
{"ssl_config", OPT_SSL_CONFIG, 's', "Use specified configuration file"},
{"split_send_frag", OPT_SPLIT_SEND_FRAG, 'n',
- "Size used to split data for encrypt/decrypt pipelines"},
+ "Size used to split data for encrypt pipelines"},
{"max_pipelines", OPT_MAX_PIPELINES, 'n',
"Maximum number of encrypt/decrypt pipelines to be used"},
{"read_buf", OPT_READ_BUF, 'n',
char *ctlog_file = NULL;
ct_validation_cb ct_validation = NULL;
#endif
+ int min_version = 0, max_version = 0;
FD_ZERO(&readfds);
FD_ZERO(&writefds);
#ifndef OPENSSL_NO_SRP
case OPT_SRPUSER:
srp_arg.srplogin = opt_arg();
- meth = TLSv1_client_method();
+ if (min_version < TLS1_VERSION)
+ min_version = TLS1_VERSION;
break;
case OPT_SRPPASS:
srppass = opt_arg();
- meth = TLSv1_client_method();
+ if (min_version < TLS1_VERSION)
+ min_version = TLS1_VERSION;
break;
case OPT_SRP_STRENGTH:
srp_arg.strength = atoi(opt_arg());
BIO_printf(bio_err, "SRP minimal length for N is %d\n",
srp_arg.strength);
- meth = TLSv1_client_method();
+ if (min_version < TLS1_VERSION)
+ min_version = TLS1_VERSION;
break;
case OPT_SRP_LATEUSER:
srp_lateuser = 1;
- meth = TLSv1_client_method();
+ if (min_version < TLS1_VERSION)
+ min_version = TLS1_VERSION;
break;
case OPT_SRP_MOREGROUPS:
srp_arg.amp = 1;
- meth = TLSv1_client_method();
+ if (min_version < TLS1_VERSION)
+ min_version = TLS1_VERSION;
break;
#else
case OPT_SRPUSER:
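Review bot: The five SRP cases between L24 and L53 repeat the same two-line min_version bump, and the result depends on option order relative to the explicit version options: `-srpuser u -ssl3` ends with min_version = SSL3_VERSION (the later -ssl3 overwrites it), whereas `-ssl3 -srpuser u` leaves max_version = SSL3_VERSION but raises min_version to TLS1_VERSION, a min > max combination that presumably only surfaces as a confusing failure later rather than as an option error. A single flag removes both the duplication and the order dependence: set `srp_used = 1;` in each SRP case and, after the option loop, do `if (srp_used && min_version < TLS1_VERSION) min_version = TLS1_VERSION;` together with an explicit error when `max_version != 0 && max_version < TLS1_VERSION`. The enclosing switch and the option loop start outside this hunk.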
ssl_config = opt_arg();
break;
case OPT_SSL3:
-#ifndef OPENSSL_NO_SSL3
- meth = SSLv3_client_method();
-#endif
+ min_version = SSL3_VERSION;
+ max_version = SSL3_VERSION;
break;
case OPT_TLS1_2:
-#ifndef OPENSSL_NO_TLS1_2
- meth = TLSv1_2_client_method();
-#endif
+ min_version = TLS1_2_VERSION;
+ max_version = TLS1_2_VERSION;
break;
case OPT_TLS1_1:
-#ifndef OPENSSL_NO_TLS1_1
- meth = TLSv1_1_client_method();
-#endif
+ min_version = TLS1_1_VERSION;
+ max_version = TLS1_1_VERSION;
break;
case OPT_TLS1:
-#ifndef OPENSSL_NO_TLS1
- meth = TLSv1_client_method();
-#endif
+ min_version = TLS1_VERSION;
+ max_version = TLS1_VERSION;
break;
case OPT_DTLS:
#ifndef OPENSSL_NO_DTLS
break;
case OPT_DTLS1:
#ifndef OPENSSL_NO_DTLS1
- meth = DTLSv1_client_method();
+ meth = DTLS_client_method();
+ min_version = DTLS1_VERSION;
+ max_version = DTLS1_VERSION;
socket_type = SOCK_DGRAM;
#endif
break;
case OPT_DTLS1_2:
#ifndef OPENSSL_NO_DTLS1_2
- meth = DTLSv1_2_client_method();
+ meth = DTLS_client_method();
+ min_version = DTLS1_2_VERSION;
+ max_version = DTLS1_2_VERSION;
socket_type = SOCK_DGRAM;
#endif
break;
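Review bot: The TLS cases drop their OPENSSL_NO_SSL3/TLS1/TLS1_1/TLS1_2 guards (L60-L85) while the DTLS1 and DTLS1_2 cases keep theirs (L91, L100), so an unsupported protocol option is now handled two different ways: a disabled TLS version is rejected by SSL_CTX_set_min_proto_version after parsing, while a disabled DTLS version is silently ignored and the connection proceeds with the default method and socket type. The two families should behave the same; if DTLS_client_method() and SOCK_DGRAM are usable whenever DTLS itself is compiled in, the `#ifndef OPENSSL_NO_DTLS1` / `#ifndef OPENSSL_NO_DTLS1_2` guards can go the same way as the TLS ones and the library's version check takes over (confirm against the OPENSSL_NO_DTLS handling at L88, whose body is cut from this hunk). The enclosing switch starts and ends outside this hunk.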
case OPT_SPLIT_SEND_FRAG:
split_send_fragment = atoi(opt_arg());
if (split_send_fragment == 0) {
- /* Not allowed - set to a deliberately bad value */
- split_send_fragment = -1;
+ /*
+ * Not allowed - set to a deliberately bad value so we get an
+ * error message below
+ */
+ split_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH + 1;
}
break;
case OPT_MAX_PIPELINES:
}
}
+ if (SSL_CTX_set_min_proto_version(ctx, min_version) == 0)
+ goto end;
+ if (SSL_CTX_set_max_proto_version(ctx, max_version) == 0)
+ goto end;
+
if (vpmtouched && !SSL_CTX_set1_param(ctx, vpm)) {
BIO_printf(bio_err, "Error setting verify params\n");
ERR_print_errors(bio_err);
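Review bot: The two new checks at L123-L126 jump to `end` without printing anything, so a user who asks for a protocol the library was built without (the OPENSSL_NO_* guards were removed from the TLS cases earlier in this commit) or who combines `-ssl3` with an SRP option gets a silent non-zero exit, unlike the neighbouring verify-params failure at L128-L130 which reports via bio_err. Report the failure the same way before bailing out; the SSL_CTX creation and the `end:` label are outside this hunk.
```c
    if (SSL_CTX_set_min_proto_version(ctx, min_version) == 0
        || SSL_CTX_set_max_proto_version(ctx, max_version) == 0) {
        BIO_printf(bio_err, "Error setting protocol version bounds\n");
        ERR_print_errors(bio_err);
        goto end;
    }
    /* … unchanged: verify-params check … */
```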
SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto);
#endif
if (alpn_in) {
- unsigned short alpn_len;
+ size_t alpn_len;
unsigned char *alpn = next_protos_parse(&alpn_len, alpn_in);
if (alpn == NULL) {
goto end;
}
- if (ctx_set_ctlog_list_file(ctx, ctlog_file) <= 0) {
- ERR_print_errors(bio_err);
- goto end;
+ if (!ctx_set_ctlog_list_file(ctx, ctlog_file)) {
+ if (ct_validation != NULL) {
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+
+ /*
+ * If CT validation is not enabled, the log list isn't needed so don't
+ * show errors or abort. We try to load it regardless because then we
+ * can show the names of the logs any SCTs came from (SCTs may be seen
+ * even with validation disabled).
+ */
+ ERR_clear_error();
}
#endif
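Review bot: The new condition `!ctx_set_ctlog_list_file(ctx, ctlog_file)` at L143 treats every non-zero return as success, whereas the replaced `<= 0` at L140 also treated a negative return as failure; if the helper only ever returns 0 or 1 this is harmless, but if it forwards a negative error code from the underlying log-list loader the error is now accepted silently and validation would run with an empty log store. The helper's definition is outside this hunk, so confirm its return contract; if it is 0/1 only, a one-line comment such as `/* ctx_set_ctlog_list_file() returns 1 on success, 0 on failure */` above the check records the assumption the new test depends on.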
unsigned char *exportedkeymat;
#ifndef OPENSSL_NO_CT
const STACK_OF(SCT) *scts;
+ const SSL_CTX *ctx = SSL_get_SSL_CTX(s);
#endif
if (full) {
#ifndef OPENSSL_NO_CT
scts = SSL_get0_peer_scts(s);
- BIO_printf(bio, "---\nSCTs present (%i)\n---\n",
- scts ? sk_SCT_num(scts) : 0);
- SCT_LIST_print(scts, bio, 0, "\n---\n");
- BIO_printf(bio, "\n");
+ BIO_printf(bio, "---\nSCTs present (%i)\n",
+ scts != NULL ? sk_SCT_num(scts) : 0);
+
if (SSL_get_ct_validation_callback(s) == NULL) {
- BIO_printf(bio, "---\nWarning: CT validation is disabled, so not all "
+ BIO_printf(bio, "Warning: CT validation is disabled, so not all "
"SCTs may be displayed. Re-run with \"-requestct\".\n");
}
+
+ if (scts != NULL && sk_SCT_num(scts) > 0) {
+ const CTLOG_STORE *log_store = SSL_CTX_get0_ctlog_store(ctx);
+
+ BIO_printf(bio, "---\n");
+ SCT_LIST_print(scts, bio, 0, "\n---\n", log_store);
+ BIO_printf(bio, "\n");
+ }
#endif
BIO_printf(bio,