#include <errno.h>
#include <openssl/e_os2.h>
+#ifndef OPENSSL_NO_SOCK
+
/*
* With IPv6, it looks like Digital has mixed up the proper order of
* recursive header file inclusion, resulting in the compiler complaining
static int c_brief = 0;
static void print_stuff(BIO *berr, SSL *con, int full);
+#ifndef OPENSSL_NO_OCSP
static int ocsp_resp_cb(SSL *s, void *arg);
+#endif
static int saved_errno;
/* This the context that we pass to next_proto_cb */
typedef struct tlsextnextprotoctx_st {
unsigned char *data;
- unsigned short len;
+ size_t len;
int status;
} tlsextnextprotoctx;
OPT_S_ENUM,
OPT_FALLBACKSCSV, OPT_NOCMDS, OPT_PROXY, OPT_DANE_TLSA_DOMAIN,
#ifndef OPENSSL_NO_CT
- OPT_NOCT, OPT_REQUESTCT, OPT_REQUIRECT, OPT_CTLOG_FILE,
+ OPT_CT, OPT_NOCT, OPT_CTLOG_FILE,
#endif
OPT_DANE_TLSA_RRDATA
} OPTION_CHOICE;
"Set TLS extension servername in ClientHello"},
{"tlsextdebug", OPT_TLSEXTDEBUG, '-',
"Hex dump of all TLS extensions received"},
+#ifndef OPENSSL_NO_OCSP
{"status", OPT_STATUS, '-', "Request certificate status from server"},
+#endif
{"serverinfo", OPT_SERVERINFO, 's',
"types Send empty ClientHello extensions (comma-separated numbers)"},
{"alpn", OPT_ALPN, 's',
{"async", OPT_ASYNC, '-', "Support asynchronous operation"},
{"ssl_config", OPT_SSL_CONFIG, 's', "Use specified configuration file"},
{"split_send_frag", OPT_SPLIT_SEND_FRAG, 'n',
- "Size used to split data for encrypt/decrypt pipelines"},
+ "Size used to split data for encrypt pipelines"},
{"max_pipelines", OPT_MAX_PIPELINES, 'n',
"Maximum number of encrypt/decrypt pipelines to be used"},
{"read_buf", OPT_READ_BUF, 'n',
"Specify engine to be used for client certificate operations"},
#endif
#ifndef OPENSSL_NO_CT
+ {"ct", OPT_CT, '-', "Request and parse SCTs (also enables OCSP stapling)"},
{"noct", OPT_NOCT, '-', "Do not request or parse SCTs (default)"},
- {"requestct", OPT_REQUESTCT, '-', "Request SCTs (enables OCSP stapling)"},
- {"requirect", OPT_REQUIRECT, '-', "Require at least 1 SCT (enables OCSP stapling)"},
{"ctlogfile", OPT_CTLOG_FILE, '<', "CT log list CONF file"},
#endif
{NULL}
char *sess_in = NULL, *sess_out = NULL, *crl_file = NULL, *p;
char *xmpphost = NULL;
const char *ehlo = "mail.example.com";
- struct sockaddr peer;
struct timeval timeout, *timeoutp;
fd_set readfds, writefds;
int noCApath = 0, noCAfile = 0;
int build_chain = 0, cbuf_len, cbuf_off, cert_format = FORMAT_PEM;
int key_format = FORMAT_PEM, crlf = 0, full_log = 1, mbuf_len = 0;
int prexit = 0;
- int enable_timeouts = 0, sdebug = 0, peerlen = sizeof peer;
+ int sdebug = 0;
int reconnect = 0, verify = SSL_VERIFY_NONE, vpmtouched = 0;
int ret = 1, in_init = 1, i, nbio_test = 0, s = -1, k, width, state = 0;
int sbuf_len, sbuf_off, cmdletters = 1;
int write_tty, read_tty, write_ssl, read_ssl, tty_on, ssl_pending;
int read_buf_len = 0;
int fallback_scsv = 0;
- long socket_mtu = 0, randamt = 0;
+ long randamt = 0;
OPTION_CHOICE o;
+#ifndef OPENSSL_NO_DTLS
+ int enable_timeouts = 0;
+ long socket_mtu = 0;
+#endif
#ifndef OPENSSL_NO_ENGINE
ENGINE *ssl_client_engine = NULL;
#endif
ENGINE *e = NULL;
-#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
struct timeval tv;
#endif
char *servername = NULL;
#endif
#ifndef OPENSSL_NO_CT
char *ctlog_file = NULL;
- ct_validation_cb ct_validation = NULL;
+ int ct_validation = 0;
#endif
+ int min_version = 0, max_version = 0;
FD_ZERO(&readfds);
FD_ZERO(&writefds);
#ifndef OPENSSL_NO_SRP
case OPT_SRPUSER:
srp_arg.srplogin = opt_arg();
- meth = TLSv1_client_method();
+ if (min_version < TLS1_VERSION)
+ min_version = TLS1_VERSION;
break;
case OPT_SRPPASS:
srppass = opt_arg();
- meth = TLSv1_client_method();
+ if (min_version < TLS1_VERSION)
+ min_version = TLS1_VERSION;
break;
case OPT_SRP_STRENGTH:
srp_arg.strength = atoi(opt_arg());
BIO_printf(bio_err, "SRP minimal length for N is %d\n",
srp_arg.strength);
- meth = TLSv1_client_method();
+ if (min_version < TLS1_VERSION)
+ min_version = TLS1_VERSION;
break;
case OPT_SRP_LATEUSER:
srp_lateuser = 1;
- meth = TLSv1_client_method();
+ if (min_version < TLS1_VERSION)
+ min_version = TLS1_VERSION;
break;
case OPT_SRP_MOREGROUPS:
srp_arg.amp = 1;
- meth = TLSv1_client_method();
+ if (min_version < TLS1_VERSION)
+ min_version = TLS1_VERSION;
break;
#else
case OPT_SRPUSER:
ssl_config = opt_arg();
break;
case OPT_SSL3:
-#ifndef OPENSSL_NO_SSL3
- meth = SSLv3_client_method();
-#endif
+ min_version = SSL3_VERSION;
+ max_version = SSL3_VERSION;
break;
case OPT_TLS1_2:
-#ifndef OPENSSL_NO_TLS1_2
- meth = TLSv1_2_client_method();
-#endif
+ min_version = TLS1_2_VERSION;
+ max_version = TLS1_2_VERSION;
break;
case OPT_TLS1_1:
-#ifndef OPENSSL_NO_TLS1_1
- meth = TLSv1_1_client_method();
-#endif
+ min_version = TLS1_1_VERSION;
+ max_version = TLS1_1_VERSION;
break;
case OPT_TLS1:
-#ifndef OPENSSL_NO_TLS1
- meth = TLSv1_client_method();
-#endif
+ min_version = TLS1_VERSION;
+ max_version = TLS1_VERSION;
break;
case OPT_DTLS:
#ifndef OPENSSL_NO_DTLS
break;
case OPT_DTLS1:
#ifndef OPENSSL_NO_DTLS1
- meth = DTLSv1_client_method();
+ meth = DTLS_client_method();
+ min_version = DTLS1_VERSION;
+ max_version = DTLS1_VERSION;
socket_type = SOCK_DGRAM;
#endif
break;
case OPT_DTLS1_2:
#ifndef OPENSSL_NO_DTLS1_2
- meth = DTLSv1_2_client_method();
+ meth = DTLS_client_method();
+ min_version = DTLS1_2_VERSION;
+ max_version = DTLS1_2_VERSION;
socket_type = SOCK_DGRAM;
#endif
break;
break;
#ifndef OPENSSL_NO_CT
case OPT_NOCT:
- ct_validation = NULL;
+ ct_validation = 0;
break;
- case OPT_REQUESTCT:
- ct_validation = CT_verify_no_bad_scts;
- break;
- case OPT_REQUIRECT:
- ct_validation = CT_verify_at_least_one_good_sct;
+ case OPT_CT:
+ ct_validation = 1;
break;
case OPT_CTLOG_FILE:
ctlog_file = opt_arg();
}
break;
case OPT_NEXTPROTONEG:
+#ifndef OPENSSL_NO_NEXTPROTONEG
next_proto_neg_in = opt_arg();
+#endif
break;
case OPT_ALPN:
alpn_in = opt_arg();
case OPT_STARTTLS:
if (!opt_pair(opt_arg(), services, &starttls_proto))
goto end;
+ break;
case OPT_SERVERNAME:
servername = opt_arg();
break;
case OPT_SPLIT_SEND_FRAG:
split_send_fragment = atoi(opt_arg());
if (split_send_fragment == 0) {
- /* Not allowed - set to a deliberately bad value */
- split_send_fragment = -1;
+ /*
+ * Not allowed - set to a deliberately bad value so we get an
+ * error message below
+ */
+ split_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH + 1;
}
break;
case OPT_MAX_PIPELINES:
}
}
+ if (SSL_CTX_set_min_proto_version(ctx, min_version) == 0)
+ goto end;
+ if (SSL_CTX_set_max_proto_version(ctx, max_version) == 0)
+ goto end;
+
if (vpmtouched && !SSL_CTX_set1_param(ctx, vpm)) {
BIO_printf(bio_err, "Error setting verify params\n");
ERR_print_errors(bio_err);
SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto);
#endif
if (alpn_in) {
- unsigned short alpn_len;
+ size_t alpn_len;
unsigned char *alpn = next_protos_parse(&alpn_len, alpn_in);
if (alpn == NULL) {
SSL_CTX_set_info_callback(ctx, apps_ssl_info_callback);
#ifndef OPENSSL_NO_CT
- if (!SSL_CTX_set_ct_validation_callback(ctx, ct_validation, NULL)) {
+ /* Enable SCT processing, without early connection termination */
+ if (ct_validation &&
+ !SSL_CTX_enable_ct(ctx, SSL_CT_VALIDATION_PERMISSIVE)) {
ERR_print_errors(bio_err);
goto end;
}
- if (ctx_set_ctlog_list_file(ctx, ctlog_file) <= 0) {
- ERR_print_errors(bio_err);
- goto end;
+ if (!ctx_set_ctlog_list_file(ctx, ctlog_file)) {
+ if (ct_validation) {
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+
+ /*
+ * If CT validation is not enabled, the log list isn't needed so don't
+ * show errors or abort. We try to load it regardless because then we
+ * can show the names of the logs any SCTs came from (SCTs may be seen
+ * even with validation disabled).
+ */
+ ERR_clear_error();
}
#endif
}
BIO_printf(bio_c_out, "Turned on non blocking io\n");
}
+#ifndef OPENSSL_NO_DTLS
if (socket_type == SOCK_DGRAM) {
+ struct sockaddr peer;
+ int peerlen = sizeof peer;
sbio = BIO_new_dgram(s, BIO_NOCLOSE);
if (getsockname(s, &peer, (void *)&peerlen) < 0) {
/* want to do MTU discovery */
BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
} else
+#endif /* OPENSSL_NO_DTLS */
sbio = BIO_new_socket(s, BIO_NOCLOSE);
if (nbio_test) {
SSL_set_tlsext_debug_callback(con, tlsext_cb);
SSL_set_tlsext_debug_arg(con, bio_c_out);
}
+#ifndef OPENSSL_NO_OCSP
if (c_status_req) {
SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp);
SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb);
SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out);
}
+#endif
SSL_set_bio(con, sbio, sbio);
SSL_set_connect_state(con);
BIO *fbio = BIO_new(BIO_f_buffer());
BIO_push(fbio, sbio);
- BIO_printf(fbio, "CONNECT %s\r\n\r\n", connectstr);
+ BIO_printf(fbio, "CONNECT %s HTTP/1.0\r\n\r\n", connectstr);
(void)BIO_flush(fbio);
/* wait for multi-line response to end CONNECT response */
do {
ssl_pending = read_ssl && SSL_has_pending(con);
if (!ssl_pending) {
-#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE)
+#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS)
if (tty_on) {
if (read_tty)
openssl_fdset(fileno(stdin), &readfds);
i = select(width, (void *)&readfds, (void *)&writefds,
NULL, timeoutp);
}
-#elif defined(OPENSSL_SYS_NETWARE)
- if (!write_tty) {
- if (read_tty) {
- tv.tv_sec = 1;
- tv.tv_usec = 0;
- i = select(width, (void *)&readfds, (void *)&writefds,
- NULL, &tv);
- } else
- i = select(width, (void *)&readfds, (void *)&writefds,
- NULL, timeoutp);
- }
#else
i = select(width, (void *)&readfds, (void *)&writefds,
NULL, timeoutp);
goto shut;
}
}
-#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
/* Assume Windows/DOS/BeOS can always write */
else if (!ssl_pending && write_tty)
#else
|| (WAIT_OBJECT_0 ==
WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0)))
# endif
-#elif defined (OPENSSL_SYS_NETWARE)
- else if (_kbhit())
#else
else if (FD_ISSET(fileno(stdin), &readfds))
#endif
#endif
unsigned char *exportedkeymat;
#ifndef OPENSSL_NO_CT
- const STACK_OF(SCT) *scts;
+ const SSL_CTX *ctx = SSL_get_SSL_CTX(s);
#endif
if (full) {
ssl_print_tmp_key(bio, s);
#ifndef OPENSSL_NO_CT
- scts = SSL_get0_peer_scts(s);
- BIO_printf(bio, "---\nSCTs present (%i)\n---\n",
- scts ? sk_SCT_num(scts) : 0);
- SCT_LIST_print(scts, bio, 0, "\n---\n");
- BIO_printf(bio, "\n");
- if (SSL_get_ct_validation_callback(s) == NULL) {
- BIO_printf(bio, "---\nWarning: CT validation is disabled, so not all "
- "SCTs may be displayed. Re-run with \"-requestct\".\n");
+ /*
+ * When the SSL session is anonymous, or resumed via an abbreviated
+ * handshake, no SCTs are provided as part of the handshake. While in
+ * a resumed session SCTs may be present in the session's certificate,
+ * no callbacks are invoked to revalidate these, and in any case that
+ * set of SCTs may be incomplete. Thus it makes little sense to
+ * attempt to display SCTs from a resumed session's certificate, and of
+ * course none are associated with an anonymous peer.
+ */
+ if (peer != NULL && !SSL_session_reused(s) && SSL_ct_is_enabled(s)) {
+ const STACK_OF(SCT) *scts = SSL_get0_peer_scts(s);
+ int sct_count = scts != NULL ? sk_SCT_num(scts) : 0;
+
+ BIO_printf(bio, "---\nSCTs present (%i)\n", sct_count);
+ if (sct_count > 0) {
+ const CTLOG_STORE *log_store = SSL_CTX_get0_ctlog_store(ctx);
+
+ BIO_printf(bio, "---\n");
+ for (i = 0; i < sct_count; ++i) {
+ SCT *sct = sk_SCT_value(scts, i);
+
+ BIO_printf(bio, "SCT validation status: %s\n",
+ SCT_validation_status_string(sct));
+ SCT_print(sct, bio, 0, log_store);
+ if (i < sct_count - 1)
+ BIO_printf(bio, "\n---\n");
+ }
+ BIO_printf(bio, "\n");
+ }
}
#endif
(void)BIO_flush(bio);
}
+# ifndef OPENSSL_NO_OCSP
static int ocsp_resp_cb(SSL *s, void *arg)
{
const unsigned char *p;
OCSP_RESPONSE_free(rsp);
return 1;
}
+# endif
+
+#endif