BIO_printf(bio_err," -host host - use -connect instead\n");
BIO_printf(bio_err," -port port - use -connect instead\n");
BIO_printf(bio_err," -connect host:port - who to connect to (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR);
- BIO_printf(bio_err," -checkhost host - check peer certificate matches \"host\"\n");
- BIO_printf(bio_err," -checkemail email - check peer certificate matches \"email\"\n");
- BIO_printf(bio_err," -checkip ipaddr - check peer certificate matches \"ipaddr\"\n");
-
BIO_printf(bio_err," -verify arg - turn on peer certificate verification\n");
BIO_printf(bio_err," -cert arg - certificate file to use, PEM format assumed\n");
BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n");
short port=PORT;
int full_log=1;
char *host=SSL_HOST_NAME;
- char *cert_file=NULL,*key_file=NULL;
+ char *cert_file=NULL,*key_file=NULL,*chain_file=NULL;
int cert_format = FORMAT_PEM, key_format = FORMAT_PEM;
char *passarg = NULL, *pass = NULL;
X509 *cert = NULL;
EVP_PKEY *key = NULL;
+ STACK_OF(X509) *chain = NULL;
char *CApath=NULL,*CAfile=NULL;
+ char *chCApath=NULL,*chCAfile=NULL;
+ char *vfyCApath=NULL,*vfyCAfile=NULL;
int reconnect=0,badop=0,verify=SSL_VERIFY_NONE;
int crlf=0;
int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending;
#endif
SSL_EXCERT *exc = NULL;
- unsigned char *checkhost = NULL, *checkemail = NULL;
- char *checkip = NULL;
SSL_CONF_CTX *cctx = NULL;
STACK_OF(OPENSSL_STRING) *ssl_args = NULL;
+ char *crl_file = NULL;
+ int crl_format = FORMAT_PEM;
+ int crl_download = 0;
+ STACK_OF(X509_CRL) *crls = NULL;
+
meth=SSLv23_client_method();
apps_startup();
if (--argc < 1) goto bad;
cert_file= *(++argv);
}
+ else if (strcmp(*argv,"-CRL") == 0)
+ {
+ if (--argc < 1) goto bad;
+ crl_file= *(++argv);
+ }
+ else if (strcmp(*argv,"-crl_download") == 0)
+ crl_download = 1;
else if (strcmp(*argv,"-sess_out") == 0)
{
if (--argc < 1) goto bad;
if (--argc < 1) goto bad;
cert_format = str2fmt(*(++argv));
}
+ else if (strcmp(*argv,"-CRLform") == 0)
+ {
+ if (--argc < 1) goto bad;
+ crl_format = str2fmt(*(++argv));
+ }
else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
{
if (badarg)
if (--argc < 1) goto bad;
passarg = *(++argv);
}
+ else if (strcmp(*argv,"-cert_chain") == 0)
+ {
+ if (--argc < 1) goto bad;
+ chain_file= *(++argv);
+ }
else if (strcmp(*argv,"-key") == 0)
{
if (--argc < 1) goto bad;
if (--argc < 1) goto bad;
CApath= *(++argv);
}
+ else if (strcmp(*argv,"-chainCApath") == 0)
+ {
+ if (--argc < 1) goto bad;
+ chCApath= *(++argv);
+ }
+ else if (strcmp(*argv,"-verifyCApath") == 0)
+ {
+ if (--argc < 1) goto bad;
+ vfyCApath= *(++argv);
+ }
else if (strcmp(*argv,"-build_chain") == 0)
build_chain = 1;
else if (strcmp(*argv,"-CAfile") == 0)
if (--argc < 1) goto bad;
CAfile= *(++argv);
}
+ else if (strcmp(*argv,"-chainCAfile") == 0)
+ {
+ if (--argc < 1) goto bad;
+ chCAfile= *(++argv);
+ }
+ else if (strcmp(*argv,"-verifyCAfile") == 0)
+ {
+ if (--argc < 1) goto bad;
+ vfyCAfile= *(++argv);
+ }
#ifndef OPENSSL_NO_TLSEXT
# ifndef OPENSSL_NO_NEXTPROTONEG
else if (strcmp(*argv,"-nextprotoneg") == 0)
/* meth=TLSv1_client_method(); */
}
#endif
- else if (strcmp(*argv,"-checkhost") == 0)
- {
- if (--argc < 1) goto bad;
- checkhost=(unsigned char *)*(++argv);
- }
- else if (strcmp(*argv,"-checkemail") == 0)
- {
- if (--argc < 1) goto bad;
- checkemail=(unsigned char *)*(++argv);
- }
- else if (strcmp(*argv,"-checkip") == 0)
- {
- if (--argc < 1) goto bad;
- checkip=*(++argv);
- }
#ifndef OPENSSL_NO_JPAKE
else if (strcmp(*argv,"-jpake") == 0)
{
}
}
+ if (chain_file)
+ {
+ chain = load_certs(bio_err, chain_file,FORMAT_PEM,
+ NULL, e, "client certificate chain");
+ if (!chain)
+ goto end;
+ }
+
+ if (crl_file)
+ {
+ X509_CRL *crl;
+ crl = load_crl(crl_file, crl_format);
+ if (!crl)
+ {
+ BIO_puts(bio_err, "Error loading CRL\n");
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ crls = sk_X509_CRL_new_null();
+ if (!crls || !sk_X509_CRL_push(crls, crl))
+ {
+ BIO_puts(bio_err, "Error adding CRL\n");
+ ERR_print_errors(bio_err);
+ X509_CRL_free(crl);
+ goto end;
+ }
+ }
+
if (!load_excert(&exc, bio_err))
goto end;
goto end;
}
+ if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile,
+ crls, crl_download))
+ {
+ BIO_printf(bio_err, "Error loading store locations\n");
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+
#ifndef OPENSSL_NO_ENGINE
if (ssl_client_engine)
{
/* goto end; */
}
- if (!set_cert_key_stuff(ctx,cert,key, NULL, build_chain))
+ ssl_ctx_add_crls(ctx, crls, crl_download);
+
+ if (!set_cert_key_stuff(ctx,cert,key,chain,build_chain))
goto end;
#ifndef OPENSSL_NO_TLSEXT
"CONNECTION ESTABLISHED\n");
print_ssl_summary(bio_err, con);
}
- print_ssl_cert_checks(bio_err, con, checkhost,
- checkemail, checkip);
print_stuff(bio_c_out,con,full_log);
if (full_log > 0) full_log--;
break;
case SSL_ERROR_SYSCALL:
ret=get_last_socket_error();
- BIO_printf(bio_err,"read:errno=%d\n",ret);
+ if (c_brief)
+ BIO_puts(bio_err, "CONNECTION CLOSED BY SERVER\n");
+ else
+ BIO_printf(bio_err,"read:errno=%d\n",ret);
goto shut;
case SSL_ERROR_ZERO_RETURN:
BIO_printf(bio_c_out,"closed\n");
if (ctx != NULL) SSL_CTX_free(ctx);
if (cert)
X509_free(cert);
+ if (crls)
+ sk_X509_CRL_pop_free(crls, X509_CRL_free);
if (key)
EVP_PKEY_free(key);
+ if (chain)
+ sk_X509_pop_free(chain, X509_free);
if (pass)
OPENSSL_free(pass);
if (vpm)