Fix from 0.9.8-stable

[openssl.git] / apps / s_client.c

diff --git a/apps/s_client.c b/apps/s_client.c
index 5f09c3129736cec2b989d0ba436440bf91aeff18..a41a915ed4d5a8e849054e104e2cc2d968e929b7 100644 (file)
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -320,7 +320,7 @@ static void sc_usage(void)
        BIO_printf(bio_err," -ssl3         - just use SSLv3\n");
        BIO_printf(bio_err," -tls1         - just use TLSv1\n");
        BIO_printf(bio_err," -dtls1        - just use DTLSv1\n");    
-       BIO_printf(bio_err," -mtu          - set the MTU\n");
+       BIO_printf(bio_err," -mtu          - set the link layer MTU\n");
        BIO_printf(bio_err," -no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
        BIO_printf(bio_err," -bugs         - Switch on all SSL implementation bug workarounds\n");
        BIO_printf(bio_err," -serverpref   - Use server's cipher preferences (only SSLv2)\n");
@@ -383,7 +383,6 @@ int MAIN(int argc, char **argv)
        {
        int off=0;
        SSL *con=NULL;
-       X509_STORE *store = NULL;
        int s,k,width,state=0;
        char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL;
        int cbuf_len,cbuf_off;
@@ -404,7 +403,9 @@ int MAIN(int argc, char **argv)
        SSL_CTX *ctx=NULL;
        int ret=1,in_init=1,i,nbio_test=0;
        int starttls_proto = PROTO_OFF;
-       int prexit = 0, vflags = 0;
+       int prexit = 0;
+       X509_VERIFY_PARAM *vpm = NULL;
+       int badarg = 0;
        const SSL_METHOD *meth=NULL;
        int socket_type=SOCK_STREAM;
        BIO *sbio;
@@ -521,10 +522,12 @@ int MAIN(int argc, char **argv)
                        if (--argc < 1) goto bad;
                        cert_format = str2fmt(*(++argv));
                        }
-               else if (strcmp(*argv,"-crl_check") == 0)
-                       vflags |= X509_V_FLAG_CRL_CHECK;
-               else if (strcmp(*argv,"-crl_check_all") == 0)
-                       vflags |= X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL;
+               else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
+                       {
+                       if (badarg)
+                               goto bad;
+                       continue;
+                       }
                else if (strcmp(*argv,"-verify_return_error") == 0)
                        verify_return_error = 1;
                else if (strcmp(*argv,"-prexit") == 0)
@@ -831,6 +834,9 @@ bad:
                goto end;
                }
 
+       if (vpm)
+               SSL_CTX_set1_param(ctx, vpm);
+
 #ifndef OPENSSL_NO_ENGINE
        if (ssl_client_engine)
                {
@@ -890,8 +896,6 @@ bad:
                /* goto end; */
                }
 
-       store = SSL_CTX_get_cert_store(ctx);
-       X509_STORE_set_flags(store, vflags);
 #ifndef OPENSSL_NO_TLSEXT
        if (servername != NULL)
                {
@@ -999,10 +1003,10 @@ re_start:
                        BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
                        }
 
-               if (socket_mtu > 0)
+               if (socket_mtu > 28)
                        {
                        SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
-                       SSL_set_mtu(con, socket_mtu);
+                       SSL_set_mtu(con, socket_mtu - 28);
                        }
                else
                        /* want to do MTU discovery */