BIO_printf(bio_err," -host host - use -connect instead\n");
BIO_printf(bio_err," -port port - use -connect instead\n");
BIO_printf(bio_err," -connect host:port - who to connect to (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR);
- BIO_printf(bio_err," -checkhost host - check peer certificate matches \"host\"\n");
- BIO_printf(bio_err," -checkemail email - check peer certificate matches \"email\"\n");
- BIO_printf(bio_err," -checkip ipaddr - check peer certificate matches \"ipaddr\"\n");
+ BIO_printf(bio_err," -verify_host host - check peer certificate matches \"host\"\n");
+ BIO_printf(bio_err," -verify_email email - check peer certificate matches \"email\"\n");
+ BIO_printf(bio_err," -verify_ip ipaddr - check peer certificate matches \"ipaddr\"\n");
BIO_printf(bio_err," -verify arg - turn on peer certificate verification\n");
BIO_printf(bio_err," -verify_return_error - return verification errors\n");
BIO_printf(bio_err," -srppass arg - password for 'user'\n");
BIO_printf(bio_err," -srp_lateuser - SRP username into second ClientHello message\n");
BIO_printf(bio_err," -srp_moregroups - Tolerate other than the known g N values.\n");
- BIO_printf(bio_err," -srp_strength int - minimal mength in bits for N (default %d).\n",SRP_MINIMAL_N);
+ BIO_printf(bio_err," -srp_strength int - minimal length in bits for N (default %d).\n",SRP_MINIMAL_N);
#endif
BIO_printf(bio_err," -ssl2 - just use SSLv2\n");
+#ifndef OPENSSL_NO_SSL3_METHOD
BIO_printf(bio_err," -ssl3 - just use SSLv3\n");
+#endif
BIO_printf(bio_err," -tls1_2 - just use TLSv1.2\n");
BIO_printf(bio_err," -tls1_1 - just use TLSv1.1\n");
BIO_printf(bio_err," -tls1 - just use TLSv1\n");
BIO_printf(bio_err," -dtls1 - just use DTLSv1\n");
+ BIO_printf(bio_err," -fallback_scsv - send TLS_FALLBACK_SCSV\n");
BIO_printf(bio_err," -mtu - set the link layer MTU\n");
BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
BIO_printf(bio_err," -bugs - Switch on all SSL implementation bug workarounds\n");
# endif
BIO_printf(bio_err," -alpn arg - enable ALPN extension, considering named protocols supported (comma-separated list)\n");
BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
+#ifndef OPENSSL_NO_SRTP
BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
+#endif
BIO_printf(bio_err," -keymatexport label - Export keying material using label\n");
BIO_printf(bio_err," -keymatexportlen len - Export len bytes of keying material (default 20)\n");
}
}
#endif
+#ifndef OPENSSL_NO_SRTP
char *srtp_profiles = NULL;
+#endif
# ifndef OPENSSL_NO_NEXTPROTONEG
/* This the context that we pass to next_proto_cb */
}
# endif /* ndef OPENSSL_NO_NEXTPROTONEG */
-static int serverinfo_cli_cb(SSL* s, unsigned int ext_type,
- const unsigned char* in, size_t inlen,
- int* al, void* arg)
+static int serverinfo_cli_parse_cb(SSL* s, unsigned int ext_type,
+ const unsigned char* in, size_t inlen,
+ int* al, void* arg)
{
char pem_name[100];
unsigned char ext_buf[4 + 65536];
char *sess_out = NULL;
struct sockaddr peer;
int peerlen = sizeof(peer);
+ int fallback_scsv = 0;
int enable_timeouts = 0 ;
long socket_mtu = 0;
#ifndef OPENSSL_NO_JPAKE
else if (strcmp(*argv,"-ssl2") == 0)
meth=SSLv2_client_method();
#endif
-#ifndef OPENSSL_NO_SSL3
+#ifndef OPENSSL_NO_SSL3_METHOD
else if (strcmp(*argv,"-ssl3") == 0)
meth=SSLv3_client_method();
#endif
socket_mtu = atol(*(++argv));
}
#endif
+ else if (strcmp(*argv,"-fallback_scsv") == 0)
+ {
+ fallback_scsv = 1;
+ }
else if (strcmp(*argv,"-keyform") == 0)
{
if (--argc < 1) goto bad;
jpake_secret = *++argv;
}
#endif
+#ifndef OPENSSL_NO_SRTP
else if (strcmp(*argv,"-use_srtp") == 0)
{
if (--argc < 1) goto bad;
srtp_profiles = *(++argv);
}
+#endif
else if (strcmp(*argv,"-keymatexport") == 0)
{
if (--argc < 1) goto bad;
BIO_printf(bio_c_out, "PSK key given or JPAKE in use, setting client callback\n");
SSL_CTX_set_psk_client_callback(ctx, psk_client_cb);
}
+#endif
+#ifndef OPENSSL_NO_SRTP
if (srtp_profiles != NULL)
SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles);
#endif
}
#endif
#ifndef OPENSSL_NO_TLSEXT
- if (serverinfo_types_count)
+ for (i = 0; i < serverinfo_types_count; i++)
{
- for (i = 0; i < serverinfo_types_count; i++)
- {
- SSL_CTX_set_custom_cli_ext(ctx,
- serverinfo_types[i],
- NULL,
- serverinfo_cli_cb,
- NULL);
- }
+ SSL_CTX_add_client_custom_ext(ctx,
+ serverinfo_types[i],
+ NULL, NULL, NULL,
+ serverinfo_cli_parse_cb,
+ NULL);
}
#endif
SSL_set_session(con, sess);
SSL_SESSION_free(sess);
}
+
+ if (fallback_scsv)
+ SSL_set_mode(con, SSL_MODE_SEND_FALLBACK_SCSV);
+
#ifndef OPENSSL_NO_TLSEXT
if (servername != NULL)
{
BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
}
- if (socket_mtu > 28)
+ if (socket_mtu)
{
+ if(socket_mtu < DTLS_get_link_min_mtu(con))
+ {
+ BIO_printf(bio_err,"MTU too small. Must be at least %ld\n",
+ DTLS_get_link_min_mtu(con));
+ BIO_free(sbio);
+ goto shut;
+ }
SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
- SSL_set_mtu(con, socket_mtu - 28);
+ if(!DTLS_set_link_mtu(con, socket_mtu))
+ {
+ BIO_printf(bio_err, "Failed to set MTU\n");
+ BIO_free(sbio);
+ goto shut;
+ }
}
else
/* want to do MTU discovery */
}
#endif
+#ifndef OPENSSL_NO_SRTP
{
SRTP_PROTECTION_PROFILE *srtp_profile=SSL_get_selected_srtp_profile(s);
BIO_printf(bio,"SRTP Extension negotiated, profile=%s\n",
srtp_profile->name);
}
+#endif
SSL_SESSION_print(bio,SSL_get_session(s));
if (keymatexportlabel != NULL)