X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=apps%2Fs_server.c;h=f5d313ceb52f3fa6b0620a6f20a95ba29ced14f3;hp=d33996820060524286c6fb70ccb0e46e2e9cc7d4;hb=61f477f4ab2ad9fcf072f37d9c5676a1ad03c037;hpb=ee2ffc279417f15fef3b1073c7dc81a908991516 diff --git a/apps/s_server.c b/apps/s_server.c index d339968200..f5d313ceb5 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -201,6 +201,7 @@ typedef unsigned int u_int; #ifndef OPENSSL_NO_RSA static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength); #endif +static int not_resumable_sess_cb(SSL *s, int is_forward_secure); static int sv_body(char *hostname, int s, unsigned char *context); static int www_body(char *hostname, int s, unsigned char *context); static void close_accept_socket(void ); @@ -289,6 +290,7 @@ static int s_tlsextdebug=0; static int s_tlsextstatus=0; static int cert_status_cb(SSL *s, void *arg); #endif +static int no_resume_ephemeral = 0; static int s_msg=0; static int s_quiet=0; @@ -460,7 +462,7 @@ static void sv_usage(void) #endif BIO_printf(bio_err," -ssl2 - Just talk SSLv2\n"); BIO_printf(bio_err," -ssl3 - Just talk SSLv3\n"); - BIO_printf(bio_err," -tls1_1 - Just talk TLSv1_1\n"); + BIO_printf(bio_err," -tls1_1 - Just talk TLSv1.1\n"); BIO_printf(bio_err," -tls1 - Just talk TLSv1\n"); BIO_printf(bio_err," -dtls1 - Just talk DTLSv1\n"); BIO_printf(bio_err," -timeout - Enable timeouts\n"); @@ -476,6 +478,7 @@ static void sv_usage(void) #ifndef OPENSSL_NO_ECDH BIO_printf(bio_err," -no_ecdhe - Disable ephemeral ECDH\n"); #endif + BIO_printf(bio_err, "-no_resume_ephemeral - Disable caching and tickets if ephemeral (EC)DH is used\n"); BIO_printf(bio_err," -bugs - Turn on SSL bug compatibility\n"); BIO_printf(bio_err," -www - Respond to a 'GET /' with a status page\n"); BIO_printf(bio_err," -WWW - Respond to a 'GET / HTTP/1.0' with file ./\n"); @@ -493,12 +496,12 @@ static void sv_usage(void) BIO_printf(bio_err," (default is %s)\n",TEST_CERT2); BIO_printf(bio_err," -key2 arg - Private Key file to use for servername, in cert file if\n"); BIO_printf(bio_err," not specified (default is %s)\n",TEST_CERT2); -# ifndef OPENSSL_NO_NPN BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n"); -# endif BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n"); BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n"); +# ifndef OPENSSL_NO_NEXTPROTONEG BIO_printf(bio_err," -nextprotoneg arg - set the advertised protocols for the NPN extension (comma-separated list)\n"); +# endif #endif } @@ -834,7 +837,7 @@ BIO_printf(err, "cert_status: received %d ids\n", sk_OCSP_RESPID_num(ids)); goto done; } -# ifndef OPENSSL_NO_NPN +# ifndef OPENSSL_NO_NEXTPROTONEG /* This is the context that we pass to next_proto_cb */ typedef struct tlsextnextprotoctx_st { unsigned char *data; @@ -853,6 +856,12 @@ static int next_proto_cb(SSL *s, const unsigned char **data, unsigned int *len, # endif /* ndef OPENSSL_NO_NPN */ #endif +static int not_resumable_sess_cb(SSL *s, int is_forward_secure) + { + /* disable resumption for sessions with forward secure ciphers */ + return is_forward_secure; + } + int MAIN(int, char **); #ifndef OPENSSL_NO_JPAKE @@ -892,7 +901,7 @@ int MAIN(int argc, char *argv[]) #endif #ifndef OPENSSL_NO_TLSEXT tlsextctx tlsextcbp = {NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING}; -# ifndef OPENSSL_NO_NPN +# ifndef OPENSSL_NO_NEXTPROTONEG const char *next_proto_neg_in = NULL; tlsextnextprotoctx next_proto; # endif @@ -1120,6 +1129,8 @@ int MAIN(int argc, char *argv[]) { no_dhe=1; } else if (strcmp(*argv,"-no_ecdhe") == 0) { no_ecdhe=1; } + else if (strcmp(*argv,"-no_resume_ephemeral") == 0) + { no_resume_ephemeral = 1; } #ifndef OPENSSL_NO_PSK else if (strcmp(*argv,"-psk_hint") == 0) { @@ -1174,6 +1185,8 @@ int MAIN(int argc, char *argv[]) { meth=TLSv1_1_server_method(); } else if (strcmp(*argv,"-tls1") == 0) { meth=TLSv1_server_method(); } + else if (strcmp(*argv,"-tls1_1") == 0) + { meth=TLSv1_1_server_method(); } #endif #ifndef OPENSSL_NO_DTLS1 else if (strcmp(*argv,"-dtls1") == 0) @@ -1226,7 +1239,7 @@ int MAIN(int argc, char *argv[]) if (--argc < 1) goto bad; s_key_file2= *(++argv); } -# ifndef OPENSSL_NO_NPN +# ifndef OPENSSL_NO_NEXTPROTONEG else if (strcmp(*argv,"-nextprotoneg") == 0) { if (--argc < 1) goto bad; @@ -1337,7 +1350,7 @@ bad: goto end; } } -# ifndef OPENSSL_NO_NPN +# ifndef OPENSSL_NO_NEXTPROTONEG if (next_proto_neg_in) { unsigned short len; @@ -1537,7 +1550,7 @@ bad: SSL_CTX_set1_param(ctx2, vpm); } -# ifndef OPENSSL_NO_NPN +# ifndef OPENSSL_NO_NEXTPROTONEG if (next_proto.data) SSL_CTX_set_next_protos_advertised_cb(ctx, next_proto_cb, &next_proto); # endif @@ -1689,6 +1702,15 @@ bad: #endif #endif + if (no_resume_ephemeral) + { + SSL_CTX_set_not_resumable_session_callback(ctx, not_resumable_sess_cb); +#ifndef OPENSSL_NO_TLSEXT + if (ctx2) + SSL_CTX_set_not_resumable_session_callback(ctx2, not_resumable_sess_cb); +#endif + } + #ifndef OPENSSL_NO_PSK #ifdef OPENSSL_NO_JPAKE if (psk_key != NULL) @@ -2225,7 +2247,7 @@ static int init_ssl_connection(SSL *con) X509 *peer; long verify_error; MS_STATIC char buf[BUFSIZ]; -#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NPN) +#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) const unsigned char *next_proto_neg; unsigned next_proto_neg_len; #endif @@ -2268,7 +2290,7 @@ static int init_ssl_connection(SSL *con) BIO_printf(bio_s_out,"Shared ciphers:%s\n",buf); str=SSL_CIPHER_get_name(SSL_get_current_cipher(con)); BIO_printf(bio_s_out,"CIPHER is %s\n",(str != NULL)?str:"(NONE)"); -#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NPN) +#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) SSL_get0_next_proto_negotiated(con, &next_proto_neg, &next_proto_neg_len); if (next_proto_neg) {