Forbid to specify -nextprotoneg if -tls1_3 is enabled

This applies both to s_client and s_server app.

Reaction to Issue #3665.

Signed-off-by: Paul Yang <paulyang.inf@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3697)

diff --git a/apps/s_client.c b/apps/s_client.c
index 8af3853e4bd2cf9abe183be0778a12bcd167245f..ad0eaec5622a0f27877040104d082cf3ac4325dd 100644 (file)
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -1424,6 +1424,12 @@ int s_client_main(int argc, char **argv)
     if (argc != 0)
         goto opthelp;
 
     if (argc != 0)
         goto opthelp;
 

+#ifndef OPENSSL_NO_NEXTPROTONEG
+    if (min_version == TLS1_3_VERSION && next_proto_neg_in != NULL) {
+        BIO_printf(bio_err, "Cannot supply -nextprotoneg with TLSv1.3\n");
+        goto opthelp;
+    }
+#endif

     if (proxystr != NULL) {
         int res;
         char *tmp_host = host, *tmp_port = port;
     if (proxystr != NULL) {
         int res;
         char *tmp_host = host, *tmp_port = port;

diff --git a/apps/s_server.c b/apps/s_server.c
index 26947c31f394e7b6c8549c1d22af09f6f17c9751..930ef6e4a863bf727bbdc701270b1fb0eb2c123d 100644 (file)
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -1536,6 +1536,12 @@ int s_server_main(int argc, char *argv[])
     argc = opt_num_rest();
     argv = opt_rest();
 
     argc = opt_num_rest();
     argv = opt_rest();
 

+#ifndef OPENSSL_NO_NEXTPROTONEG
+    if (min_version == TLS1_3_VERSION && next_proto_neg_in != NULL) {
+        BIO_printf(bio_err, "Cannot supply -nextprotoneg with TLSv1.3\n");
+        goto opthelp;
+    }
+#endif

 #ifndef OPENSSL_NO_DTLS
     if (www && socket_type == SOCK_DGRAM) {
         BIO_printf(bio_err, "Can't use -HTTP, -www or -WWW with DTLS\n");
 #ifndef OPENSSL_NO_DTLS
     if (www && socket_type == SOCK_DGRAM) {
         BIO_printf(bio_err, "Can't use -HTTP, -www or -WWW with DTLS\n");

diff --git a/doc/man1/s_client.pod b/doc/man1/s_client.pod
index 9f6084d53ec34aaf1cd159d51e103bef5d0a045f..57fa920eb80e47bee11b20a21267785b057745f8 100644 (file)
--- a/doc/man1/s_client.pod
+++ b/doc/man1/s_client.pod
@@ -564,6 +564,7 @@ for example "http/1.1" or "spdy/3".
 An empty list of protocols is treated specially and will cause the
 client to advertise support for the TLS extension but disconnect just
 after receiving ServerHello with a list of server supported protocols.
 An empty list of protocols is treated specially and will cause the
 client to advertise support for the TLS extension but disconnect just
 after receiving ServerHello with a list of server supported protocols.

+The flag B<-nextprotoneg> cannot be specified if B<-tls1_3> is used.

 
 =item B<-ct|noct>
 
 
 =item B<-ct|noct>
 

diff --git a/doc/man1/s_server.pod b/doc/man1/s_server.pod
index 6f22797695aa606bf53c9b57939104d899882b4a..5f6054ac83d8d7779d3248387ca231537024051a 100644 (file)
--- a/doc/man1/s_server.pod
+++ b/doc/man1/s_server.pod
@@ -609,6 +609,7 @@ The B<val> list is a comma-separated list of supported protocol
 names.  The list should contain the most desirable protocols first.
 Protocol names are printable ASCII strings, for example "http/1.1" or
 "spdy/3".
 names.  The list should contain the most desirable protocols first.
 Protocol names are printable ASCII strings, for example "http/1.1" or
 "spdy/3".

+The flag B<-nextprotoneg> cannot be specified if B<-tls1_3> is used.

 
 =item B<-engine val>
 
 
 =item B<-engine val>