From 837f87c217fd595c814c4e1ab47ec1842d29b60d Mon Sep 17 00:00:00 2001
From: Paul Yang
Date: Fri, 16 Jun 2017 18:12:02 +0800
Subject: [PATCH] Forbid to specify -nextprotoneg if -tls1_3 is enabled
This applies both to s_client and s_server app. Reaction to Issue #3665.
Signed-off-by: Paul Yang
Reviewed-by: Matt Caswell
Reviewed-by: Rich Salz
(Merged from https://github.com/openssl/openssl/pull/3697)
---
 apps/s_client.c | 6 ++++++
 apps/s_server.c | 6 ++++++
 doc/man1/s_client.pod | 1 +
 doc/man1/s_server.pod | 1 +
 4 files changed, 14 insertions(+)
diff --git a/apps/s_client.c b/apps/s_client.c
index 8af3853e4b..ad0eaec562 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -1424,6 +1424,12 @@ int s_client_main(int argc, char **argv)
 if (argc != 0)
 goto opthelp;
+#ifndef OPENSSL_NO_NEXTPROTONEG
+ if (min_version == TLS1_3_VERSION && next_proto_neg_in != NULL) {
+ BIO_printf(bio_err, "Cannot supply -nextprotoneg with TLSv1.3\n");
+ goto opthelp;
+ }
+#endif
 if (proxystr != NULL) {
 int res;
 char *tmp_host = host, *tmp_port = port;
diff --git a/apps/s_server.c b/apps/s_server.c
index 26947c31f3..930ef6e4a8 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -1536,6 +1536,12 @@ int s_server_main(int argc, char *argv[])
 argc = opt_num_rest();
 argv = opt_rest();
+#ifndef OPENSSL_NO_NEXTPROTONEG
+ if (min_version == TLS1_3_VERSION && next_proto_neg_in != NULL) {
+ BIO_printf(bio_err, "Cannot supply -nextprotoneg with TLSv1.3\n");
+ goto opthelp;
+ }
+#endif
 #ifndef OPENSSL_NO_DTLS
 if (www && socket_type == SOCK_DGRAM) {
 BIO_printf(bio_err, "Can't use -HTTP, -www or -WWW with DTLS\n");
diff --git a/doc/man1/s_client.pod b/doc/man1/s_client.pod
index 9f6084d53e..57fa920eb8 100644
--- a/doc/man1/s_client.pod
+++ b/doc/man1/s_client.pod
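Review bot: The new guard keys only on `min_version == TLS1_3_VERSION`, so it rejects `-nextprotoneg` whenever the minimum protocol is raised to TLSv1.3 (presumably by `-tls1_3`, and by `-min_protocol TLSv1.3` as well) but accepts it for a version range that still permits lower versions, where, as far as the hunk shows, nothing prevents TLSv1.3 from being selected with NPN requested. That is a defensible line, since NPN remains usable at the lower versions, but the hunk does not say why min_version is the right field to test; a comment above the `if`, such as `/* NPN is not defined for TLSv1.3; -tls1_3 sets min_version to TLS1_3_VERSION, so testing the minimum is sufficient */`, would record the reasoning. The apps/s_server.c hunk adds the identical block to s_server_main and would take the same comment. Both s_client_main and s_server_main begin before and continue after their hunks.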
@@ -564,6 +564,7 @@ for example "http/1.1" or "spdy/3".
 An empty list of protocols is treated specially and will cause the client to advertise support for the TLS extension but disconnect just after receiving ServerHello with a list of server supported protocols.
+The flag B<-nextprotoneg> cannot be specified if B<-tls1_3> is used.
 =item B<-ct|noct>
diff --git a/doc/man1/s_server.pod b/doc/man1/s_server.pod
index 6f22797695..5f6054ac83 100644
--- a/doc/man1/s_server.pod
+++ b/doc/man1/s_server.pod
@@ -609,6 +609,7 @@ The B list is a comma-separated list of supported protocol names.
 The list should contain the most desirable protocols first. Protocol names are printable ASCII strings, for example "http/1.1" or "spdy/3".
+The flag B<-nextprotoneg> cannot be specified if B<-tls1_3> is used.
 =item B<-engine val>
--
2.34.1