authorjsing <jsing@openbsd.org>2020-02-16 16:39:01 +0000
committerjsing <jsing@openbsd.org>2020-02-16 16:39:01 +0000
commit428703dc06bb17076ea61aa441799c32ec00d1a1 (patch)
tree81671d359a116576f4df25dbcb831d357a5b00eb
parentAvoid potential NULL dereference when parsing a server keyshare extension. (diff)
Add -tls1_3 and -notls1_3 options to openssl(1) s_client.
Also stop using version pinned methods, instead setting the min and max protocol versions. Requested by inoguchi@ ok inoguchi@ tb@
-rw-r--r--usr.bin/openssl/openssl.114
-rw-r--r--usr.bin/openssl/s_client.c46
2 files changed, 37 insertions, 23 deletions
diff --git a/usr.bin/openssl/openssl.1 b/usr.bin/openssl/openssl.1
index 598de60a30f..ffdddb7e733 100644
--- a/usr.bin/openssl/openssl.1
+++ b/usr.bin/openssl/openssl.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: openssl.1,v 1.118 2019/12/18 12:38:15 sthen Exp $
+.\" $OpenBSD: openssl.1,v 1.119 2020/02/16 16:39:01 jsing Exp $
.\" ====================================================================
.\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
.\"
@@ -110,7 +110,7 @@
.\" copied and put under another distribution licence
.\" [including the GNU Public Licence.]
.\"
-.Dd $Mdocdate: December 18 2019 $
+.Dd $Mdocdate: February 16 2020 $
.Dt OPENSSL 1
.Os
.Sh NAME
@@ -4213,6 +4213,7 @@ Verify the input data and output the recovered data.
.Op Fl no_tls1
.Op Fl no_tls1_1
.Op Fl no_tls1_2
+.Op Fl no_tls1_3
.Op Fl pass Ar arg
.Op Fl pause
.Op Fl policy_check
@@ -4233,6 +4234,7 @@ Verify the input data and output the recovered data.
.Op Fl tls1
.Op Fl tls1_1
.Op Fl tls1_2
+.Op Fl tls1_3
.Op Fl tlsextdebug
.Op Fl use_srtp Ar profiles
.Op Fl verify Ar depth
@@ -4370,8 +4372,8 @@ Can be used to override the implicit
.Fl ign_eof
after
.Fl quiet .
-.It Fl no_tls1 | no_tls1_1 | no_tls1_2
-Disable the use of TLS1.0, 1.1, and 1.2, respectively.
+.It Fl no_tls1 | no_tls1_1 | no_tls1_2 | no_tls1_3
+Disable the use of TLS1.0, 1.1, 1.2 and 1.3 respectively.
.It Fl no_ticket
Disable RFC 4507 session ticket support.
.It Fl pass Ar arg
@@ -4444,8 +4446,8 @@ Send a certificate status request to the server (OCSP stapling).
The server response (if any) is printed out.
.It Fl timeout
Enable send/receive timeout on DTLS connections.
-.It Fl tls1 | tls1_1 | tls1_2
-Permit only TLS1.0, 1.1, or 1.2, respectively.
+.It Fl tls1 | tls1_1 | tls1_2 | tls1_3
+Permit only TLS1.0, 1.1, 1.2 or 1.3 respectively.
.It Fl tlsextdebug
Print a hex dump of any TLS extensions received from the server.
.It Fl use_srtp Ar profiles
diff --git a/usr.bin/openssl/s_client.c b/usr.bin/openssl/s_client.c
index 1537ebcb269..443f00505ec 100644
--- a/usr.bin/openssl/s_client.c
+++ b/usr.bin/openssl/s_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_client.c,v 1.41 2020/01/23 03:35:54 beck Exp $ */
+/* $OpenBSD: s_client.c,v 1.42 2020/02/16 16:39:01 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -222,12 +222,13 @@ sc_usage(void)
BIO_printf(bio_err, " -quiet - no s_client output\n");
BIO_printf(bio_err, " -ign_eof - ignore input eof (default when -quiet)\n");
BIO_printf(bio_err, " -no_ign_eof - don't ignore input eof\n");
+ BIO_printf(bio_err, " -tls1_3 - just use TLSv1.3\n");
BIO_printf(bio_err, " -tls1_2 - just use TLSv1.2\n");
BIO_printf(bio_err, " -tls1_1 - just use TLSv1.1\n");
BIO_printf(bio_err, " -tls1 - just use TLSv1\n");
BIO_printf(bio_err, " -dtls1 - just use DTLSv1\n");
BIO_printf(bio_err, " -mtu - set the link layer MTU\n");
- BIO_printf(bio_err, " -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
+ BIO_printf(bio_err, " -no_tls1_3/-no_tls1_2/-no_tls1_1/-no_tls1 - turn off that protocol\n");
BIO_printf(bio_err, " -bugs - Switch on all SSL implementation bug workarounds\n");
BIO_printf(bio_err, " -cipher - preferred cipher to use, use the 'openssl ciphers'\n");
BIO_printf(bio_err, " command to see what is available\n");
@@ -334,6 +335,7 @@ s_client_main(int argc, char **argv)
int peerlen = sizeof(peer);
int enable_timeouts = 0;
long socket_mtu = 0;
+ uint16_t min_version = 0, max_version = 0;
if (single_execution) {
if (pledge("stdio cpath wpath rpath inet dns tty", NULL) == -1) {
@@ -342,7 +344,7 @@ s_client_main(int argc, char **argv)
}
}
- meth = SSLv23_client_method();
+ meth = TLS_client_method();
c_Pause = 0;
c_quiet = 0;
@@ -445,15 +447,21 @@ s_client_main(int argc, char **argv)
nbio_test = 1;
else if (strcmp(*argv, "-state") == 0)
state = 1;
- else if (strcmp(*argv, "-tls1_2") == 0)
- meth = TLSv1_2_client_method();
- else if (strcmp(*argv, "-tls1_1") == 0)
- meth = TLSv1_1_client_method();
- else if (strcmp(*argv, "-tls1") == 0)
- meth = TLSv1_client_method();
+ else if (strcmp(*argv, "-tls1_3") == 0) {
+ min_version = TLS1_3_VERSION;
+ max_version = TLS1_3_VERSION;
+ } else if (strcmp(*argv, "-tls1_2") == 0) {
+ min_version = TLS1_2_VERSION;
+ max_version = TLS1_2_VERSION;
+ } else if (strcmp(*argv, "-tls1_1") == 0) {
+ min_version = TLS1_1_VERSION;
+ max_version = TLS1_1_VERSION;
+ } else if (strcmp(*argv, "-tls1") == 0) {
+ min_version = TLS1_VERSION;
+ max_version = TLS1_VERSION;
#ifndef OPENSSL_NO_DTLS1
- else if (strcmp(*argv, "-dtls1") == 0) {
- meth = DTLSv1_client_method();
+ } else if (strcmp(*argv, "-dtls1") == 0) {
+ meth = DTLS_client_method();
socket_type = SOCK_DGRAM;
} else if (strcmp(*argv, "-timeout") == 0)
enable_timeouts = 1;
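Review bot: The `-dtls1` branch now selects `DTLS_client_method()` but leaves `min_version`/`max_version` alone, so any `-tls1`, `-tls1_1`, `-tls1_2` or `-tls1_3` on the same command line, before or after it, leaves a TLS version bound that is later applied to the DTLS context. Whether the library rejects that bound or silently accepts it is not visible from this hunk, so the combination should be refused during option parsing or the precedence written down, for example `/* -dtls1 and -tls1_x are mutually exclusive; TLS version bounds do not apply to DTLS */`. Separately, the usage text still says `-dtls1 - just use DTLSv1`, while the old `DTLSv1_client_method()` pin is gone; if the generic method can negotiate more than DTLSv1, the help line or the code should be adjusted so the advertised restriction still holds. The option chain continues on both sides of this hunk.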
@@ -489,7 +497,9 @@ s_client_main(int argc, char **argv)
if (--argc < 1)
goto bad;
CAfile = *(++argv);
- } else if (strcmp(*argv, "-no_tls1_2") == 0)
+ } else if (strcmp(*argv, "-no_tls1_3") == 0)
+ off |= SSL_OP_NO_TLSv1_3;
+ else if (strcmp(*argv, "-no_tls1_2") == 0)
off |= SSL_OP_NO_TLSv1_2;
else if (strcmp(*argv, "-no_tls1_1") == 0)
off |= SSL_OP_NO_TLSv1_1;
@@ -550,17 +560,14 @@ s_client_main(int argc, char **argv)
starttls_proto = PROTO_XMPP;
else
goto bad;
- }
- else if (strcmp(*argv, "-4") == 0) {
+ } else if (strcmp(*argv, "-4") == 0) {
af = AF_INET;
} else if (strcmp(*argv, "-6") == 0) {
af = AF_INET6;
- }
- else if (strcmp(*argv, "-servername") == 0) {
+ } else if (strcmp(*argv, "-servername") == 0) {
if (--argc < 1)
goto bad;
servername = *(++argv);
- /* meth=TLSv1_client_method(); */
}
#ifndef OPENSSL_NO_SRTP
else if (strcmp(*argv, "-use_srtp") == 0) {
@@ -649,6 +656,11 @@ s_client_main(int argc, char **argv)
if (vpm)
SSL_CTX_set1_param(ctx, vpm);
+ if (!SSL_CTX_set_min_proto_version(ctx, min_version))
+ goto end;
+ if (!SSL_CTX_set_max_proto_version(ctx, max_version))
+ goto end;
+
#ifndef OPENSSL_NO_SRTP
if (srtp_profiles != NULL)
SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles);
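Review bot: Both new failure paths jump to `end` without reporting anything, so a version bound the library refuses gives the user a failed exit and no diagnostic. Adding `ERR_print_errors(bio_err);` before each `goto end;` would make the rejected option visible. The calls also run when no `-tls1_x` option was given and both variables are still 0, which relies on 0 meaning "keep the library default"; that deserves a comment here, such as `/* 0 leaves the library's default minimum/maximum in place */`. The `-no_tls1_x` bits in `off` are applied separately, so the protocol set actually offered is the intersection of the two mechanisms, and a contradictory pair such as `-tls1_3 -no_tls1_3` is presumably only caught at handshake time. s_client_main starts and ends outside this hunk.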