authorguenther <guenther@openbsd.org>2014-04-18 15:39:53 +0000
committerguenther <guenther@openbsd.org>2014-04-18 15:39:53 +0000
commit4a5070f579eeac314136c9f15b58ae4f9baec16d (patch)
treef692478dd30d23b2b78aee599abbf2b2f1d7920b /lib/libssl/src/apps
parentuse the portable construct around asprintf; pointed out by halex (diff)
Finish zapping SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION usage; only keep
the #define for compat, but document that it's a no-op now. Also, neuter the -legacy_renegotiation option to "openssl s_{client,server}" ok beck@
Diffstat (limited to 'lib/libssl/src/apps')
-rw-r--r--lib/libssl/src/apps/s_client.c13
-rw-r--r--lib/libssl/src/apps/s_server.c3
2 files changed, 9 insertions, 7 deletions
diff --git a/lib/libssl/src/apps/s_client.c b/lib/libssl/src/apps/s_client.c
index 4290548de51..cbdba2ae520 100644
--- a/lib/libssl/src/apps/s_client.c
+++ b/lib/libssl/src/apps/s_client.c
@@ -334,7 +334,7 @@ sc_usage(void)
BIO_printf(bio_err, " -starttls prot - use the STARTTLS command before starting TLS\n");
BIO_printf(bio_err, " for those protocols that support it, where\n");
BIO_printf(bio_err, " 'prot' defines which one to assume. Currently,\n");
- BIO_printf(bio_err, " only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
+ BIO_printf(bio_err, " only \"smtp\", \"lmtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
BIO_printf(bio_err, " are supported.\n");
#ifndef OPENSSL_NO_ENGINE
BIO_printf(bio_err, " -engine id - Initialise and use the specified engine\n");
@@ -351,7 +351,6 @@ sc_usage(void)
BIO_printf(bio_err, " -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n");
#endif
#endif
- BIO_printf(bio_err, " -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
#ifndef OPENSSL_NO_SRTP
BIO_printf(bio_err, " -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
#endif
@@ -535,6 +534,7 @@ next_proto_cb(SSL * s, unsigned char **out, unsigned char *outlen, const unsigne
enum {
PROTO_OFF = 0,
PROTO_SMTP,
+ PROTO_LMTP,
PROTO_POP3,
PROTO_IMAP,
PROTO_FTP,
@@ -832,7 +832,7 @@ s_client_main(int argc, char **argv)
else if (strcmp(*argv, "-serverpref") == 0)
off |= SSL_OP_CIPHER_SERVER_PREFERENCE;
else if (strcmp(*argv, "-legacy_renegotiation") == 0)
- off |= SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
+ ; /* no-op */
else if (strcmp(*argv, "-legacy_server_connect") == 0) {
off |= SSL_OP_LEGACY_SERVER_CONNECT;
} else if (strcmp(*argv, "-no_legacy_server_connect") == 0) {
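Review bot: The `-legacy_renegotiation` option is now accepted silently via `; /* no-op */`, and since the earlier hunk removed its line from sc_usage(), a caller who still passes it gets no signal that the flag does nothing; the s_server_main hunk in s_server.c has the same issue. Consider replacing the empty statement with a one-line notice, e.g. `BIO_printf(bio_err, "-legacy_renegotiation is ignored\n");`, so scripts that depended on the old flag fail visibly instead of quietly proceeding without whatever effect it used to have. A bare `;` as the body of an `else if` is also easy to misread as a stray semicolon; the comment helps, but braces around it would make the intent unambiguous. s_client_main continues outside the hunk.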
@@ -853,6 +853,8 @@ s_client_main(int argc, char **argv)
++argv;
if (strcmp(*argv, "smtp") == 0)
starttls_proto = PROTO_SMTP;
+ else if (strcmp(*argv, "lmtp") == 0)
+ starttls_proto = PROTO_LMTP;
else if (strcmp(*argv, "pop3") == 0)
starttls_proto = PROTO_POP3;
else if (strcmp(*argv, "imap") == 0)
@@ -1287,7 +1289,7 @@ re_start:
* push a buffering BIO into the chain that is removed again later on
* to not disturb the rest of the s_client operation.
*/
- if (starttls_proto == PROTO_SMTP) {
+ if (starttls_proto == PROTO_SMTP || starttls_proto == PROTO_LMTP) {
int foundit = 0;
BIO *fbio = BIO_new(BIO_f_buffer());
BIO_push(fbio, sbio);
@@ -1297,7 +1299,8 @@ re_start:
}
while (mbuf_len > 3 && mbuf[3] == '-');
/* STARTTLS command requires EHLO... */
- BIO_printf(fbio, "EHLO openssl.client.net\r\n");
+ BIO_printf(fbio, "%cHLO openssl.client.net\r\n",
+ starttls_proto == PROTO_SMTP ? 'E' : 'L');
(void) BIO_flush(fbio);
/* wait for multi-line response to end EHLO SMTP response */
do {
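Review bot: The comments around the new BIO_printf are now stale: the line above still reads `/* STARTTLS command requires EHLO... */` and the one below `/* wait for multi-line response to end EHLO SMTP response */`, but the greeting sent is LHLO when starttls_proto is PROTO_LMTP. Update them to something like `/* STARTTLS requires EHLO (SMTP) or LHLO (LMTP)... */` and `/* wait for multi-line response to end the EHLO/LHLO response */`. As a point of style, the `%cHLO` format with the ternary on the following line obscures which command is sent; `BIO_printf(fbio, "%s openssl.client.net\r\n", starttls_proto == PROTO_SMTP ? "EHLO" : "LHLO");` reads more directly. The enclosing if-block begins in the previous hunk and continues past this one.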
diff --git a/lib/libssl/src/apps/s_server.c b/lib/libssl/src/apps/s_server.c
index 27925b492d9..a84b822538a 100644
--- a/lib/libssl/src/apps/s_server.c
+++ b/lib/libssl/src/apps/s_server.c
@@ -525,7 +525,6 @@ sv_usage(void)
BIO_printf(bio_err, " not specified (default is %s)\n", TEST_CERT2);
BIO_printf(bio_err, " -tlsextdebug - hex dump of all TLS extensions received\n");
BIO_printf(bio_err, " -no_ticket - disable use of RFC4507bis session tickets\n");
- BIO_printf(bio_err, " -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
#ifndef OPENSSL_NO_NEXTPROTONEG
BIO_printf(bio_err, " -nextprotoneg arg - set the advertised protocols for the NPN extension (comma-separated list)\n");
#endif
@@ -904,7 +903,7 @@ s_server_main(int argc, char *argv[])
else if (strcmp(*argv, "-serverpref") == 0) {
off |= SSL_OP_CIPHER_SERVER_PREFERENCE;
} else if (strcmp(*argv, "-legacy_renegotiation") == 0)
- off |= SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
+ ; /* no-op */
else if (strcmp(*argv, "-cipher") == 0) {
if (--argc < 1)
goto bad;