diff options
| author | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-01-18 13:10:21 -0500 |
|---|---|---|
| committer | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-01-19 09:57:15 -0500 |
| commit | 6b01bed206156dbcb1ab150f618c8b24c01fb0d0 (patch) | |
| tree | 667ea072f731ab8904a121f5b57adb01e40df4af /apps/s_server.c | |
| parent | 6ada465fb258ae2c29668c59f3ec9b69dc38f8b3 (diff) | |
| download | openssl-6b01bed206156dbcb1ab150f618c8b24c01fb0d0.zip openssl-6b01bed206156dbcb1ab150f618c8b24c01fb0d0.tar.gz openssl-6b01bed206156dbcb1ab150f618c8b24c01fb0d0.tar.bz2 | |
Support disabling any or all TLS or DTLS versions
Some users want to disable SSL 3.0/TLS 1.0/TLS 1.1, and enable just
TLS 1.2. In the future they might want to disable TLS 1.2 and
enable just TLS 1.3, ...
This commit makes it possible to disable any or all of the TLS or
DTLS protocols. It also considerably simplifies the SSL/TLS tests,
by auto-generating the min/max version tests based on the set of
supported protocols (425 explicitly written out tests got replaced
by two loops that generate all 425 tests if all protocols are
enabled, fewer otherwise).
Reviewed-by: Richard Levitte <levitte@openssl.org>
Diffstat (limited to 'apps/s_server.c')
| -rw-r--r-- | apps/s_server.c | 71 |
1 files changed, 43 insertions, 28 deletions
diff --git a/apps/s_server.c b/apps/s_server.c index 81ee385..93f6083 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -863,9 +863,6 @@ OPTIONS s_server_options[] = { "Do not load certificates from the default certificates directory"}, {"nocert", OPT_NOCERT, '-', "Don't use any certificates (Anon-DH)"}, {"quiet", OPT_QUIET, '-', "No server output"}, - {"tls1_2", OPT_TLS1_2, '-', "just talk TLSv1.2"}, - {"tls1_1", OPT_TLS1_1, '-', "Just talk TLSv1.1"}, - {"tls1", OPT_TLS1, '-', "Just talk TLSv1"}, {"no_resume_ephemeral", OPT_NO_RESUME_EPHEMERAL, '-', "Disable caching and tickets if ephemeral (EC)DH is used"}, {"www", OPT_WWW, '-', "Respond to a 'GET /' with a status page"}, @@ -937,16 +934,29 @@ OPTIONS s_server_options[] = { #ifndef OPENSSL_NO_SSL3 {"ssl3", OPT_SSL3, '-', "Just talk SSLv3"}, #endif +#ifndef OPENSSL_NO_TLS1 + {"tls1", OPT_TLS1, '-', "Just talk TLSv1"}, +#endif +#ifndef OPENSSL_NO_TLS1_1 + {"tls1_1", OPT_TLS1_1, '-', "Just talk TLSv1.1"}, +#endif +#ifndef OPENSSL_NO_TLS1_2 + {"tls1_2", OPT_TLS1_2, '-', "just talk TLSv1.2"}, +#endif #ifndef OPENSSL_NO_DTLS {"dtls", OPT_DTLS, '-'}, - {"dtls1", OPT_DTLS1, '-', "Just talk DTLSv1"}, - {"dtls1_2", OPT_DTLS1_2, '-', "Just talk DTLSv1.2"}, {"timeout", OPT_TIMEOUT, '-', "Enable timeouts"}, {"mtu", OPT_MTU, 'p', "Set link layer MTU"}, {"chain", OPT_CHAIN, '-', "Read a certificate chain"}, {"listen", OPT_LISTEN, '-', "Listen for a DTLS ClientHello with a cookie and then connect"}, #endif +#ifndef OPENSSL_NO_DTLS1 + {"dtls1", OPT_DTLS1, '-', "Just talk DTLSv1"}, +#endif +#ifndef OPENSSL_NO_DTLS1_2 + {"dtls1_2", OPT_DTLS1_2, '-', "Just talk DTLSv1.2"}, +#endif #ifndef OPENSSL_NO_DH {"no_dhe", OPT_NO_DHE, '-', "Disable ephemeral DH"}, #endif @@ -1039,19 +1049,6 @@ int s_server_main(int argc, char *argv[]) prog = opt_init(argc, argv, s_server_options); while ((o = opt_next()) != OPT_EOF) { switch (o) { -#ifdef OPENSSL_NO_PSK - case OPT_PSK_HINT: - case OPT_PSK: -#endif -#ifdef OPENSSL_NO_DTLS - case OPT_DTLS: - case OPT_DTLS1: - case OPT_DTLS1_2: - case OPT_TIMEOUT: - case OPT_MTU: - case OPT_CHAIN: - case OPT_LISTEN: -#endif case OPT_EOF: case OPT_ERR: opthelp: @@ -1299,33 +1296,33 @@ int s_server_main(int argc, char *argv[]) case OPT_NO_RESUME_EPHEMERAL: no_resume_ephemeral = 1; break; -#ifndef OPENSSL_NO_PSK case OPT_PSK_HINT: +#ifndef OPENSSL_NO_PSK psk_identity_hint = opt_arg(); +#endif break; case OPT_PSK: +#ifndef OPENSSL_NO_PSK for (p = psk_key = opt_arg(); *p; p++) { if (isxdigit(*p)) continue; BIO_printf(bio_err, "Not a hex number '%s'\n", *argv); goto end; } - break; #endif -#ifndef OPENSSL_NO_SRP + break; case OPT_SRPVFILE: +#ifndef OPENSSL_NO_SRP srp_verifier_file = opt_arg(); meth = TLSv1_server_method(); +#endif break; case OPT_SRPUSERSEED: +#ifndef OPENSSL_NO_SRP srpuserseed = opt_arg(); meth = TLSv1_server_method(); - break; -#else - case OPT_SRPVFILE: - case OPT_SRPUSERSEED: - break; #endif + break; case OPT_REV: rev = 1; break; @@ -1347,40 +1344,58 @@ int s_server_main(int argc, char *argv[]) #endif break; case OPT_TLS1_2: +#ifndef OPENSSL_NO_TLS1_2 meth = TLSv1_2_server_method(); +#endif break; case OPT_TLS1_1: +#ifndef OPENSSL_NO_TLS1_1 meth = TLSv1_1_server_method(); +#endif break; case OPT_TLS1: +#ifndef OPENSSL_NO_TLS1 meth = TLSv1_server_method(); +#endif break; -#ifndef OPENSSL_NO_DTLS case OPT_DTLS: +#ifndef OPENSSL_NO_DTLS meth = DTLS_server_method(); socket_type = SOCK_DGRAM; +#endif break; case OPT_DTLS1: +#ifndef OPENSSL_NO_DTLS1 meth = DTLSv1_server_method(); socket_type = SOCK_DGRAM; +#endif break; case OPT_DTLS1_2: +#ifndef OPENSSL_NO_DTLS1_2 meth = DTLSv1_2_server_method(); socket_type = SOCK_DGRAM; +#endif break; case OPT_TIMEOUT: +#ifndef OPENSSL_NO_DTLS enable_timeouts = 1; +#endif break; case OPT_MTU: +#ifndef OPENSSL_NO_DTLS socket_mtu = atol(opt_arg()); +#endif break; case OPT_CHAIN: +#ifndef OPENSSL_NO_DTLS cert_chain = 1; +#endif break; case OPT_LISTEN: +#ifndef OPENSSL_NO_DTLS dtlslisten = 1; - break; #endif + break; case OPT_ID_PREFIX: session_id_prefix = opt_arg(); break; |