
Refactor the tls/dlts version options

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/10134)
master
Rich Salz 3 years ago
committed by Dmitry Belyavskiy
parent
commit
d4bff20d55
7 changed files with 119 additions and 90 deletions
  1. +29
    -0
      .gitignore
  2. +9
    -36
      doc/man1/openssl-s_client.pod.in
  3. +9
    -40
      doc/man1/openssl-s_server.pod.in
  4. +3
    -14
      doc/man1/openssl-s_time.pod.in
  5. +29
    -0
      doc/man1/openssl.pod
  6. +32
    -0
      doc/perlvars.pm
  7. +8
    -0
      util/dofile.pl

+ 29
- 0
.gitignore View File

@ -67,6 +67,35 @@ doc/man1/openssl-verify.pod
doc/man1/openssl-x509.pod
doc/man1/openssl.pod
# Auto generated doc files
doc/man1/openssl-ca.pod
doc/man1/openssl-cms.pod
doc/man1/openssl-crl.pod
doc/man1/openssl-dgst.pod
doc/man1/openssl-dhparam.pod
doc/man1/openssl-dsaparam.pod
doc/man1/openssl-ecparam.pod
doc/man1/openssl-enc.pod
doc/man1/openssl-gendsa.pod
doc/man1/openssl-genrsa.pod
doc/man1/openssl-ocsp.pod
doc/man1/openssl-passwd.pod
doc/man1/openssl-pkcs12.pod
doc/man1/openssl-pkcs8.pod
doc/man1/openssl-pkeyutl.pod
doc/man1/openssl-rand.pod
doc/man1/openssl-req.pod
doc/man1/openssl-rsautl.pod
doc/man1/openssl-s_client.pod
doc/man1/openssl-s_server.pod
doc/man1/openssl-s_time.pod
doc/man1/openssl-smime.pod
doc/man1/openssl-speed.pod
doc/man1/openssl-srp.pod
doc/man1/openssl-ts.pod
doc/man1/openssl-verify.pod
doc/man1/openssl-x509.pod
# error code files
/crypto/err/openssl.txt.old
/engines/e_afalg.txt.old


+ 9
- 36
doc/man1/openssl-s_client.pod.in View File

@ -79,19 +79,6 @@ B<openssl> B<s_client>
[B<-psk> I<key>]
[B<-psk_session> I<file>]
[B<-quiet>]
[B<-ssl3>]
[B<-tls1>]
[B<-tls1_1>]
[B<-tls1_2>]
[B<-tls1_3>]
[B<-no_ssl3>]
[B<-no_tls1>]
[B<-no_tls1_1>]
[B<-no_tls1_2>]
[B<-no_tls1_3>]
[B<-dtls>]
[B<-dtls1>]
[B<-dtls1_2>]
[B<-sctp>]
[B<-sctp_label_bug>]
[B<-fallback_scsv>]
@ -127,6 +114,7 @@ B<openssl> B<s_client>
[B<-early_data> I<file>]
[B<-enable_pha>]
{- $OpenSSL::safe::opt_name_synopsis -}
{- $OpenSSL::safe::opt_version_synopsis -}
{- $OpenSSL::safe::opt_x_synopsis -}
{- $OpenSSL::safe::opt_trust_synopsis -}
{- $OpenSSL::safe::opt_r_synopsis -}
@ -458,23 +446,6 @@ This option must be provided in order to use a PSK cipher.
Use the pem encoded SSL_SESSION data stored in I<file> as the basis of a PSK.
Note that this will only work if TLSv1.3 is negotiated.
=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-tls1_3>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3>
These options require or disable the use of the specified SSL or TLS protocols.
By default, this command will negotiate the highest mutually supported protocol
version.
When a specific TLS version is required, only that version will be offered to
and accepted from the server.
Note that not all protocols and flags may be available, depending on how
OpenSSL was built.
=item B<-dtls>, B<-dtls1>, B<-dtls1_2>
These options make this command use DTLS protocols instead of TLS.
With B<-dtls>, it will negotiate any supported DTLS protocol version,
whilst B<-dtls1> and B<-dtls1_2> will only support DTLS1.0 and DTLS1.2
respectively.
=item B<-sctp>
Use SCTP for the transport protocol instead of UDP in DTLS. Must be used in
@ -685,12 +656,7 @@ data and when the server accepts the early data.
For TLSv1.3 only, send the Post-Handshake Authentication extension. This will
happen whether or not a certificate has been provided via B<-cert>.
=item I<host>:I<port>
Rather than providing B<-connect>, the target hostname and optional port may
be provided as a single positional argument after all options. If neither this
nor B<-connect> are provided, falls back to attempting to connect to
I<localhost> on port I<4433>.
{- $OpenSSL::safe::opt_version_item -}
{- $OpenSSL::safe::opt_name_item -}
@ -702,6 +668,13 @@ I<localhost> on port I<4433>.
{- $OpenSSL::safe::opt_engine_item -}
=item I<host>:I<port>
Rather than providing B<-connect>, the target hostname and optional port may
be provided as a single positional argument after all options. If neither this
nor B<-connect> are provided, falls back to attempting to connect to
I<localhost> on port I<4433>.
=back
=head1 CONNECTED COMMANDS


+ 9
- 40
doc/man1/openssl-s_server.pod.in View File

@ -83,11 +83,6 @@ B<openssl> B<s_server>
[B<-split_send_frag> I<+int>]
[B<-max_pipelines> I<+int>]
[B<-read_buf> I<+int>]
[B<-no_ssl3>]
[B<-no_tls1>]
[B<-no_tls1_1>]
[B<-no_tls1_2>]
[B<-no_tls1_3>]
[B<-bugs>]
[B<-no_comp>]
[B<-comp>]
@ -149,17 +144,9 @@ B<openssl> B<s_server>
[B<-psk_session> I<file>]
[B<-srpvfile> I<infile>]
[B<-srpuserseed> I<val>]
[B<-ssl3>]
[B<-tls1>]
[B<-tls1_1>]
[B<-tls1_2>]
[B<-tls1_3>]
[B<-dtls>]
[B<-timeout>]
[B<-mtu> I<+int>]
[B<-listen>]
[B<-dtls1>]
[B<-dtls1_2>]
[B<-sctp>]
[B<-sctp_label_bug>]
[B<-no_dhe>]
@ -173,6 +160,7 @@ B<openssl> B<s_server>
[B<-no_anti_replay>]
[B<-http_server_binmode>]
{- $OpenSSL::safe::opt_name_synopsis -}
{- $OpenSSL::safe::opt_version_synopsis -}
{- $OpenSSL::safe::opt_x_synopsis -}
{- $OpenSSL::safe::opt_trust_synopsis -}
{- $OpenSSL::safe::opt_r_synopsis -}
@ -391,22 +379,18 @@ web browser. Cannot be used in conjunction with B<-early_data>.
Emulates a simple web server. Pages will be resolved relative to the
current directory, for example if the URL https://myhost/page.html is
requested the file F<./page.html> will be loaded. Cannot be used in conjunction
requested the file F<./page.html> will be loaded.
The files loaded are
assumed to contain a complete and correct HTTP response (lines that
are part of the HTTP response line and headers must end with CRLF). Cannot be
used in conjunction with B<-early_data>.
Cannot be used in conjunction
with B<-early_data>.
=item B<-tlsextdebug>
Print a hex dump of any TLS extensions received from the server.
=item B<-HTTP>
Emulates a simple web server. Pages will be resolved relative to the
current directory, for example if the URL https://myhost/page.html is
requested the file F<./page.html> will be loaded. The files loaded are
assumed to contain a complete and correct HTTP response (lines that
are part of the HTTP response line and headers must end with CRLF). Cannot be
used in conjunction with B<-early_data>.
=item B<-id_prefix> I<val>
Generate SSL/TLS session IDs prefixed by I<val>. This is mostly useful
@ -495,16 +479,6 @@ effect if the buffer size is larger than the size that would otherwise be used
and pipelining is in use (see L<SSL_CTX_set_default_read_buffer_len(3)> for
further information).
=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-tls1_3>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3>
These options require or disable the use of the specified SSL or TLS protocols.
By default, this command will negotiate the highest mutually supported
protocol version.
When a specific TLS version is required, only that version will be accepted
from the client.
Note that not all protocols and flags may be available, depending on how
OpenSSL was built.
=item B<-bugs>
There are several known bugs in SSL and TLS implementations. Adding this
@ -639,13 +613,6 @@ Any without a cookie will be responded to with a HelloVerifyRequest.
If a ClientHello with a cookie is received then this command will
connect to that peer and complete the handshake.
=item B<-dtls>, B<-dtls1>, B<-dtls1_2>
These options make this command use DTLS protocols instead of TLS.
With B<-dtls>, it will negotiate any supported DTLS protocol
version, whilst B<-dtls1> and B<-dtls1_2> will only support DTLSv1.0 and
DTLSv1.2 respectively.
=item B<-sctp>
Use SCTP for the transport protocol instead of UDP in DTLS. Must be used in
@ -709,6 +676,8 @@ by the client in binary mode.
{- $OpenSSL::safe::opt_name_item -}
{- $OpenSSL::safe::opt_version_item -}
{- $OpenSSL::safe::opt_x_item -}
{- $OpenSSL::safe::opt_trust_item -}


+ 3
- 14
doc/man1/openssl-s_time.pod.in View File

@ -17,11 +17,7 @@ B<openssl> B<s_time>
[B<-new>]
[B<-verify> I<depth>]
[B<-time> I<seconds>]
[B<-ssl3>]
[B<-tls1>]
[B<-tls1_1>]
[B<-tls1_2>]
[B<-tls1_3>]
{- $OpenSSL::safe::opt_versiontls_synopsis -}
[B<-bugs>]
[B<-cipher> I<cipherlist>]
[B<-ciphersuites> I<val>]
@ -94,15 +90,6 @@ Performs the timing test using the same session ID; this can be used as a test
that session caching is working. If neither B<-new> nor B<-reuse> are
specified, they are both on by default and executed in sequence.
=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-tls1_3>
These options enable specific SSL or TLS protocol versions for the handshake
initiated by this command.
By default, it negotiates the highest mutually supported protocol
version.
Note that not all protocols and flags may be available, depending on how
OpenSSL was built.
=item B<-bugs>
There are several known bugs in SSL and TLS implementations. Adding this
@ -136,6 +123,8 @@ can establish.
{- $OpenSSL::safe::opt_trust_item -}
{- $OpenSSL::safe::opt_versiontls_item -}
=back
=head1 NOTES


+ 29
- 0
doc/man1/openssl.pod View File

@ -931,6 +931,35 @@ B<sep_multiline>.
Places spaces round the equal sign, C<=>, character which follows the field
name.
=head2 TLS Version Options
Several commands use SSL, TLS, or DTLS. By default, the commands use TLS and
clients will offer the lowest and highest protocol version they support,
and servers will pick the highest version that the client offers that is also
supported by the server.
The options below can be used to limit which protocol versions are used,
and whether TCP (SSL and TLS) or UDP (DTLS) is used.
Note that not all protocols and flags may be available, depending on how
OpenSSL was built.
=over 4
=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-tls1_3>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3>
These options require or disable the use of the specified SSL or TLS protocols.
When a specific TLS version is required, only that version will be offered or
accepted.
Only one specific protocol can be given and it cannot be combined with any of
the B<no_> options.
=item B<-dtls>, B<-dtls1>, B<-dtls1_2>
These options specify to use DTLS instead of DLTS.
With B<-dtls>, clients will negotiate any supported DTLS protocol version.
Use the B<-dtls1> or B<-dtls1_2> options to support only DTLS1.0 or DTLS1.2,
respectively.
=back
=head2 Engine Options


+ 32
- 0
doc/perlvars.pm View File

@ -107,6 +107,38 @@ $OpenSSL::safe::opt_trust_item = ""
. "\n"
. "See L<openssl(1)/Trusted Certificate Options> for details.";
# TLS Version Options
$OpenSSL::safe::opt_versiontls_synopsis = ""
. "[B<-no_ssl3>]\n"
. "[B<-no_tls1>]\n"
. "[B<-no_tls1_1>]\n"
. "[B<-no_tls1_2>]\n"
. "[B<-no_tls1_3>]\n"
. "[B<-ssl3>]\n"
. "[B<-tls1>]\n"
. "[B<-tls1_1>]\n"
. "[B<-tls1_2>]\n"
. "[B<-tls1_3>]";
$OpenSSL::safe::opt_versiontls_item = ""
. "=item B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3>,\n"
. "B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-tls1_3>\n"
. "\n"
. "See L<openssl(1)/TLS Version Options>.";
# TLS/DTLS Version Options
$OpenSSL::safe::opt_version_synopsis = ""
. "$OpenSSL::safe::opt_versiontls_synopsis\n"
. "[B<-dtls>]\n"
. "[B<-dtls1>]\n"
. "[B<-dtls1_2>]";
$OpenSSL::safe::opt_version_item = "\n"
. "$OpenSSL::safe::opt_versiontls_item\n"
. "\n"
. "=item B<-dtls>, B<-dtls1>, B<-dtls1_2>\n"
. "\n"
. "These specify the use of DTLS instead of TLS.\n"
. "See L<openssl(1)/TLS Version Options>.";
# SSL connection options.
# TODO(3.0) Not currently used. The refactoring needs to be done, and
# the options will probably be re-ordered.
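Review bot: `$OpenSSL::safe::opt_version_item` is initialised with `"\n"` while every other `*_item` and `*_synopsis` variable in this hunk (and `opt_trust_item` above it) starts from `""`, so the expanded item block in s_client and s_server begins with an extra blank line; for consistency use `$OpenSSL::safe::opt_version_item = ""` unless the leading newline is deliberate, in which case a short comment should say why. The two composite variables interpolate `$OpenSSL::safe::opt_versiontls_synopsis` and `$OpenSSL::safe::opt_versiontls_item` at assignment time rather than referring to them lazily, so reordering this file would silently produce empty text; a comment above `# TLS/DTLS Version Options` such as `# Built from the opt_versiontls_* strings above; keep these assignments after them.` would make that dependency explicit. The synopsis lists the `-no_*` options before the positive `-ssl3`/`-tls1*` ones, whereas the item line and the openssl.pod section they point to list the positive options first; pick one ordering so the two renderings agree.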


+ 8
- 0
util/dofile.pl View File

@ -40,6 +40,14 @@ my @autowarntext = (
. (scalar(@ARGV) > 0 ? " from " .join(", ", @ARGV) : "")
);
if (defined($opts{s})) {
local $/ = undef;
open VARS, $opts{s} or die "Couldn't open $opts{s}, $!";
my $contents = <VARS>;
close VARS;
eval $contents;
die $@ if $@;
}
die "Must have input files"
if defined($opts{i}) and scalar(@ARGV) == 0;
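Review bot: The added `open VARS, $opts{s} or die ...` is a two-argument open on a bareword handle, so the value given with `-s` is parsed for a leading mode character instead of being treated purely as a path; the three-argument lexical form is the safe idiom here: `open my $vars, '<', $opts{s} or die "Couldn't open $opts{s}, $!";` followed by `my $contents = <$vars>;` and `close $vars;`. `eval $contents` then runs the named file as Perl code, which appears to be the intent (a build-time variables file such as doc/perlvars.pm in this commit), but a string eval is something the next reader will question, so a one-line comment like `# -s names a Perl file whose variable assignments are evaluated into this process at build time` should sit above it. The `local $/ = undef` is correctly confined to the `if` block so the slurp mode does not leak into the later file reads.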

