generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Add TLS_FALLBACK_SCSV documentation, and move s_client -fallback_scsv

Browse Source 
handling out of #ifndef OPENSSL_NO_DTLS1 section.

Reviewed-by: Rich Salz <rsalz@openssl.org>
This commit is contained in:
Bodo Moeller 2014-10-15 10:43:50 +02:00
parent cf6da05304
commit fb0e87fb67
3 changed files with 20 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
apps/s_client.c
View File

@ -942,10 +942,6 @@ static char *jpake_secret = NULL;
meth=DTLSv1_2_client_method(); meth=DTLSv1_2_client_method();
socket_type=SOCK_DGRAM; socket_type=SOCK_DGRAM;
} }
else if (strcmp(*argv,"-fallback_scsv") == 0)
{
fallback_scsv = 1;
}
else if (strcmp(*argv,"-timeout") == 0) else if (strcmp(*argv,"-timeout") == 0)
enable_timeouts=1; enable_timeouts=1;
else if (strcmp(*argv,"-mtu") == 0) else if (strcmp(*argv,"-mtu") == 0)
@ -954,6 +950,10 @@ static char *jpake_secret = NULL;
socket_mtu = atol(*(++argv)); socket_mtu = atol(*(++argv));
} }
#endif #endif
else if (strcmp(*argv,"-fallback_scsv") == 0)
{
fallback_scsv = 1;
}
else if (strcmp(*argv,"-keyform") == 0) else if (strcmp(*argv,"-keyform") == 0)
{ {
if (--argc < 1) goto bad; if (--argc < 1) goto bad;

14
doc/apps/s_client.pod
View File

@ -64,6 +64,9 @@ B<openssl> B<s_client>
[B<-no_ssl2>] [B<-no_ssl2>]
[B<-no_ssl3>] [B<-no_ssl3>]
[B<-no_tls1>] [B<-no_tls1>]
[B<-no_tls1_1>]
[B<-no_tls1_2>]
[B<-fallback_scsv>]
[B<-bugs>] [B<-bugs>]
[B<-cipher cipherlist>] [B<-cipher cipherlist>]
[B<-serverpref>] [B<-serverpref>]
@ -245,16 +248,19 @@ Use the PSK key B<key> when using a PSK cipher suite. The key is
given as a hexadecimal number without leading 0x, for example -psk given as a hexadecimal number without leading 0x, for example -psk
1a2b3c4d. 1a2b3c4d.
=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> =item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
these options disable the use of certain SSL or TLS protocols. By default these options disable the use of certain SSL or TLS protocols. By default
the initial handshake uses a method which should be compatible with all the initial handshake uses a method which should be compatible with all
servers and permit them to use SSL v3, SSL v2 or TLS as appropriate. servers and permit them to use SSL v3, SSL v2 or TLS as appropriate.
Unfortunately there are a lot of ancient and broken servers in use which Unfortunately there are still ancient and broken servers in use which
cannot handle this technique and will fail to connect. Some servers only cannot handle this technique and will fail to connect. Some servers only
work if TLS is turned off with the B<-no_tls> option others will only work if TLS is turned off.
support SSL v2 and may need the B<-ssl2> option.
=item B<-fallback_scsv>
Send TLS_FALLBACK_SCSV in the ClientHello.
=item B<-bugs> =item B<-bugs>

6
doc/ssl/SSL_CTX_set_mode.pod
View File

@ -71,6 +71,12 @@ SSL_CTX->freelist_max_len, which defaults to 32. Using this flag can
save around 34k per idle SSL connection. save around 34k per idle SSL connection.
This flag has no effect on SSL v2 connections, or on DTLS connections. This flag has no effect on SSL v2 connections, or on DTLS connections.
=item SSL_MODE_FALLBACK_SCSV
Send TLS_FALLBACK_SCSV in the ClientHello.
To be set by applications that reconnect with a downgraded protocol
version; see draft-ietf-tls-downgrade-scsv-00 for details.
=back =back
=head1 RETURN VALUES =head1 RETURN VALUES