Loading CHANGES +9 −8 Original line number Diff line number Diff line Loading @@ -26,14 +26,15 @@ - SSL_CTX_set_tlsext_servername_arg() SSL_CTRL_SET_TLSEXT_HOSTNAME - SSL_set_tlsext_hostname() openssl s_client has a new '-servername' option. openssl s_server has new options '-servername', '-cert2', and '-key2' (subject to change); this allows testing the HostName extension for a specific single host name ('-cert' and '-key' remain fallbacks for handshakes without HostName negotiation). The option servername_warn allows to return a warning alert instead of a fatal alert in case of servername mismatch. openssl s_client has a new '-servername ...' option. openssl s_server has new options '-servername_host ...', '-cert2 ...', '-key2 ...', '-servername_fatal' (subject to change). This allows testing the HostName extension for a specific single host name ('-cert' and '-key' remain fallbacks for handshakes without HostName negotiation). If the unrecogninzed_name alert has to be sent, this by default is a warning; it becomes fatal with the '-servername_fatal' option. [Peter Sylvester, Remy Allais, Christophe Renou] Loading apps/s_cb.c +16 −1 Original line number Diff line number Diff line Loading @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions Loading Loading 
@@ -504,6 +504,21 @@ void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void * case 100: str_details2 = " no_renegotiation"; break; case 110: str_details2 = " unsupported_extension"; break; case 111: str_details2 = " certificate_unobtainable"; break; case 112: str_details2 = " unrecognized_name"; break; case 113: str_details2 = " bad_certificate_status_response"; break; case 114: str_details2 = " bad_certificate_hash_value"; break; } } } Loading apps/s_client.c +1 −1 Original line number Diff line number Diff line Loading @@ -245,7 +245,7 @@ static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg) else BIO_printf(bio_err,"Can't use SSL_get_servername\n"); return 1; return SSL_TLSEXT_ERR_OK; } #endif Loading apps/s_server.c +10 −9 Original line number Diff line number Diff line Loading @@ -367,7 +367,7 @@ static void sv_usage(void) BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); #ifndef OPENSSL_NO_TLSEXT BIO_printf(bio_err," -servername host - servername for HostName TLS extension\n"); BIO_printf(bio_err," -servername_warn - on mismatch send warning (default fatal alert)\n"); BIO_printf(bio_err," -servername_fatal - on mismatch send fatal alert (default warning alert)\n"); BIO_printf(bio_err," -cert2 arg - certificate file to use for servername\n"); BIO_printf(bio_err," (default is %s)\n",TEST_CERT2); BIO_printf(bio_err," -key2 arg - Private Key file to use for servername, in cert file if\n"); Loading Loading @@ -534,7 +534,7 @@ static int ebcdic_puts(BIO *bp, const char *str) typedef struct tlsextctx_st { char * servername; BIO * biodebug; int servername_warn; int extension_error; } tlsextctx; Loading 
@@ -546,18 +546,19 @@ static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg) BIO_printf(p->biodebug,"Hostname in TLS extension: \"%s\"\n",servername); if (!p->servername) return 1; return SSL_TLSEXT_ERR_NOACK; if (servername) { if (strcmp(servername,p->servername)) return p->servername_warn; if (ctx2) { return p->extension_error; if (ctx2) { BIO_printf(p->biodebug,"Swiching server context.\n"); SSL_set_SSL_CTX(s,ctx2); } } return 1; return SSL_TLSEXT_ERR_OK; } #endif Loading Loading @@ -597,7 +598,7 @@ int MAIN(int argc, char *argv[]) #endif #ifndef OPENSSL_NO_TLSEXT tlsextctx tlsextcbp = {NULL, NULL, -1}; tlsextctx tlsextcbp = {NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING}; #endif #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3) meth=SSLv23_server_method(); Loading Loading @@ -846,8 +847,8 @@ int MAIN(int argc, char *argv[]) if (--argc < 1) goto bad; tlsextcbp.servername= *(++argv); } else if (strcmp(*argv,"-servername_warn") == 0) { tlsextcbp.servername_warn = 0; } else if (strcmp(*argv,"-servername_fatal") == 0) { tlsextcbp.extension_error = SSL_TLSEXT_ERR_ALERT_FATAL; } else if (strcmp(*argv,"-cert2") == 0) { if (--argc < 1) goto bad; Loading ssl/s23_clnt.c +4 −0 Original line number Diff line number Diff line Loading @@ -565,6 +565,7 @@ static int ssl23_get_server_hello(SSL *s) (p[5] == SSL3_MT_SERVER_HELLO)) { /* we have sslv3 or tls1 */ have_sslv3_or_tls1: if (!ssl_init_wbio_buffer(s,1)) goto err; Loading Loading @@ -623,6 +624,9 @@ static int ssl23_get_server_hello(SSL *s) cb(s,SSL_CB_READ_ALERT,j); } if (p[5] == SSL3_AL_WARNING) goto have_sslv3_or_tls1; s->rwstate=SSL_NOTHING; SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_AD_REASON_OFFSET+p[6]); goto err; Loading Loading
CHANGES +9 −8 Original line number Diff line number Diff line Loading @@ -26,14 +26,15 @@ - SSL_CTX_set_tlsext_servername_arg() SSL_CTRL_SET_TLSEXT_HOSTNAME - SSL_set_tlsext_hostname() openssl s_client has a new '-servername' option. openssl s_server has new options '-servername', '-cert2', and '-key2' (subject to change); this allows testing the HostName extension for a specific single host name ('-cert' and '-key' remain fallbacks for handshakes without HostName negotiation). The option servername_warn allows to return a warning alert instead of a fatal alert in case of servername mismatch. openssl s_client has a new '-servername ...' option. openssl s_server has new options '-servername_host ...', '-cert2 ...', '-key2 ...', '-servername_fatal' (subject to change). This allows testing the HostName extension for a specific single host name ('-cert' and '-key' remain fallbacks for handshakes without HostName negotiation). If the unrecogninzed_name alert has to be sent, this by default is a warning; it becomes fatal with the '-servername_fatal' option. [Peter Sylvester, Remy Allais, Christophe Renou] Loading
apps/s_cb.c +16 −1 Original line number Diff line number Diff line Loading @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions Loading Loading @@ -504,6 +504,21 @@ void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void * case 100: str_details2 = " no_renegotiation"; break; case 110: str_details2 = " unsupported_extension"; break; case 111: str_details2 = " certificate_unobtainable"; break; case 112: str_details2 = " unrecognized_name"; break; case 113: str_details2 = " bad_certificate_status_response"; break; case 114: str_details2 = " bad_certificate_hash_value"; break; } } } Loading
apps/s_client.c +1 −1 Original line number Diff line number Diff line Loading @@ -245,7 +245,7 @@ static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg) else BIO_printf(bio_err,"Can't use SSL_get_servername\n"); return 1; return SSL_TLSEXT_ERR_OK; } #endif Loading
apps/s_server.c +10 −9 Original line number Diff line number Diff line Loading @@ -367,7 +367,7 @@ static void sv_usage(void) BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); #ifndef OPENSSL_NO_TLSEXT BIO_printf(bio_err," -servername host - servername for HostName TLS extension\n"); BIO_printf(bio_err," -servername_warn - on mismatch send warning (default fatal alert)\n"); BIO_printf(bio_err," -servername_fatal - on mismatch send fatal alert (default warning alert)\n"); BIO_printf(bio_err," -cert2 arg - certificate file to use for servername\n"); BIO_printf(bio_err," (default is %s)\n",TEST_CERT2); BIO_printf(bio_err," -key2 arg - Private Key file to use for servername, in cert file if\n"); Loading Loading @@ -534,7 +534,7 @@ static int ebcdic_puts(BIO *bp, const char *str) typedef struct tlsextctx_st { char * servername; BIO * biodebug; int servername_warn; int extension_error; } tlsextctx; Loading @@ -546,18 +546,19 @@ static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg) BIO_printf(p->biodebug,"Hostname in TLS extension: \"%s\"\n",servername); if (!p->servername) return 1; return SSL_TLSEXT_ERR_NOACK; if (servername) { if (strcmp(servername,p->servername)) return p->servername_warn; if (ctx2) { return p->extension_error; if (ctx2) { BIO_printf(p->biodebug,"Swiching server context.\n"); SSL_set_SSL_CTX(s,ctx2); } } return 1; return SSL_TLSEXT_ERR_OK; } #endif Loading Loading @@ -597,7 +598,7 @@ int MAIN(int argc, char *argv[]) #endif #ifndef OPENSSL_NO_TLSEXT tlsextctx tlsextcbp = {NULL, NULL, -1}; tlsextctx tlsextcbp = {NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING}; #endif #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3) meth=SSLv23_server_method(); Loading Loading 
@@ -846,8 +847,8 @@ int MAIN(int argc, char *argv[]) if (--argc < 1) goto bad; tlsextcbp.servername= *(++argv); } else if (strcmp(*argv,"-servername_warn") == 0) { tlsextcbp.servername_warn = 0; } else if (strcmp(*argv,"-servername_fatal") == 0) { tlsextcbp.extension_error = SSL_TLSEXT_ERR_ALERT_FATAL; } else if (strcmp(*argv,"-cert2") == 0) { if (--argc < 1) goto bad; Loading
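Review bot: `strcmp(servername,p->servername)` in the new ssl_servername_cb body compares the peer-supplied SNI name case-sensitively, so a client offering `WWW.Example.COM` against `-servername_host www.example.com` is treated as a mismatch and gets the unrecognized_name alert (fatal under `-servername_fatal`); DNS host names compare case-insensitively, so `strcasecmp` (or whichever portable wrapper this apps tree already uses for it) is the comparison this check should be making — worth confirming against the platforms the tree targets. The value is untrusted input straight from the ClientHello, which a one-line comment above the compare should say, e.g. `/* servername comes from the peer; only used for a bounded compare and a debug print */`. Minor: the debug string reads `Swiching server context.` (typo), and sv_usage still advertises `-servername host` while the CHANGES entry in this commit calls the option `-servername_host`; the option-comparison line itself is outside the hunk, so one of the two texts is wrong. ssl_servername_cb's opening lines are outside the hunk.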
ssl/s23_clnt.c +4 −0 Original line number Diff line number Diff line Loading @@ -565,6 +565,7 @@ static int ssl23_get_server_hello(SSL *s) (p[5] == SSL3_MT_SERVER_HELLO)) { /* we have sslv3 or tls1 */ have_sslv3_or_tls1: if (!ssl_init_wbio_buffer(s,1)) goto err; Loading Loading @@ -623,6 +624,9 @@ static int ssl23_get_server_hello(SSL *s) cb(s,SSL_CB_READ_ALERT,j); } if (p[5] == SSL3_AL_WARNING) goto have_sslv3_or_tls1; s->rwstate=SSL_NOTHING; SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_AD_REASON_OFFSET+p[6]); goto err; Loading
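Review bot: The added `if (p[5] == SSL3_AL_WARNING) goto have_sslv3_or_tls1;` accepts any warning-level alert arriving in place of the ServerHello as proof that the peer speaks SSLv3/TLS1 and resumes the handshake from there, not only the unrecognized_name warning that motivated the change — the alert description in p[6] (which the existing SSLerr line below clearly treats as the description) is never examined — and the jump lands inside the sibling `if` block, which is legal C but easy to misread. At minimum the goto deserves a comment, e.g. `/* A warning alert (e.g. unrecognized_name from the server's SNI callback) may precede ServerHello; hand the record to the SSLv3/TLS1 code, which consumes the alert and continues. */`, and if only the SNI case is intended, narrowing the test to `p[5] == SSL3_AL_WARNING && p[6] == SSL_AD_UNRECOGNIZED_NAME` (or the literal 112 if that constant is not yet defined in this tree) would keep unrelated warnings on the existing error path. ssl23_get_server_hello starts and ends outside the hunk.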