Commit 837f87c2 authored by Paul Yang, committed by Rich Salz

Forbid specifying -nextprotoneg if -tls1_3 is enabled

This applies to both the s_client and s_server apps.

Reaction to Issue #3665.

Signed-off-by: Paul Yang <paulyang.inf@gmail.com>

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3697)
parent 6ea3bca4
+6 −0
@@ -1424,6 +1424,12 @@ int s_client_main(int argc, char **argv)
    if (argc != 0)
        goto opthelp;

#ifndef OPENSSL_NO_NEXTPROTONEG
    if (min_version == TLS1_3_VERSION && next_proto_neg_in != NULL) {
        BIO_printf(bio_err, "Cannot supply -nextprotoneg with TLSv1.3\n");
        goto opthelp;
    }
#endif
    if (proxystr != NULL) {
        int res;
        char *tmp_host = host, *tmp_port = port;
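Review bot: the new guard tests min_version == TLS1_3_VERSION rather than whether the -tls1_3 option itself was given, so it also rejects -nextprotoneg for any other option that raises the minimum protocol version to TLS 1.3, while a client that leaves the minimum lower and simply negotiates TLS 1.3 by default still has -nextprotoneg accepted and the NPN extension silently unused in the handshake. If the intent really is the -tls1_3 flag, as the documentation wording in this commit says, record that option directly and test it here; otherwise make the message and the documentation describe the minimum-version condition the code actually checks. Sending the user to opthelp for a plain option conflict prints the full usage text, which is at least consistent with the other sanity checks around this spot in s_client_main.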
+6 −0
@@ -1536,6 +1536,12 @@ int s_server_main(int argc, char *argv[])
    argc = opt_num_rest();
    argv = opt_rest();

#ifndef OPENSSL_NO_NEXTPROTONEG
    if (min_version == TLS1_3_VERSION && next_proto_neg_in != NULL) {
        BIO_printf(bio_err, "Cannot supply -nextprotoneg with TLSv1.3\n");
        goto opthelp;
    }
#endif
#ifndef OPENSSL_NO_DTLS
    if (www && socket_type == SOCK_DGRAM) {
        BIO_printf(bio_err, "Can't use -HTTP, -www or -WWW with DTLS\n");
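Review bot: the message "Cannot supply -nextprotoneg with TLSv1.3" names the protocol version, whereas the manual text added in this commit names the option -tls1_3, and since the condition is on min_version a user who triggers it through a minimum-version option rather than -tls1_3 will not find the situation described anywhere. Keep the message and the documentation saying the same thing, for example "Cannot supply -nextprotoneg when the minimum protocol version is TLSv1.3", and because this block is a verbatim copy of the one in s_client_main, change both together. A short hint in the message that -alpn is the replacement under TLS 1.3, where NPN is not supported, would save the user a trip to the manual.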
+1 −0
@@ -564,6 +564,7 @@ for example "http/1.1" or "spdy/3".
An empty list of protocols is treated specially and will cause the
client to advertise support for the TLS extension but disconnect just
after receiving ServerHello with a list of server supported protocols.
The flag B<-nextprotoneg> cannot be specified if B<-tls1_3> is used.

=item B<-ct|noct>

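Review bot: the new sentence is appended to the paragraph about the empty-protocol-list special case, so it reads as if the restriction applied only to that case; give it its own paragraph (a blank line before it in POD). It would also help to say why the combination is refused, namely that NPN is not part of TLS 1.3, and to point at B<-alpn> as the option to use instead, so the reader is not left with a bare prohibition.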
+1 −0
@@ -609,6 +609,7 @@ The B<val> list is a comma-separated list of supported protocol
names.  The list should contain the most desirable protocols first.
Protocol names are printable ASCII strings, for example "http/1.1" or
"spdy/3".
The flag B<-nextprotoneg> cannot be specified if B<-tls1_3> is used.

=item B<-engine val>
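Review bot: "cannot be specified if B<-tls1_3> is used" does not match the check added to s_server_main, which fires on the minimum protocol version being TLS 1.3 however that was set, and it leaves undocumented what happens without the flag, where TLS 1.3 can still be negotiated and the advertised NPN protocols are simply never used. Either word the documentation in terms of the minimum version, or tighten the code to the -tls1_3 option so the sentence is accurate; in both cases mirror whatever wording is chosen in the s_client manual page, since the two additions are identical.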