WARNING! Gitlab maintenance operation scheduled for Thursday, 18 June between 19:00 and 20:00 (CET). During this time window, short service interruptions (less than 5 minutes) may occur. Thank you in advance for your understanding.

Commit 837f87c2 authored Jun 16, 2017 by Paul Yang Committed by Rich Salz Jun 16, 2017

Forbid to specify -nextprotoneg if -tls1_3 is enabled



This applies both to s_client and s_server app.

Reaction to Issue #3665.

Signed-off-by: Paul Yang <paulyang.inf@gmail.com>

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3697)

parent 6ea3bca4

apps/s_client.c

+6 −0

Original line number	Diff line number	Diff line
		@@ -1424,6 +1424,12 @@ int s_client_main(int argc, char **argv)
		if (argc != 0)
		goto opthelp;

		#ifndef OPENSSL_NO_NEXTPROTONEG
		if (min_version == TLS1_3_VERSION && next_proto_neg_in != NULL) {
		BIO_printf(bio_err, "Cannot supply -nextprotoneg with TLSv1.3\n");
		goto opthelp;
		}
		#endif
		if (proxystr != NULL) {
		int res;
		char tmp_host = host, tmp_port = port;

apps/s_server.c

+6 −0

Original line number	Diff line number	Diff line
		@@ -1536,6 +1536,12 @@ int s_server_main(int argc, char *argv[])
		argc = opt_num_rest();
		argv = opt_rest();

		#ifndef OPENSSL_NO_NEXTPROTONEG
		if (min_version == TLS1_3_VERSION && next_proto_neg_in != NULL) {
		BIO_printf(bio_err, "Cannot supply -nextprotoneg with TLSv1.3\n");
		goto opthelp;
		}
		#endif
		#ifndef OPENSSL_NO_DTLS
		if (www && socket_type == SOCK_DGRAM) {
		BIO_printf(bio_err, "Can't use -HTTP, -www or -WWW with DTLS\n");

doc/man1/s_client.pod

+1 −0

Original line number	Diff line number	Diff line
		@@ -564,6 +564,7 @@ for example "http/1.1" or "spdy/3".
		An empty list of protocols is treated specially and will cause the
		client to advertise support for the TLS extension but disconnect just
		after receiving ServerHello with a list of server supported protocols.
		The flag B<-nextprotoneg> cannot be specified if B<-tls1_3> is used.

		=item B<-ct\|noct>

doc/man1/s_server.pod

+1 −0

Original line number	Diff line number	Diff line
		@@ -609,6 +609,7 @@ The B<val> list is a comma-separated list of supported protocol
		names. The list should contain the most desirable protocols first.
		Protocol names are printable ASCII strings, for example "http/1.1" or
		"spdy/3".
		The flag B<-nextprotoneg> cannot be specified if B<-tls1_3> is used.

		=item B<-engine val>