int MAIN(int argc, char **argv)
{
unsigned int off=0, clr=0;
+ unsigned int cert_flags=0;
+ int build_chain = 0;
SSL *con=NULL;
#ifndef OPENSSL_NO_KRB5
KSSL_CTX *kctx;
#ifndef OPENSSL_NO_TLSEXT
char *servername = NULL;
char *curves=NULL;
+ char *sigalgs=NULL;
+ char *client_sigalgs=NULL;
tlsextctx tlsextcbp =
{NULL,0};
# ifndef OPENSSL_NO_NEXTPROTONEG
int srp_lateuser = 0;
SRP_ARG srp_arg = {NULL,NULL,0,0,0,1024};
#endif
+ SSL_EXCERT *exc = NULL;
meth=SSLv23_client_method();
}
else if (strcmp(*argv,"-verify_return_error") == 0)
verify_return_error = 1;
+ else if (args_excert(&argv, &argc, &badarg, bio_err, &exc))
+ {
+ if (badarg)
+ goto bad;
+ continue;
+ }
else if (strcmp(*argv,"-prexit") == 0)
prexit=1;
else if (strcmp(*argv,"-crlf") == 0)
if (--argc < 1) goto bad;
CApath= *(++argv);
}
+ else if (strcmp(*argv,"-build_chain") == 0)
+ build_chain = 1;
else if (strcmp(*argv,"-CAfile") == 0)
{
if (--argc < 1) goto bad;
if (--argc < 1) goto bad;
curves= *(++argv);
}
+ else if (strcmp(*argv,"-sigalgs") == 0)
+ {
+ if (--argc < 1) goto bad;
+ sigalgs= *(++argv);
+ }
+ else if (strcmp(*argv,"-client_sigalgs") == 0)
+ {
+ if (--argc < 1) goto bad;
+ client_sigalgs= *(++argv);
+ }
#endif
#ifndef OPENSSL_NO_JPAKE
else if (strcmp(*argv,"-jpake") == 0)
keymatexportlen=atoi(*(++argv));
if (keymatexportlen == 0) goto bad;
}
+ else if (strcmp(*argv, "-cert_strict") == 0)
+ cert_flags |= SSL_CERT_FLAG_TLS_STRICT;
else
{
BIO_printf(bio_err,"unknown option %s\n",*argv);
}
}
+ if (!load_excert(&exc, bio_err))
+ goto end;
+
if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
&& !RAND_status())
{
if (clr)
SSL_CTX_clear_options(ctx, clr);
+ if (cert_flags) SSL_CTX_set_cert_flags(ctx, cert_flags);
+ if (exc) ssl_ctx_set_excert(ctx, exc);
/* DTLS: partial reads end up discarding unread UDP bytes :-(
* Setting read ahead solves this problem.
*/
#endif
SSL_CTX_set_verify(ctx,verify,verify_callback);
- if (!set_cert_key_stuff(ctx,cert,key, NULL))
- goto end;
if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
(!SSL_CTX_set_default_verify_paths(ctx)))
/* goto end; */
}
+ if (!set_cert_key_stuff(ctx,cert,key, NULL, build_chain))
+ goto end;
+
#ifndef OPENSSL_NO_TLSEXT
if (curves != NULL)
if(!SSL_CTX_set1_curves_list(ctx,curves)) {
ERR_print_errors(bio_err);
goto end;
}
+ if (sigalgs != NULL)
+ if(!SSL_CTX_set1_sigalgs_list(ctx,sigalgs)) {
+ BIO_printf(bio_err,"error setting signature algorithms list\n");
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ if (client_sigalgs != NULL)
+ if(!SSL_CTX_set1_client_sigalgs_list(ctx,client_sigalgs)) {
+ BIO_printf(bio_err,"error setting client signature algorithms list\n");
+ ERR_print_errors(bio_err);
+ goto end;
+ }
if (servername != NULL)
{
tlsextcbp.biodebug = bio_err;
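Review bot: The new `set_cert_key_stuff(ctx,cert,key, NULL, build_chain)` call now runs after the verify-location block whose failure is deliberately non-fatal (`/* goto end; */` stays commented out), so when `-build_chain` is given and `-CAfile`/`-CApath` cannot be loaded, the user will see only whatever error the chain build reports rather than the earlier store-loading failure; this ordering looks intentional, but it deserves a comment such as `/* must follow SSL_CTX_load_verify_locations: -build_chain needs the verify store */` so the dependency is not undone by a later reordering. The two sigalgs blocks also diverge in style from the curves block directly above them, which reports only via `ERR_print_errors`; either drop the extra `BIO_printf` lines or give the curves branch the same "error setting ... list" message so all three failures read alike. MAIN's body continues outside this hunk.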
print_stuff(bio_c_out,con,1);
SSL_free(con);
}
+#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
+ if (next_proto.data)
+ OPENSSL_free(next_proto.data);
+#endif
if (ctx != NULL) SSL_CTX_free(ctx);
if (cert)
X509_free(cert);
EVP_PKEY_free(key);
if (pass)
OPENSSL_free(pass);
+ ssl_excert_free(exc);
if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); }
if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); }
if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); }
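Review bot: `OPENSSL_free(next_proto.data)` leaves the pointer dangling; the surrounding cleanup resets nothing else, but `next_proto` is not a local of MAIN in this view and appears to be file-scope state, and in the monolithic `openssl` binary MAIN can be entered more than once per process, so a stale non-NULL `next_proto.data` would be freed again on the next run. Add `next_proto.data = NULL;` after the free. Hedged, since the declaration of `next_proto` is not visible here; if it is actually reset where it is assigned, a one-line comment saying so would close the question. MAIN's cleanup continues outside this hunk.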