Add TLS_FALLBACK_SCSV documentation, and move s_client -fallback_scsv
authorBodo Moeller <bodo@openssl.org>
Wed, 15 Oct 2014 09:15:58 +0000 (11:15 +0200)
committerBodo Moeller <bodo@openssl.org>
Wed, 15 Oct 2014 09:15:58 +0000 (11:15 +0200)
handling out of #ifndef OPENSSL_NO_DTLS1 section.

Reviewed-by: Rich Salz <rsalz@openssl.org>
apps/s_client.c
doc/apps/s_client.pod
doc/ssl/SSL_CTX_set_mode.pod

index 2a343ffc250afce1cc5791701f64a70eb074c875..74790f48aac4ed6adfa6582829e1d908af439a92 100644 (file)
@@ -482,10 +482,6 @@ int MAIN(int argc, char **argv)
                        meth=DTLSv1_client_method();
                        sock_type=SOCK_DGRAM;
                        }
-               else if (strcmp(*argv,"-fallback_scsv") == 0)
-                       {
-                       fallback_scsv = 1;
-                       }
                else if (strcmp(*argv,"-timeout") == 0)
                        enable_timeouts=1;
                else if (strcmp(*argv,"-mtu") == 0)
@@ -494,6 +490,10 @@ int MAIN(int argc, char **argv)
                        socket_mtu = atol(*(++argv));
                        }
 #endif
+               else if (strcmp(*argv,"-fallback_scsv") == 0)
+                       {
+                       fallback_scsv = 1;
+                       }
                else if (strcmp(*argv,"-bugs") == 0)
                        bugs=1;
                else if (strcmp(*argv,"-keyform") == 0)
index 96307a9dfef64c06a7786ab3baf9ebaf42903896..5736e28cbbf3cb614c48967b892109d1b02ff192 100644 (file)
@@ -50,6 +50,7 @@ B<openssl> B<s_client>
 [B<-no_ssl2>]
 [B<-no_ssl3>]
 [B<-no_tls1>]
+[B<-fallback_scsv>]
 [B<-bugs>]
 [B<-cipher cipherlist>]
 [B<-starttls protocol>]
@@ -198,10 +199,13 @@ these options disable the use of certain SSL or TLS protocols. By default
 the initial handshake uses a method which should be compatible with all
 servers and permit them to use SSL v3, SSL v2 or TLS as appropriate.
 
-Unfortunately there are a lot of ancient and broken servers in use which
+Unfortunately there are still ancient and broken servers in use which
 cannot handle this technique and will fail to connect. Some servers only
-work if TLS is turned off with the B<-no_tls> option others will only
-support SSL v2 and may need the B<-ssl2> option.
+work if TLS is turned off.
+
+=item B<-fallback_scsv>
+
+Send TLS_FALLBACK_SCSV in the ClientHello.
 
 =item B<-bugs>
 
index 9822544e5e2d8feb37be9bc584a75e2df6776317..0ee23433ba7e66f3c5cfccb6fe9ad9a93b2cd116 100644 (file)
@@ -61,6 +61,12 @@ deal with read/write operations returning without success report. The
 flag SSL_MODE_AUTO_RETRY will cause read/write operations to only
 return after the handshake and successful completion.
 
+=item SSL_MODE_FALLBACK_SCSV
+
+Send TLS_FALLBACK_SCSV in the ClientHello.
+To be set by applications that reconnect with a downgraded protocol
+version; see draft-ietf-tls-downgrade-scsv-00 for details.
+
 =back
 
 =head1 RETURN VALUES