OPT_SRTP_PROFILES, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN,
OPT_KEYLOG_FILE, OPT_MAX_EARLY, OPT_RECV_MAX_EARLY, OPT_EARLY_DATA,
OPT_S_NUM_TICKETS, OPT_ANTI_REPLAY, OPT_NO_ANTI_REPLAY, OPT_SCTP_LABEL_BUG,
- OPT_HTTP_SERVER_BINMODE,
+ OPT_HTTP_SERVER_BINMODE, OPT_NOCANAMES,
OPT_R_ENUM,
OPT_S_ENUM,
OPT_V_ENUM,
{"anti_replay", OPT_ANTI_REPLAY, '-', "Switch on anti-replay protection (default)"},
{"no_anti_replay", OPT_NO_ANTI_REPLAY, '-', "Switch off anti-replay protection"},
{"http_server_binmode", OPT_HTTP_SERVER_BINMODE, '-', "opening files in binary mode when acting as http server (-WWW and -HTTP)"},
+ {"no_ca_names", OPT_NOCANAMES, '-',
+ "Disable TLS Extension CA Names"},
{"stateless", OPT_STATELESS, '-', "Require TLSv1.3 cookies"},
#ifndef OPENSSL_NO_SSL3
{"ssl3", OPT_SSL3, '-', "Just talk SSLv3"},
const char *keylog_file = NULL;
int max_early_data = -1, recv_max_early_data = -1;
char *psksessf = NULL;
+ int no_ca_names = 0;
#ifndef OPENSSL_NO_SCTP
int sctp_label_bug = 0;
#endif
case OPT_HTTP_SERVER_BINMODE:
http_server_binmode = 1;
break;
+ case OPT_NOCANAMES:
+ no_ca_names = 1;
+ break;
case OPT_SENDFILE:
#ifndef OPENSSL_NO_KTLS
use_sendfile = 1;
SSL_CTX_set_mode(ctx, SSL_MODE_ASYNC);
}
+ if (no_ca_names) {
+ SSL_CTX_set_options(ctx, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
+ }
+
if (max_send_fragment > 0
&& !SSL_CTX_set_max_send_fragment(ctx, max_send_fragment)) {
BIO_printf(bio_err, "%s: Max send fragment size %u is out of permitted range\n",
[B<-www>]
[B<-WWW>]
[B<-http_server_binmode>]
+[B<-no_ca_names>]
[B<-servername>]
[B<-servername_fatal>]
[B<-tlsextdebug>]
When acting as web-server (using option B<-WWW> or B<-HTTP>) open files requested
by the client in binary mode.
+=item B<-no_ca_names>
+
+Disable TLS Extension CA Names. You may want to disable it for security reasons
+or for compatibility with some Windows TLS implementations crashing when this
+extension is larger than 1024 bytes.
+
=item B<-id_prefix> I<val>
Generate SSL/TLS session IDs prefixed by I<val>. This is mostly useful
default. Inverse of B<SSL_OP_NO_EXTENDED_MASTER_SECRET>: that is,
B<-ExtendedMasterSecret> is the same as setting B<SSL_OP_NO_EXTENDED_MASTER_SECRET>.
+B<CANames>: use CA names extension, enabled by
+default. Inverse of B<SSL_OP_DISABLE_TLSEXT_CA_NAMES>: that is,
+B<-CANames> is the same as setting B<SSL_OP_DISABLE_TLSEXT_CA_NAMES>.
+
=item B<VerifyMode>
The B<value> argument is a comma separated list of flags to set.
Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on OS X.
OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers.
+=item SSL_OP_DISABLE_TLSEXT_CA_NAMES
+
+Disable TLS Extension CA Names. You may want to disable it for security reasons
+or for compatibility with some Windows TLS implementations crashing when this
+extension is larger than 1024 bytes.
+
=item SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
Disables a countermeasure against a SSL 3.0/TLS 1.0 protocol
=head1 COPYRIGHT
-Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
/*
* Reserved value (until OpenSSL 3.0.0) 0x00000080U
* Reserved value (until OpenSSL 3.0.0) 0x00000100U
- * Reserved value (until OpenSSL 3.0.0) 0x00000200U
*/
+# define SSL_OP_DISABLE_TLSEXT_CA_NAMES 0x00000200U
+
/* In TLSv1.3 allow a non-(ec)dhe based kex_mode */
# define SSL_OP_ALLOW_NO_DHE_KEX 0x00000400U
/*
- * Copyright 2012-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2012-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
SSL_FLAG_TBL("PrioritizeChaCha", SSL_OP_PRIORITIZE_CHACHA),
SSL_FLAG_TBL("MiddleboxCompat", SSL_OP_ENABLE_MIDDLEBOX_COMPAT),
SSL_FLAG_TBL_INV("AntiReplay", SSL_OP_NO_ANTI_REPLAY),
- SSL_FLAG_TBL_INV("ExtendedMasterSecret", SSL_OP_NO_EXTENDED_MASTER_SECRET)
+ SSL_FLAG_TBL_INV("ExtendedMasterSecret", SSL_OP_NO_EXTENDED_MASTER_SECRET),
+ SSL_FLAG_TBL_INV("CANames", SSL_OP_DISABLE_TLSEXT_CA_NAMES)
};
if (value == NULL)
return -3;
return 0;
}
- if (ca_sk != NULL) {
+ if ((ca_sk != NULL) && !(s->options & SSL_OP_DISABLE_TLSEXT_CA_NAMES)) {
int i;
for (i = 0; i < sk_X509_NAME_num(ca_sk); i++) {
}
static int execute_test_session(int maxprot, int use_int_cache,
- int use_ext_cache)
+ int use_ext_cache, long s_options)
{
SSL_CTX *sctx = NULL, *cctx = NULL;
SSL *serverssl1 = NULL, *clientssl1 = NULL;
| SSL_SESS_CACHE_NO_INTERNAL_STORE);
}
+ if (s_options) {
+ SSL_CTX_set_options(sctx, s_options);
+ }
+
if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
NULL, NULL))
|| !TEST_true(create_ssl_connection(serverssl1, clientssl1,
static int test_session_with_only_int_cache(void)
{
#ifndef OPENSSL_NO_TLS1_3
- if (!execute_test_session(TLS1_3_VERSION, 1, 0))
+ if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
return 0;
#endif
#ifndef OPENSSL_NO_TLS1_2
- return execute_test_session(TLS1_2_VERSION, 1, 0);
+ return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
#else
return 1;
#endif
static int test_session_with_only_ext_cache(void)
{
#ifndef OPENSSL_NO_TLS1_3
- if (!execute_test_session(TLS1_3_VERSION, 0, 1))
+ if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
return 0;
#endif
#ifndef OPENSSL_NO_TLS1_2
- return execute_test_session(TLS1_2_VERSION, 0, 1);
+ return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
#else
return 1;
#endif
static int test_session_with_both_cache(void)
{
#ifndef OPENSSL_NO_TLS1_3
- if (!execute_test_session(TLS1_3_VERSION, 1, 1))
+ if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
+ return 0;
+#endif
+
+#ifndef OPENSSL_NO_TLS1_2
+ return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
+#else
+ return 1;
+#endif
+}
+
+static int test_session_wo_ca_names(void)
+{
+#ifndef OPENSSL_NO_TLS1_3
+ if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
return 0;
#endif
#ifndef OPENSSL_NO_TLS1_2
- return execute_test_session(TLS1_2_VERSION, 1, 1);
+ return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
#else
return 1;
#endif
}
+
#ifndef OPENSSL_NO_TLS1_3
static SSL_SESSION *sesscache[6];
static int do_cache;
ADD_TEST(test_session_with_only_int_cache);
ADD_TEST(test_session_with_only_ext_cache);
ADD_TEST(test_session_with_both_cache);
+ ADD_TEST(test_session_wo_ca_names);
#ifndef OPENSSL_NO_TLS1_3
ADD_ALL_TESTS(test_stateful_tickets, 3);
ADD_ALL_TESTS(test_stateless_tickets, 3);
projects / oweals / openssl.git / commitdiff