From: Rich Salz Date: Sat, 12 Oct 2019 21:45:56 +0000 (-0400) Subject: Refactor the tls/dlts version options X-Git-Tag: openssl-3.0.0-alpha1~689 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=d4bff20d55b7ab7b4dd43ada28372efb90942dfd;p=oweals%2Fopenssl.git Refactor the tls/dlts version options Reviewed-by: Tomas Mraz Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/10134)
---
diff --git a/.gitignore b/.gitignore
index 26bba646d7..bdcfc0795b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -67,6 +67,35 @@ doc/man1/openssl-verify.pod
 doc/man1/openssl-x509.pod
 doc/man1/openssl.pod
+# Auto generated doc files
+doc/man1/openssl-ca.pod
+doc/man1/openssl-cms.pod
+doc/man1/openssl-crl.pod
+doc/man1/openssl-dgst.pod
+doc/man1/openssl-dhparam.pod
+doc/man1/openssl-dsaparam.pod
+doc/man1/openssl-ecparam.pod
+doc/man1/openssl-enc.pod
+doc/man1/openssl-gendsa.pod
+doc/man1/openssl-genrsa.pod
+doc/man1/openssl-ocsp.pod
+doc/man1/openssl-passwd.pod
+doc/man1/openssl-pkcs12.pod
+doc/man1/openssl-pkcs8.pod
+doc/man1/openssl-pkeyutl.pod
+doc/man1/openssl-rand.pod
+doc/man1/openssl-req.pod
+doc/man1/openssl-rsautl.pod
+doc/man1/openssl-s_client.pod
+doc/man1/openssl-s_server.pod
+doc/man1/openssl-s_time.pod
+doc/man1/openssl-smime.pod
+doc/man1/openssl-speed.pod
+doc/man1/openssl-srp.pod
+doc/man1/openssl-ts.pod
+doc/man1/openssl-verify.pod
+doc/man1/openssl-x509.pod
+
 # error code files
 /crypto/err/openssl.txt.old
 /engines/e_afalg.txt.old
diff --git a/doc/man1/openssl-s_client.pod.in b/doc/man1/openssl-s_client.pod.in
index 8bd6c9eec1..779f91700f 100644
--- a/doc/man1/openssl-s_client.pod.in
+++ b/doc/man1/openssl-s_client.pod.in
@@ -79,19 +79,6 @@ B B
 [B<-psk> I]
 [B<-psk_session> I]
 [B<-quiet>]
-[B<-ssl3>]
-[B<-tls1>]
-[B<-tls1_1>]
-[B<-tls1_2>]
-[B<-tls1_3>]
-[B<-no_ssl3>]
-[B<-no_tls1>]
-[B<-no_tls1_1>]
-[B<-no_tls1_2>]
-[B<-no_tls1_3>]
-[B<-dtls>]
-[B<-dtls1>]
-[B<-dtls1_2>]
 [B<-sctp>]
 [B<-sctp_label_bug>]
 [B<-fallback_scsv>]
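Review bot: The new `# Auto generated doc files` list repeats entries that the context lines immediately above it already contain — `doc/man1/openssl-x509.pod`, and apparently `doc/man1/openssl-verify.pod` — so the old and new lists should be merged into one rather than the same paths being listed twice. The existing `doc/man1/openssl.pod` entry just above the insertion point also looks out of place, because this commit edits `doc/man1/openssl.pod` as a tracked, hand-maintained file rather than a generated one; ignoring an already-tracked path has no effect on it, but it misleads anyone reading the list, so it is worth dropping or confirming.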
@@ -127,6 +114,7 @@ B B
 [B<-early_data> I]
 [B<-enable_pha>]
 {- $OpenSSL::safe::opt_name_synopsis -}
+{- $OpenSSL::safe::opt_version_synopsis -}
 {- $OpenSSL::safe::opt_x_synopsis -}
 {- $OpenSSL::safe::opt_trust_synopsis -}
 {- $OpenSSL::safe::opt_r_synopsis -}
@@ -458,23 +446,6 @@ This option must be provided in order to use a PSK cipher. Use the pem encoded SSL_SESSION data stored in I as the basis of a PSK. Note that this will only work if TLSv1.3 is negotiated.
-=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-tls1_3>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3>
-
-These options require or disable the use of the specified SSL or TLS protocols.
-By default, this command will negotiate the highest mutually supported protocol
-version.
-When a specific TLS version is required, only that version will be offered to
-and accepted from the server.
-Note that not all protocols and flags may be available, depending on how
-OpenSSL was built.
-
-=item B<-dtls>, B<-dtls1>, B<-dtls1_2>
-
-These options make this command use DTLS protocols instead of TLS.
-With B<-dtls>, it will negotiate any supported DTLS protocol version,
-whilst B<-dtls1> and B<-dtls1_2> will only support DTLS1.0 and DTLS1.2
-respectively.
-
 =item B<-sctp>
 Use SCTP for the transport protocol instead of UDP in DTLS. Must be used in
@@ -685,12 +656,7 @@ data and when the server accepts the early data. For TLSv1.3 only, send the Post-Handshake Authentication extension. This will happen whether or not a certificate has been provided via B<-cert>.
-=item I:I
-
-Rather than providing B<-connect>, the target hostname and optional port may
-be provided as a single positional argument after all options. If neither this
-nor B<-connect> are provided, falls back to attempting to connect to
-I on port I<4433>.
+{- $OpenSSL::safe::opt_version_item -}
 {- $OpenSSL::safe::opt_name_item -}
@@ -702,6 +668,13 @@ I on port I<4433>.
 {- $OpenSSL::safe::opt_engine_item -}
+=item I:I
+
+Rather than providing B<-connect>, the target hostname and optional port may
+be provided as a single positional argument after all options. If neither this
+nor B<-connect> are provided, falls back to attempting to connect to
+I on port I<4433>.
+
 =back
 =head1 CONNECTED COMMANDS
diff --git a/doc/man1/openssl-s_server.pod.in b/doc/man1/openssl-s_server.pod.in
index 743ad616d5..a4bc020c39 100644
--- a/doc/man1/openssl-s_server.pod.in
+++ b/doc/man1/openssl-s_server.pod.in
@@ -83,11 +83,6 @@ B B
 [B<-split_send_frag> I<+int>]
 [B<-max_pipelines> I<+int>]
 [B<-read_buf> I<+int>]
-[B<-no_ssl3>]
-[B<-no_tls1>]
-[B<-no_tls1_1>]
-[B<-no_tls1_2>]
-[B<-no_tls1_3>]
 [B<-bugs>]
 [B<-no_comp>]
 [B<-comp>]
@@ -149,17 +144,9 @@ B B
 [B<-psk_session> I]
 [B<-srpvfile> I]
 [B<-srpuserseed> I]
-[B<-ssl3>]
-[B<-tls1>]
-[B<-tls1_1>]
-[B<-tls1_2>]
-[B<-tls1_3>]
-[B<-dtls>]
 [B<-timeout>]
 [B<-mtu> I<+int>]
 [B<-listen>]
-[B<-dtls1>]
-[B<-dtls1_2>]
 [B<-sctp>]
 [B<-sctp_label_bug>]
 [B<-no_dhe>]
@@ -173,6 +160,7 @@ B B
 [B<-no_anti_replay>]
 [B<-http_server_binmode>]
 {- $OpenSSL::safe::opt_name_synopsis -}
+{- $OpenSSL::safe::opt_version_synopsis -}
 {- $OpenSSL::safe::opt_x_synopsis -}
 {- $OpenSSL::safe::opt_trust_synopsis -}
 {- $OpenSSL::safe::opt_r_synopsis -}
@@ -391,22 +379,18 @@ web browser. Cannot be used in conjunction with B<-early_data>. Emulates a simple web server. Pages will be resolved relative to the current directory, for example if the URL https://myhost/page.html is
-requested the file F<./page.html> will be loaded. Cannot be used in conjunction
+requested the file F<./page.html> will be loaded.
+The files loaded are
+assumed to contain a complete and correct HTTP response (lines that
+are part of the HTTP response line and headers must end with CRLF). Cannot be
+used in conjunction with B<-early_data>.
+Cannot be used in conjunction with B<-early_data>.
 =item B<-tlsextdebug>
 Print a hex dump of any TLS extensions received from the server.
-=item B<-HTTP>
-
-Emulates a simple web server. Pages will be resolved relative to the
-current directory, for example if the URL https://myhost/page.html is
-requested the file F<./page.html> will be loaded. The files loaded are
-assumed to contain a complete and correct HTTP response (lines that
-are part of the HTTP response line and headers must end with CRLF). Cannot be
-used in conjunction with B<-early_data>.
-
 =item B<-id_prefix> I
 Generate SSL/TLS session IDs prefixed by I. This is mostly useful
@@ -495,16 +479,6 @@ effect if the buffer size is larger than the size that would otherwise be used and pipelining is in use (see L for further information).
-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-tls1_3>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3>
-
-These options require or disable the use of the specified SSL or TLS protocols.
-By default, this command will negotiate the highest mutually supported
-protocol version.
-When a specific TLS version is required, only that version will be accepted
-from the client.
-Note that not all protocols and flags may be available, depending on how
-OpenSSL was built.
-
 =item B<-bugs>
 There are several known bugs in SSL and TLS implementations. Adding this
@@ -639,13 +613,6 @@ Any without a cookie will be responded to with a HelloVerifyRequest. If a ClientHello with a cookie is received then this command will connect to that peer and complete the handshake.
-=item B<-dtls>, B<-dtls1>, B<-dtls1_2>
-
-These options make this command use DTLS protocols instead of TLS.
-With B<-dtls>, it will negotiate any supported DTLS protocol
-version, whilst B<-dtls1> and B<-dtls1_2> will only support DTLSv1.0 and
-DTLSv1.2 respectively.
-
 =item B<-sctp>
 Use SCTP for the transport protocol instead of UDP in DTLS. Must be used in
@@ -709,6 +676,8 @@ by the client in binary mode.
 {- $OpenSSL::safe::opt_name_item -}
+{- $OpenSSL::safe::opt_version_item -}
+
 {- $OpenSSL::safe::opt_x_item -}
 {- $OpenSSL::safe::opt_trust_item -}
diff --git a/doc/man1/openssl-s_time.pod.in b/doc/man1/openssl-s_time.pod.in
index 01707324db..ed1c012f8e 100644
--- a/doc/man1/openssl-s_time.pod.in
+++ b/doc/man1/openssl-s_time.pod.in
@@ -17,11 +17,7 @@ B B
 [B<-new>]
 [B<-verify> I]
 [B<-time> I]
-[B<-ssl3>]
-[B<-tls1>]
-[B<-tls1_1>]
-[B<-tls1_2>]
-[B<-tls1_3>]
+{- $OpenSSL::safe::opt_versiontls_synopsis -}
 [B<-bugs>]
 [B<-cipher> I]
 [B<-ciphersuites> I]
@@ -94,15 +90,6 @@ Performs the timing test using the same session ID; this can be used as a test that session caching is working. If neither B<-new> nor B<-reuse> are specified, they are both on by default and executed in sequence.
-=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-tls1_3>
-
-These options enable specific SSL or TLS protocol versions for the handshake
-initiated by this command.
-By default, it negotiates the highest mutually supported protocol
-version.
-Note that not all protocols and flags may be available, depending on how
-OpenSSL was built.
-
 =item B<-bugs>
 There are several known bugs in SSL and TLS implementations. Adding this
@@ -136,6 +123,8 @@ can establish.
 {- $OpenSSL::safe::opt_trust_item -}
+{- $OpenSSL::safe::opt_versiontls_item -}
+
 =back
 =head1 NOTES
diff --git a/doc/man1/openssl.pod b/doc/man1/openssl.pod
index 5ef537434c..a3f7353a43 100644
--- a/doc/man1/openssl.pod
+++ b/doc/man1/openssl.pod
@@ -931,6 +931,35 @@ B. Places spaces round the equal sign, C<=>, character which follows the field name.
+=head2 TLS Version Options
+
+Several commands use SSL, TLS, or DTLS. By default, the commands use TLS and
+clients will offer the lowest and highest protocol version they support,
+and servers will pick the highest version that the client offers that is also
+supported by the server.
+
+The options below can be used to limit which protocol versions are used,
+and whether TCP (SSL and TLS) or UDP (DTLS) is used.
+Note that not all protocols and flags may be available, depending on how
+OpenSSL was built.
+
+=over 4
+
+=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-tls1_3>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3>
+
+These options require or disable the use of the specified SSL or TLS protocols.
+When a specific TLS version is required, only that version will be offered or
+accepted.
+Only one specific protocol can be given and it cannot be combined with any of
+the B options.
+
+=item B<-dtls>, B<-dtls1>, B<-dtls1_2>
+
+These options specify to use DTLS instead of DLTS.
+With B<-dtls>, clients will negotiate any supported DTLS protocol version.
+Use the B<-dtls1> or B<-dtls1_2> options to support only DTLS1.0 or DTLS1.2,
+respectively.
+
 =back
 =head2 Engine Options
diff --git a/doc/perlvars.pm b/doc/perlvars.pm
index 4e9dc31ac2..7f0cf167d3 100644
--- a/doc/perlvars.pm
+++ b/doc/perlvars.pm
@@ -107,6 +107,38 @@ $OpenSSL::safe::opt_trust_item = ""
 . "\n"
 . "See L for details.";
+# TLS Version Options
+$OpenSSL::safe::opt_versiontls_synopsis = ""
+. "[B<-no_ssl3>]\n"
+. "[B<-no_tls1>]\n"
+. "[B<-no_tls1_1>]\n"
+. "[B<-no_tls1_2>]\n"
+. "[B<-no_tls1_3>]\n"
+. "[B<-ssl3>]\n"
+. "[B<-tls1>]\n"
+. "[B<-tls1_1>]\n"
+. "[B<-tls1_2>]\n"
+. "[B<-tls1_3>]";
+$OpenSSL::safe::opt_versiontls_item = ""
+. "=item B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3>,\n"
+. "B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-tls1_3>\n"
+. "\n"
+. "See L.";
+
+# TLS/DTLS Version Options
+$OpenSSL::safe::opt_version_synopsis = ""
+. "$OpenSSL::safe::opt_versiontls_synopsis\n"
+. "[B<-dtls>]\n"
+. "[B<-dtls1>]\n"
+. "[B<-dtls1_2>]";
+$OpenSSL::safe::opt_version_item = "\n"
+. "$OpenSSL::safe::opt_versiontls_item\n"
+. "\n"
+. "=item B<-dtls>, B<-dtls1>, B<-dtls1_2>\n"
+. "\n"
+. "These specify the use of DTLS instead of TLS.\n"
+. "See L.";
+
 # SSL connection options.
 # TODO(3.0) Not currently used. The refactoring needs to be done, and
 # the options will probably be re-ordered.
diff --git a/util/dofile.pl b/util/dofile.pl
index 57243880d4..6d4ffa4abd 100644
--- a/util/dofile.pl
+++ b/util/dofile.pl
@@ -40,6 +40,14 @@ my @autowarntext = (
 . (scalar(@ARGV) > 0 ? " from " .join(", ", @ARGV) : "")
 );
+if (defined($opts{s})) {
+ local $/ = undef;
+ open VARS, $opts{s} or die "Couldn't open $opts{s}, $!";
+ my $contents = ;
+ close VARS;
+ eval $contents;
+ die $@ if $@;
+}
 die "Must have input files" if defined($opts{i}) and scalar(@ARGV) == 0;
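Review bot: `$OpenSSL::safe::opt_version_item = "\n"` opens with a newline while its sibling `opt_versiontls_item` and the existing `opt_trust_item` start from `""`; the templates that embed it in this commit (openssl-s_server.pod.in, openssl-s_client.pod.in) already appear to give the `{- … -}` placeholder a line of its own with blank lines around it, so the leading `\n` only yields a doubled blank line in the generated POD and should be `""` for consistency. Nothing says why two variants exist; a comment on the first group would help, e.g. `# *_synopsis is spliced into a command's SYNOPSIS, *_item into its OPTIONS list.` followed by `# The "versiontls" variant omits the DTLS options, for commands that only speak TLS (s_time).` The `-dtls` wording here, `These specify the use of DTLS instead of TLS.`, is correct, whereas the new item in the openssl.pod hunk that these `See L<...>` links presumably point to reads `DTLS instead of DLTS`; the two texts should agree, with this one's wording. Note also that `opt_versiontls_synopsis` lists the `-no_*` options before the positive ones, the reverse of the per-command synopses being removed; harmless, but presumably a deliberate choice worth confirming.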