diff options
| author | Matt Caswell <matt@openssl.org> | 2018-02-16 11:26:02 +0000 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2018-03-14 10:15:50 +0000 |
| commit | f865b08143b453962ad4afccd69e698d13c60f77 (patch) | |
| tree | 9d1a2ae3fabc63589815a2426456417ec1d14f33 /test/ssltest_old.c | |
| parent | 5b68d1792021463b7cd5d76c82b251d61a56d869 (diff) | |
| download | openssl-f865b08143b453962ad4afccd69e698d13c60f77.tar.gz | |
Split configuration of TLSv1.3 ciphers from older ciphers
With the current mechanism, old cipher strings that used to work in 1.1.0,
may inadvertently disable all TLSv1.3 ciphersuites causing connections to
fail. This is confusing for users.
In reality TLSv1.3 are quite different to older ciphers. They are much
simpler and there are only a small number of them so, arguably, they don't
need the same level of control that the older ciphers have.
This change splits the configuration of TLSv1.3 ciphers from older ones.
By default the TLSv1.3 ciphers are on, so you cannot inadvertently disable
them through your existing config.
Fixes #5359
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5392)
Diffstat (limited to 'test/ssltest_old.c')
| -rw-r--r-- | test/ssltest_old.c | 17 |
1 files changed, 15 insertions, 2 deletions
diff --git a/test/ssltest_old.c b/test/ssltest_old.c index 349d30a325..7d31d368c7 100644 --- a/test/ssltest_old.c +++ b/test/ssltest_old.c @@ -612,6 +612,7 @@ static int custom_ext_3_srv_add_cb(SSL *s, unsigned int ext_type, } static char *cipher = NULL; +static char *ciphersuites = NULL; static int verbose = 0; static int debug = 0; @@ -671,7 +672,8 @@ static void sv_usage(void) fprintf(stderr, " -c_cert arg - Client certificate file\n"); fprintf(stderr, " -c_key arg - Client key file (default: same as -c_cert)\n"); - fprintf(stderr, " -cipher arg - The cipher list\n"); + fprintf(stderr, " -cipher arg - The TLSv1.2 and below cipher list\n"); + fprintf(stderr, " -ciphersuites arg - The TLSv1.3 ciphersuites\n"); fprintf(stderr, " -bio_pair - Use BIO pairs\n"); fprintf(stderr, " -ipv4 - Use IPv4 connection on localhost\n"); fprintf(stderr, " -ipv6 - Use IPv6 connection on localhost\n"); @@ -918,7 +920,6 @@ int main(int argc, char *argv[]) verbose = 0; debug = 0; - cipher = 0; bio_err = BIO_new_fp(stderr, BIO_NOCLOSE | BIO_FP_TEXT); @@ -1046,6 +1047,10 @@ int main(int argc, char *argv[]) if (--argc < 1) goto bad; cipher = *(++argv); + } else if (strcmp(*argv, "-ciphersuites") == 0) { + if (--argc < 1) + goto bad; + ciphersuites = *(++argv); } else if (strcmp(*argv, "-CApath") == 0) { if (--argc < 1) goto bad; @@ -1377,6 +1382,14 @@ int main(int argc, char *argv[]) goto end; } } + if (ciphersuites != NULL) { + if (!SSL_CTX_set_ciphersuites(c_ctx, ciphersuites) + || !SSL_CTX_set_ciphersuites(s_ctx, ciphersuites) + || !SSL_CTX_set_ciphersuites(s_ctx2, ciphersuites)) { + ERR_print_errors(bio_err); + goto end; + } + } #ifndef OPENSSL_NO_CT if (ct_validation && |