|
|
b37108 |
diff --git a/cmd/ssltap/ssltap.c b/cmd/ssltap/ssltap.c
|
|
|
b37108 |
--- a/cmd/ssltap/ssltap.c
|
|
|
b37108 |
+++ b/cmd/ssltap/ssltap.c
|
|
|
b37108 |
@@ -398,16 +398,17 @@ const char * V2CipherString(int cs_int)
|
|
|
b37108 |
case 0x000098: cs_str = "TLS/DH-RSA/SEED-CBC/SHA"; break;
|
|
|
b37108 |
case 0x000099: cs_str = "TLS/DHE-DSS/SEED-CBC/SHA"; break;
|
|
|
b37108 |
case 0x00009A: cs_str = "TLS/DHE-RSA/SEED-CBC/SHA"; break;
|
|
|
b37108 |
case 0x00009B: cs_str = "TLS/DH-ANON/SEED-CBC/SHA"; break;
|
|
|
b37108 |
case 0x00009C: cs_str = "TLS/RSA/AES128-GCM/SHA256"; break;
|
|
|
b37108 |
case 0x00009E: cs_str = "TLS/DHE-RSA/AES128-GCM/SHA256"; break;
|
|
|
b37108 |
|
|
|
b37108 |
case 0x0000FF: cs_str = "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"; break;
|
|
|
b37108 |
+ case 0x005600: cs_str = "TLS_FALLBACK_SCSV"; break;
|
|
|
b37108 |
|
|
|
b37108 |
case 0x00C001: cs_str = "TLS/ECDH-ECDSA/NULL/SHA"; break;
|
|
|
b37108 |
case 0x00C002: cs_str = "TLS/ECDH-ECDSA/RC4-128/SHA"; break;
|
|
|
b37108 |
case 0x00C003: cs_str = "TLS/ECDH-ECDSA/3DES-EDE-CBC/SHA"; break;
|
|
|
b37108 |
case 0x00C004: cs_str = "TLS/ECDH-ECDSA/AES128-CBC/SHA"; break;
|
|
|
b37108 |
case 0x00C005: cs_str = "TLS/ECDH-ECDSA/AES256-CBC/SHA"; break;
|
|
|
b37108 |
case 0x00C006: cs_str = "TLS/ECDHE-ECDSA/NULL/SHA"; break;
|
|
|
b37108 |
case 0x00C007: cs_str = "TLS/ECDHE-ECDSA/RC4-128/SHA"; break;
|
|
|
b37108 |
diff --git a/cmd/tstclnt/tstclnt.c b/cmd/tstclnt/tstclnt.c
|
|
|
b37108 |
--- a/cmd/tstclnt/tstclnt.c
|
|
|
b37108 |
+++ b/cmd/tstclnt/tstclnt.c
|
|
|
b37108 |
@@ -175,17 +175,17 @@ handshakeCallback(PRFileDesc *fd, void *
|
|
|
b37108 |
}
|
|
|
b37108 |
}
|
|
|
b37108 |
|
|
|
b37108 |
static void PrintUsageHeader(const char *progName)
|
|
|
b37108 |
{
|
|
|
b37108 |
fprintf(stderr,
|
|
|
b37108 |
"Usage: %s -h host [-a 1st_hs_name ] [-a 2nd_hs_name ] [-p port]\n"
|
|
|
b37108 |
"[-d certdir] [-n nickname] [-Bafosvx] [-c ciphers] [-Y]\n"
|
|
|
b37108 |
- "[-V [min-version]:[max-version]] [-T]\n"
|
|
|
b37108 |
+ "[-V [min-version]:[max-version]] [-K] [-T]\n"
|
|
|
b37108 |
"[-r N] [-w passwd] [-W pwfile] [-q [-t seconds]]\n",
|
|
|
b37108 |
progName);
|
|
|
b37108 |
}
|
|
|
b37108 |
|
|
|
b37108 |
static void PrintParameterUsage(void)
|
|
|
b37108 |
{
|
|
|
b37108 |
fprintf(stderr, "%-20s Send different SNI name. 1st_hs_name - at first\n"
|
|
|
b37108 |
"%-20s handshake, 2nd_hs_name - at second handshake.\n"
|
|
|
b37108 |
@@ -201,16 +201,17 @@ static void PrintParameterUsage(void)
|
|
|
b37108 |
fprintf(stderr,
|
|
|
b37108 |
"%-20s Bypass PKCS11 layer for SSL encryption and MACing.\n", "-B");
|
|
|
b37108 |
fprintf(stderr,
|
|
|
b37108 |
"%-20s Restricts the set of enabled SSL/TLS protocols versions.\n"
|
|
|
b37108 |
"%-20s All versions are enabled by default.\n"
|
|
|
b37108 |
"%-20s Possible values for min/max: ssl2 ssl3 tls1.0 tls1.1 tls1.2\n"
|
|
|
b37108 |
"%-20s Example: \"-V ssl3:\" enables SSL 3 and newer.\n",
|
|
|
b37108 |
"-V [min]:[max]", "", "", "");
|
|
|
b37108 |
+ fprintf(stderr, "%-20s Send TLS_FALLBACK_SCSV\n", "-K");
|
|
|
b37108 |
fprintf(stderr, "%-20s Prints only payload data. Skips HTTP header.\n", "-S");
|
|
|
b37108 |
fprintf(stderr, "%-20s Client speaks first. \n", "-f");
|
|
|
b37108 |
fprintf(stderr, "%-20s Use synchronous certificate validation "
|
|
|
b37108 |
"(required for SSL2)\n", "-O");
|
|
|
b37108 |
fprintf(stderr, "%-20s Override bad server cert. Make it OK.\n", "-o");
|
|
|
b37108 |
fprintf(stderr, "%-20s Disable SSL socket locking.\n", "-s");
|
|
|
b37108 |
fprintf(stderr, "%-20s Verbose progress reporting.\n", "-v");
|
|
|
b37108 |
fprintf(stderr, "%-20s Use export policy.\n", "-x");
|
|
|
b37108 |
@@ -802,16 +803,17 @@ int main(int argc, char **argv)
|
|
|
b37108 |
PRBool enableSSL2 = PR_TRUE;
|
|
|
b37108 |
int bypassPKCS11 = 0;
|
|
|
b37108 |
int disableLocking = 0;
|
|
|
b37108 |
int useExportPolicy = 0;
|
|
|
b37108 |
int enableSessionTickets = 0;
|
|
|
b37108 |
int enableCompression = 0;
|
|
|
b37108 |
int enableFalseStart = 0;
|
|
|
b37108 |
int enableCertStatus = 0;
|
|
|
b37108 |
+ int forceFallbackSCSV = 0;
|
|
|
b37108 |
PRSocketOptionData opt;
|
|
|
b37108 |
PRNetAddr addr;
|
|
|
b37108 |
PRPollDesc pollset[2];
|
|
|
b37108 |
PRBool allowIPv4 = PR_TRUE;
|
|
|
b37108 |
PRBool allowIPv6 = PR_TRUE;
|
|
|
b37108 |
PRBool pingServerFirst = PR_FALSE;
|
|
|
b37108 |
int pingTimeoutSeconds = -1;
|
|
|
b37108 |
PRBool clientSpeaksFirst = PR_FALSE;
|
|
|
b37108 |
@@ -847,17 +849,17 @@ int main(int argc, char **argv)
|
|
|
b37108 |
if (sec > 0) {
|
|
|
b37108 |
maxInterval = PR_SecondsToInterval(sec);
|
|
|
b37108 |
}
|
|
|
b37108 |
}
|
|
|
b37108 |
|
|
|
b37108 |
SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledVersions);
|
|
|
b37108 |
|
|
|
b37108 |
optstate = PL_CreateOptState(argc, argv,
|
|
|
b37108 |
- "46BFM:OSTV:W:Ya:c:d:fgh:m:n:op:qr:st:uvw:xz");
|
|
|
b37108 |
+ "46BFKM:OSTV:W:Ya:c:d:fgh:m:n:op:qr:st:uvw:xz");
|
|
|
b37108 |
while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
|
|
|
b37108 |
switch (optstate->option) {
|
|
|
b37108 |
case '?':
|
|
|
b37108 |
default : Usage(progName); break;
|
|
|
b37108 |
|
|
|
b37108 |
case '4': allowIPv6 = PR_FALSE; if (!allowIPv4) Usage(progName); break;
|
|
|
b37108 |
case '6': allowIPv4 = PR_FALSE; if (!allowIPv6) Usage(progName); break;
|
|
|
b37108 |
|
|
|
b37108 |
@@ -869,16 +871,18 @@ int main(int argc, char **argv)
|
|
|
b37108 |
}
|
|
|
b37108 |
serverCertAuth.testFreshStatusFromSideChannel = PR_TRUE;
|
|
|
b37108 |
break;
|
|
|
b37108 |
|
|
|
b37108 |
case 'I': /* reserved for OCSP multi-stapling */ break;
|
|
|
b37108 |
|
|
|
b37108 |
case 'O': serverCertAuth.shouldPause = PR_FALSE; break;
|
|
|
b37108 |
|
|
|
b37108 |
+ case 'K': forceFallbackSCSV = PR_TRUE; break;
|
|
|
b37108 |
+
|
|
|
b37108 |
case 'M': switch (atoi(optstate->value)) {
|
|
|
b37108 |
case 1:
|
|
|
b37108 |
serverCertAuth.allowOCSPSideChannelData = PR_TRUE;
|
|
|
b37108 |
serverCertAuth.allowCRLSideChannelData = PR_FALSE;
|
|
|
b37108 |
break;
|
|
|
b37108 |
case 2:
|
|
|
b37108 |
serverCertAuth.allowOCSPSideChannelData = PR_FALSE;
|
|
|
b37108 |
serverCertAuth.allowCRLSideChannelData = PR_TRUE;
|
|
|
b37108 |
@@ -1213,16 +1216,24 @@ int main(int argc, char **argv)
|
|
|
b37108 |
|
|
|
b37108 |
/* enable false start. */
|
|
|
b37108 |
rv = SSL_OptionSet(s, SSL_ENABLE_FALSE_START, enableFalseStart);
|
|
|
b37108 |
if (rv != SECSuccess) {
|
|
|
b37108 |
SECU_PrintError(progName, "error enabling false start");
|
|
|
b37108 |
return 1;
|
|
|
b37108 |
}
|
|
|
b37108 |
|
|
|
b37108 |
+ if (forceFallbackSCSV) {
|
|
|
b37108 |
+ rv = SSL_OptionSet(s, SSL_ENABLE_FALLBACK_SCSV, PR_TRUE);
|
|
|
b37108 |
+ if (rv != SECSuccess) {
|
|
|
b37108 |
+ SECU_PrintError(progName, "error forcing fallback scsv");
|
|
|
b37108 |
+ return 1;
|
|
|
b37108 |
+ }
|
|
|
b37108 |
+ }
|
|
|
b37108 |
+
|
|
|
b37108 |
/* enable cert status (OCSP stapling). */
|
|
|
b37108 |
rv = SSL_OptionSet(s, SSL_ENABLE_OCSP_STAPLING, enableCertStatus);
|
|
|
b37108 |
if (rv != SECSuccess) {
|
|
|
b37108 |
SECU_PrintError(progName, "error enabling cert status (OCSP stapling)");
|
|
|
b37108 |
return 1;
|
|
|
b37108 |
}
|
|
|
b37108 |
|
|
|
b37108 |
SSL_SetPKCS11PinArg(s, &pwdata);
|