diff --git a/cmd/ssltap/ssltap.c b/cmd/ssltap/ssltap.c
--- a/cmd/ssltap/ssltap.c
+++ b/cmd/ssltap/ssltap.c
@@ -398,16 +398,17 @@ const char * V2CipherString(int cs_int)
case 0x000098: cs_str = "TLS/DH-RSA/SEED-CBC/SHA"; break;
case 0x000099: cs_str = "TLS/DHE-DSS/SEED-CBC/SHA"; break;
case 0x00009A: cs_str = "TLS/DHE-RSA/SEED-CBC/SHA"; break;
case 0x00009B: cs_str = "TLS/DH-ANON/SEED-CBC/SHA"; break;
case 0x00009C: cs_str = "TLS/RSA/AES128-GCM/SHA256"; break;
case 0x00009E: cs_str = "TLS/DHE-RSA/AES128-GCM/SHA256"; break;
case 0x0000FF: cs_str = "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"; break;
+ case 0x005600: cs_str = "TLS_FALLBACK_SCSV"; break;
case 0x00C001: cs_str = "TLS/ECDH-ECDSA/NULL/SHA"; break;
case 0x00C002: cs_str = "TLS/ECDH-ECDSA/RC4-128/SHA"; break;
case 0x00C003: cs_str = "TLS/ECDH-ECDSA/3DES-EDE-CBC/SHA"; break;
case 0x00C004: cs_str = "TLS/ECDH-ECDSA/AES128-CBC/SHA"; break;
case 0x00C005: cs_str = "TLS/ECDH-ECDSA/AES256-CBC/SHA"; break;
case 0x00C006: cs_str = "TLS/ECDHE-ECDSA/NULL/SHA"; break;
case 0x00C007: cs_str = "TLS/ECDHE-ECDSA/RC4-128/SHA"; break;
diff --git a/cmd/tstclnt/tstclnt.c b/cmd/tstclnt/tstclnt.c
--- a/cmd/tstclnt/tstclnt.c
+++ b/cmd/tstclnt/tstclnt.c
@@ -175,17 +175,17 @@ handshakeCallback(PRFileDesc *fd, void *
}
}
static void PrintUsageHeader(const char *progName)
{
fprintf(stderr,
"Usage: %s -h host [-a 1st_hs_name ] [-a 2nd_hs_name ] [-p port]\n"
"[-d certdir] [-n nickname] [-Bafosvx] [-c ciphers] [-Y]\n"
- "[-V [min-version]:[max-version]] [-T]\n"
+ "[-V [min-version]:[max-version]] [-K] [-T]\n"
"[-r N] [-w passwd] [-W pwfile] [-q [-t seconds]]\n",
progName);
}
static void PrintParameterUsage(void)
{
fprintf(stderr, "%-20s Send different SNI name. 1st_hs_name - at first\n"
"%-20s handshake, 2nd_hs_name - at second handshake.\n"
@@ -201,16 +201,17 @@ static void PrintParameterUsage(void)
fprintf(stderr,
"%-20s Bypass PKCS11 layer for SSL encryption and MACing.\n", "-B");
fprintf(stderr,
"%-20s Restricts the set of enabled SSL/TLS protocols versions.\n"
"%-20s All versions are enabled by default.\n"
"%-20s Possible values for min/max: ssl2 ssl3 tls1.0 tls1.1 tls1.2\n"
"%-20s Example: \"-V ssl3:\" enables SSL 3 and newer.\n",
"-V [min]:[max]", "", "", "");
+ fprintf(stderr, "%-20s Send TLS_FALLBACK_SCSV\n", "-K");
fprintf(stderr, "%-20s Prints only payload data. Skips HTTP header.\n", "-S");
fprintf(stderr, "%-20s Client speaks first. \n", "-f");
fprintf(stderr, "%-20s Use synchronous certificate validation "
"(required for SSL2)\n", "-O");
fprintf(stderr, "%-20s Override bad server cert. Make it OK.\n", "-o");
fprintf(stderr, "%-20s Disable SSL socket locking.\n", "-s");
fprintf(stderr, "%-20s Verbose progress reporting.\n", "-v");
fprintf(stderr, "%-20s Use export policy.\n", "-x");
@@ -802,16 +803,17 @@ int main(int argc, char **argv)
PRBool enableSSL2 = PR_TRUE;
int bypassPKCS11 = 0;
int disableLocking = 0;
int useExportPolicy = 0;
int enableSessionTickets = 0;
int enableCompression = 0;
int enableFalseStart = 0;
int enableCertStatus = 0;
+ int forceFallbackSCSV = 0;
PRSocketOptionData opt;
PRNetAddr addr;
PRPollDesc pollset[2];
PRBool allowIPv4 = PR_TRUE;
PRBool allowIPv6 = PR_TRUE;
PRBool pingServerFirst = PR_FALSE;
int pingTimeoutSeconds = -1;
PRBool clientSpeaksFirst = PR_FALSE;
@@ -847,17 +849,17 @@ int main(int argc, char **argv)
if (sec > 0) {
maxInterval = PR_SecondsToInterval(sec);
}
}
SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledVersions);
optstate = PL_CreateOptState(argc, argv,
- "46BFM:OSTV:W:Ya:c:d:fgh:m:n:op:qr:st:uvw:xz");
+ "46BFKM:OSTV:W:Ya:c:d:fgh:m:n:op:qr:st:uvw:xz");
while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
switch (optstate->option) {
case '?':
default : Usage(progName); break;
case '4': allowIPv6 = PR_FALSE; if (!allowIPv4) Usage(progName); break;
case '6': allowIPv4 = PR_FALSE; if (!allowIPv6) Usage(progName); break;
@@ -869,16 +871,18 @@ int main(int argc, char **argv)
}
serverCertAuth.testFreshStatusFromSideChannel = PR_TRUE;
break;
case 'I': /* reserved for OCSP multi-stapling */ break;
case 'O': serverCertAuth.shouldPause = PR_FALSE; break;
+ case 'K': forceFallbackSCSV = PR_TRUE; break;
+
case 'M': switch (atoi(optstate->value)) {
case 1:
serverCertAuth.allowOCSPSideChannelData = PR_TRUE;
serverCertAuth.allowCRLSideChannelData = PR_FALSE;
break;
case 2:
serverCertAuth.allowOCSPSideChannelData = PR_FALSE;
serverCertAuth.allowCRLSideChannelData = PR_TRUE;
@@ -1213,16 +1216,24 @@ int main(int argc, char **argv)
/* enable false start. */
rv = SSL_OptionSet(s, SSL_ENABLE_FALSE_START, enableFalseStart);
if (rv != SECSuccess) {
SECU_PrintError(progName, "error enabling false start");
return 1;
}
+ if (forceFallbackSCSV) {
+ rv = SSL_OptionSet(s, SSL_ENABLE_FALLBACK_SCSV, PR_TRUE);
+ if (rv != SECSuccess) {
+ SECU_PrintError(progName, "error forcing fallback scsv");
+ return 1;
+ }
+ }
+
/* enable cert status (OCSP stapling). */
rv = SSL_OptionSet(s, SSL_ENABLE_OCSP_STAPLING, enableCertStatus);
if (rv != SECSuccess) {
SECU_PrintError(progName, "error enabling cert status (OCSP stapling)");
return 1;
}
SSL_SetPKCS11PinArg(s, &pwdata);