The branch master has been updated via f9e57a28886fe29bc49d3c89a1cc4e53ee4896d6 (commit) via 7757a90e263da73542f9b12c4061af81812367bf (commit) from 320408382046db015c9a9cc04ae91c2bcd0e5c4c (commit)
- Log -----------------------------------------------------------------
commit f9e57a28886fe29bc49d3c89a1cc4e53ee4896d6
Author: raja-ashok <rashok.s...@gmail.com>
Date: Thu Sep 19 16:42:42 2019 +0530
Update new TLS version options to s_time man page
Reviewed-by: Paul Yang <kaishen...@antfin.com>
Reviewed-by: Matt Caswell <m...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9947)
commit 7757a90e263da73542f9b12c4061af81812367bf
Author: raja-ashok <rashok.s...@gmail.com>
Date: Thu Sep 19 16:07:21 2019 +0530
Add TLS version options to s_time
Reviewed-by: Paul Yang <kaishen...@antfin.com>
Reviewed-by: Matt Caswell <m...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9947)
-----------------------------------------------------------------------
Summary of changes:
 apps/s_time.c | 35 +++++++++++++++++++++++++++++++++--
 doc/man1/openssl-s_time.pod | 22 ++++++++++------------
 2 files changed, 43 insertions(+), 14 deletions(-)
diff --git a/apps/s_time.c b/apps/s_time.c
index 39e3d4bb48..f6dbfa0462 100644
--- a/apps/s_time.c
+++ b/apps/s_time.c
@@ -47,7 +47,7 @@ typedef enum OPTION_choice { OPT_CONNECT, OPT_CIPHER, OPT_CIPHERSUITES, OPT_CERT, OPT_NAMEOPT, OPT_KEY, OPT_CAPATH, OPT_CAFILE, OPT_NOCAPATH, OPT_NOCAFILE, OPT_NEW, OPT_REUSE, OPT_BUGS, OPT_VERIFY, OPT_TIME, OPT_SSL3,
- OPT_WWW
+ OPT_WWW, OPT_TLS1, OPT_TLS1_1, OPT_TLS1_2, OPT_TLS1_3
 } OPTION_CHOICE;
 const OPTIONS s_time_options[] = {
@@ -75,6 +75,18 @@ const OPTIONS s_time_options[] = {
 {"www", OPT_WWW, 's', "Fetch specified page from the site"},
 #ifndef OPENSSL_NO_SSL3
 {"ssl3", OPT_SSL3, '-', "Just use SSLv3"},
+#endif
+#ifndef OPENSSL_NO_TLS1
+ {"tls1", OPT_TLS1, '-', "Just use TLSv1.0"},
+#endif
+#ifndef OPENSSL_NO_TLS1_1
+ {"tls1_1", OPT_TLS1_1, '-', "Just use TLSv1.1"},
+#endif
+#ifndef OPENSSL_NO_TLS1_2
+ {"tls1_2", OPT_TLS1_2, '-', "Just use TLSv1.2"},
+#endif
+#ifndef OPENSSL_NO_TLS1_3
+ {"tls1_3", OPT_TLS1_3, '-', "Just use TLSv1.3"},
 #endif
 {NULL}
 };
@@ -101,7 +113,7 @@ int s_time_main(int argc, char **argv)
 int maxtime = SECONDS, nConn = 0, perform = 3, ret = 1, i, st_bugs = 0;
 long bytes_read = 0, finishtime = 0;
 OPTION_CHOICE o;
- int max_version = 0, ver, buf_len;
+ int min_version = 0, max_version = 0, ver, buf_len;
 size_t buf_size;
 meth = TLS_client_method();
@@ -177,8 +189,25 @@ int s_time_main(int argc, char **argv)
 }
 break;
 case OPT_SSL3:
+ min_version = SSL3_VERSION;
 max_version = SSL3_VERSION;
 break;
+ case OPT_TLS1:
+ min_version = TLS1_VERSION;
+ max_version = TLS1_VERSION;
+ break;
+ case OPT_TLS1_1:
+ min_version = TLS1_1_VERSION;
+ max_version = TLS1_1_VERSION;
+ break;
+ case OPT_TLS1_2:
+ min_version = TLS1_2_VERSION;
+ max_version = TLS1_2_VERSION;
+ break;
+ case OPT_TLS1_3:
+ min_version = TLS1_3_VERSION;
+ max_version = TLS1_3_VERSION;
+ break;
 }
 }
 argc = opt_num_rest();
@@ -193,6 +222,8 @@ int s_time_main(int argc, char **argv)
 SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
 SSL_CTX_set_quiet_shutdown(ctx, 1);
+ if (SSL_CTX_set_min_proto_version(ctx, min_version) == 0)
+ goto end;
 if (SSL_CTX_set_max_proto_version(ctx, max_version) == 0)
 goto end;
diff --git a/doc/man1/openssl-s_time.pod b/doc/man1/openssl-s_time.pod
index 8a4f89fbc9..5993cd27fe 100644
--- a/doc/man1/openssl-s_time.pod
+++ b/doc/man1/openssl-s_time.pod
@@ -22,6 +22,10 @@ B<openssl> B<s_time>
 [B<-nameopt option>]
 [B<-time seconds>]
 [B<-ssl3>]
+[B<-tls1>]
+[B<-tls1_1>]
+[B<-tls1_2>]
+[B<-tls1_3>]
 [B<-bugs>]
 [B<-cipher cipherlist>]
 [B<-ciphersuites val>]
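Review bot: The five new `case OPT_TLS1*` arms and the extended `case OPT_SSL3` each pin `min_version` and `max_version` to one constant without a comment, and neither this hunk nor the man page text says what happens when several version options are given; as written the last one on the command line silently wins (`-tls1_2 -tls1_3` pins TLSv1.3). A one-line comment above `case OPT_SSL3:` such as `/* each version option pins both bounds; the last one given wins */` would record that, and each pair could collapse to `min_version = max_version = TLS1_VERSION;` so the arms stay two lines each. The enclosing switch and s_time_main both start and end outside the hunk.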
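Review bot: The new `SSL_CTX_set_min_proto_version` check jumps to `end` without reporting why, copying the existing max-version check below it; if the `end:` path does not print the error queue (it is outside the hunk), a rejected `min_version` leaves the user with only an exit status of 1 and no explanation. Adding `ERR_print_errors(bio_err);` before each `goto end;` (or a short `BIO_printf(bio_err, ...)` naming the version that was refused) would surface the cause for both checks. s_time_main continues past the end of the hunk.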
@@ -109,19 +113,13 @@ Performs the timing test using the same session ID; this can be used as a test that session caching is working. If neither B<-new> nor B<-reuse> are specified, they are both on by default and executed in sequence.
-=item B<-ssl3>
+=item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-tls1_3>
-This option disables the use of SSL version 3. By default
-the initial handshake uses a method which should be compatible with all
-servers and permit them to use SSL v3 or TLS as appropriate.
-
-The timing program is not as rich in options to turn protocols on and off as
-the L<s_client(1)> program and may not connect to all servers.
-Unfortunately there are a lot of ancient and broken servers in use which
-cannot handle this technique and will fail to connect. Some servers only
-work if TLS is turned off with the B<-ssl3> option.
-
-Note that this option may not be available, depending on how
+These options enable specific SSL or TLS protocol versions for the handshake
+initiated by B<s_time>.
+By default B<s_time> negotiates the highest mutually supported protocol
+version.
+Note that not all protocols and flags may be available, depending on how
 OpenSSL was built.
 =item B<-bugs>