diff --git a/apps/s_client.c b/apps/s_client.c index d8c66dce0ebbdd17070cba02a945e67ea1bc148f..48e9b82d5c908a65c933136c4830368ad8a784d4 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -555,7 +555,7 @@ typedef enum OPTION_choice { #ifndef OPENSSL_NO_CT OPT_CT, OPT_NOCT, OPT_CTLOG_FILE, #endif - OPT_DANE_TLSA_RRDATA + OPT_DANE_TLSA_RRDATA, OPT_DANE_EE_NO_NAME, } OPTION_CHOICE; OPTIONS s_client_options[] = { @@ -589,6 +589,8 @@ OPTIONS s_client_options[] = { {"dane_tlsa_domain", OPT_DANE_TLSA_DOMAIN, 's', "DANE TLSA base domain"}, {"dane_tlsa_rrdata", OPT_DANE_TLSA_RRDATA, 's', "DANE TLSA rrdata presentation form"}, + {"dane_ee_no_namechecks", OPT_DANE_EE_NO_NAME, '-', + "Disable name checks when matching DANE-EE(3) TLSA records"}, {"reconnect", OPT_RECONNECT, '-', "Drop and re-make the connection with the same Session-ID"}, {"showcerts", OPT_SHOWCERTS, '-', "Show all certificates in the chain"}, @@ -783,6 +785,7 @@ int s_client_main(int argc, char **argv) STACK_OF(OPENSSL_STRING) *ssl_args = NULL; char *dane_tlsa_domain = NULL; STACK_OF(OPENSSL_STRING) *dane_tlsa_rrset = NULL; + int dane_ee_no_name = 0; STACK_OF(X509_CRL) *crls = NULL; const SSL_METHOD *meth = TLS_client_method(); const char *CApath = NULL, *CAfile = NULL; @@ -1257,6 +1260,9 @@ int s_client_main(int argc, char **argv) goto end; } break; + case OPT_DANE_EE_NO_NAME: + dane_ee_no_name = 1; + break; case OPT_NEXTPROTONEG: #ifndef OPENSSL_NO_NEXTPROTONEG next_proto_neg_in = opt_arg(); @@ -1701,6 +1707,8 @@ int s_client_main(int argc, char **argv) "records.\n", prog); goto end; } + if (dane_ee_no_name) + SSL_dane_set_flags(con, DANE_FLAG_NO_DANE_EE_NAMECHECKS); } else if (dane_tlsa_rrset != NULL) { BIO_printf(bio_err, "%s: DANE TLSA authentication requires the " "-dane_tlsa_domain option.\n", prog); diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod index 4ed032ca3287ef00cd6436affed5bc856eeeb781..11b4a9819585293d2f0c72c4612158f7bea5df33 100644 --- a/doc/apps/s_client.pod +++ b/doc/apps/s_client.pod @@ -24,6 +24,7 @@ B B [B<-no-CApath>] [B<-dane_tlsa_domain domain>] [B<-dane_tlsa_rrdata rrdata>] +[B<-dane_ee_no_namechecks>] [B<-attime timestamp>] [B<-check_ss_sig>] [B<-crl_check>] @@ -225,6 +226,24 @@ whitespace is ignored in the associated data field. For example: DANE TLSA 2 1 1 ...ee12d2cc90180517616e8a18 matched TA certificate at depth 1 ... +=item B<-dane_ee_no_namechecks> + +This disables server name checks when authenticating via DANE-EE(3) TLSA +records. +For some applications, primarily web browsers, it is not safe to disable name +checks due to "unknown key share" attacks, in which a malicious server can +convince a client that a connection to a victim server is instead a secure +connection to the malicious server. +The malicious server may then be able to violate cross-origin scripting +restrictions. +Thus, despite the text of RFC7671, name checks are by default enabled for +DANE-EE(3) TLSA records, and can be disabled in applications where it is safe +to do so. +In particular, SMTP and XMPP clients should set this option as SRV and MX +records already make it possible for a remote domain to redirect client +connections to any server of its choice, and in any case SMTP and XMPP clients +do not execute scripts downloaded from remote servers. + =item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>, B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>, B<-inhibit_map>, B<-no_alt_chains>, B<-no_check_time>, B<-partial_chain>, B<-policy>,