提交 32eabe34 编写于 作者: A A J Mohan Rao 提交者: Rich Salz

GH646: Update help for s_server command.

    * added missing help option messages
    * ecdh_single option is removed as it is a no-op and not an option
    supported in earlier versions
    * ssl_ctx_security_debug() was invoked before ctx check for NULL
    * trusted_first option can be removed, as it is always enabled in 1.1.
    But not removed the option, require confirmation.
Signed-off-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>
上级 35d8fa56
...@@ -192,32 +192,47 @@ void wait_for_async(SSL *s); ...@@ -192,32 +192,47 @@ void wait_for_async(SSL *s);
OPT_V__LAST OPT_V__LAST
# define OPT_V_OPTIONS \ # define OPT_V_OPTIONS \
{ "policy", OPT_V_POLICY, 's' }, \ { "policy", OPT_V_POLICY, 's', "adds policy to the acceptable policy set"}, \
{ "purpose", OPT_V_PURPOSE, 's' }, \ { "purpose", OPT_V_PURPOSE, 's', \
{ "verify_name", OPT_V_VERIFY_NAME, 's' }, \ "Set the acceptable purpose of the certificate chain"}, \
{ "verify_depth", OPT_V_VERIFY_DEPTH, 'p' }, \ { "verify_name", OPT_V_VERIFY_NAME, 's', "verify name"}, \
{ "attime", OPT_V_ATTIME, 'M' }, \ { "verify_depth", OPT_V_VERIFY_DEPTH, 'p', \
{ "verify_hostname", OPT_V_VERIFY_HOSTNAME, 's' }, \ "Limit the maximum depth of the certificate chain"}, \
{ "verify_email", OPT_V_VERIFY_EMAIL, 's' }, \ { "attime", OPT_V_ATTIME, 'M', "Set the verification time" }, \
{ "verify_ip", OPT_V_VERIFY_IP, 's' }, \ { "verify_hostname", OPT_V_VERIFY_HOSTNAME, 's', \
{ "ignore_critical", OPT_V_IGNORE_CRITICAL, '-' }, \ "check peer certificate matches \"host\"" }, \
{ "issuer_checks", OPT_V_ISSUER_CHECKS, '-' }, \ { "verify_email", OPT_V_VERIFY_EMAIL, 's', \
"check peer certificate matches \"email\"" }, \
{ "verify_ip", OPT_V_VERIFY_IP, 's', \
"check peer certificate matches \"ipaddr\"" }, \
{ "ignore_critical", OPT_V_IGNORE_CRITICAL, '-', \
"Disable critical extension checking"}, \
{ "issuer_checks", OPT_V_ISSUER_CHECKS, '-', \
"Enable debugging of certificate issuer checks"}, \
{ "crl_check", OPT_V_CRL_CHECK, '-', "Check that peer cert has not been revoked" }, \ { "crl_check", OPT_V_CRL_CHECK, '-', "Check that peer cert has not been revoked" }, \
{ "crl_check_all", OPT_V_CRL_CHECK_ALL, '-', "Also check all certs in the chain" }, \ { "crl_check_all", OPT_V_CRL_CHECK_ALL, '-', "Also check all certs in the chain" }, \
{ "policy_check", OPT_V_POLICY_CHECK, '-' }, \ { "policy_check", OPT_V_POLICY_CHECK, '-', "Enable certificate policy checking"}, \
{ "explicit_policy", OPT_V_EXPLICIT_POLICY, '-' }, \ { "explicit_policy", OPT_V_EXPLICIT_POLICY, '-', "Set the \"require explicit policy\""}, \
{ "inhibit_any", OPT_V_INHIBIT_ANY, '-' }, \ { "inhibit_any", OPT_V_INHIBIT_ANY, '-', "Set the \"inhibit any policy\"\""}, \
{ "inhibit_map", OPT_V_INHIBIT_MAP, '-' }, \ { "inhibit_map", OPT_V_INHIBIT_MAP, '-', "Set the \"inhibit policy mapping\"" }, \
{ "x509_strict", OPT_V_X509_STRICT, '-' }, \ { "x509_strict", OPT_V_X509_STRICT, '-', \
{ "extended_crl", OPT_V_EXTENDED_CRL, '-' }, \ "Strictly apply X509 rules in verification"}, \
{ "use_deltas", OPT_V_USE_DELTAS, '-' }, \ { "extended_crl", OPT_V_EXTENDED_CRL, '-', \
{ "policy_print", OPT_V_POLICY_PRINT, '-' }, \ "Enable extended CRL features such as indirect CRLs, alternate CRL signing keys"}, \
{ "check_ss_sig", OPT_V_CHECK_SS_SIG, '-' }, \ { "use_deltas", OPT_V_USE_DELTAS, '-', \
{ "trusted_first", OPT_V_TRUSTED_FIRST, '-', "Use locally-trusted CA's first in building chain" }, \ "Enable indirect CRLs and CRLs signed by different keys"}, \
{ "suiteB_128_only", OPT_V_SUITEB_128_ONLY, '-' }, \ { "policy_print", OPT_V_POLICY_PRINT, '-', "Notify callback that policy is OK"}, \
{ "suiteB_128", OPT_V_SUITEB_128, '-' }, \ { "check_ss_sig", OPT_V_CHECK_SS_SIG, '-', \
{ "suiteB_192", OPT_V_SUITEB_192, '-' }, \ "Enable checking of the root CA self signed certificate signature"}, \
{ "partial_chain", OPT_V_PARTIAL_CHAIN, '-' }, \ { "trusted_first", OPT_V_TRUSTED_FIRST, '-', \
"Use locally-trusted CA's first in building chain (enabled by default)" }, \
{ "suiteB_128_only", OPT_V_SUITEB_128_ONLY, '-', "Suite B 128 bit only mode"}, \
{ "suiteB_128", OPT_V_SUITEB_128, '-', \
"Suite B 128 bit mode allowing 192 bit algorithms"}, \
{ "suiteB_192", OPT_V_SUITEB_192, '-', "Suite B 192 bit only mode" }, \
{ "partial_chain", OPT_V_PARTIAL_CHAIN, '-', \
"verification succeeds even if a complete chain cannot be built, "}, \
{OPT_MORE_STR, 0, 0, "provided a chain to a trusted certificate can be constructed"}, \
{ "no_alt_chains", OPT_V_NO_ALT_CHAINS, '-', "Only use the first cert chain found" }, \ { "no_alt_chains", OPT_V_NO_ALT_CHAINS, '-', "Only use the first cert chain found" }, \
{ "no_check_time", OPT_V_NO_CHECK_TIME, '-', "Do not check validity against current time" } { "no_check_time", OPT_V_NO_CHECK_TIME, '-', "Do not check validity against current time" }
...@@ -262,12 +277,15 @@ void wait_for_async(SSL *s); ...@@ -262,12 +277,15 @@ void wait_for_async(SSL *s);
OPT_X__LAST OPT_X__LAST
# define OPT_X_OPTIONS \ # define OPT_X_OPTIONS \
{ "xkey", OPT_X_KEY, '<' }, \ { "xkey", OPT_X_KEY, '<', "key for Extended certificates"}, \
{ "xcert", OPT_X_CERT, '<' }, \ { "xcert", OPT_X_CERT, '<', "cert for Extended certificates"}, \
{ "xchain", OPT_X_CHAIN, '<' }, \ { "xchain", OPT_X_CHAIN, '<', "chain for Extended certificates"}, \
{ "xchain_build", OPT_X_CHAIN_BUILD, '-' }, \ { "xchain_build", OPT_X_CHAIN_BUILD, '-', \
{ "xcertform", OPT_X_CERTFORM, 'F' }, \ "build certificate chain for the extended certificates"}, \
{ "xkeyform", OPT_X_KEYFORM, 'F' } { "xcertform", OPT_X_CERTFORM, 'F', \
"format of Extended certificate (PEM or DER) PEM default " }, \
{ "xkeyform", OPT_X_KEYFORM, 'F', \
"format of Exnteded certificate's key (PEM or DER) PEM default"}
# define OPT_X_CASES \ # define OPT_X_CASES \
OPT_X__FIRST: case OPT_X__LAST: break; \ OPT_X__FIRST: case OPT_X__LAST: break; \
...@@ -285,7 +303,7 @@ void wait_for_async(SSL *s); ...@@ -285,7 +303,7 @@ void wait_for_async(SSL *s);
# define OPT_S_ENUM \ # define OPT_S_ENUM \
OPT_S__FIRST=3000, \ OPT_S__FIRST=3000, \
OPT_S_NOSSL3, OPT_S_NOTLS1, OPT_S_NOTLS1_1, OPT_S_NOTLS1_2, \ OPT_S_NOSSL3, OPT_S_NOTLS1, OPT_S_NOTLS1_1, OPT_S_NOTLS1_2, \
OPT_S_BUGS, OPT_S_NO_COMP, OPT_S_ECDHSINGLE, OPT_S_NOTICKET, \ OPT_S_BUGS, OPT_S_NO_COMP, OPT_S_NOTICKET, \
OPT_S_SERVERPREF, OPT_S_LEGACYRENEG, OPT_S_LEGACYCONN, \ OPT_S_SERVERPREF, OPT_S_LEGACYRENEG, OPT_S_LEGACYCONN, \
OPT_S_ONRESUMP, OPT_S_NOLEGACYCONN, OPT_S_STRICT, OPT_S_SIGALGS, \ OPT_S_ONRESUMP, OPT_S_NOLEGACYCONN, OPT_S_STRICT, OPT_S_SIGALGS, \
OPT_S_CLIENTSIGALGS, OPT_S_CURVES, OPT_S_NAMEDCURVE, OPT_S_CIPHER, \ OPT_S_CLIENTSIGALGS, OPT_S_CURVES, OPT_S_NAMEDCURVE, OPT_S_CIPHER, \
...@@ -293,21 +311,26 @@ void wait_for_async(SSL *s); ...@@ -293,21 +311,26 @@ void wait_for_async(SSL *s);
OPT_S__LAST OPT_S__LAST
# define OPT_S_OPTIONS \ # define OPT_S_OPTIONS \
{"no_ssl3", OPT_S_NOSSL3, '-' }, \ {"no_ssl3", OPT_S_NOSSL3, '-',"Just disable SSLv3" }, \
{"no_tls1", OPT_S_NOTLS1, '-' }, \ {"no_tls1", OPT_S_NOTLS1, '-', "Just disable TLSv1"}, \
{"no_tls1_1", OPT_S_NOTLS1_1, '-' }, \ {"no_tls1_1", OPT_S_NOTLS1_1, '-', "Just disable TLSv1.1" }, \
{"no_tls1_2", OPT_S_NOTLS1_2, '-' }, \ {"no_tls1_2", OPT_S_NOTLS1_2, '-', "Just disable TLSv1.2"}, \
{"bugs", OPT_S_BUGS, '-' }, \ {"bugs", OPT_S_BUGS, '-', "Turn on SSL bug compatibility"}, \
{"no_comp", OPT_S_NO_COMP, '-', "Disable SSL/TLS compression (default)" }, \ {"no_comp", OPT_S_NO_COMP, '-', "Disable SSL/TLS compression (default)" }, \
{"comp", OPT_S_COMP, '-', "Use SSL/TLS-level compression" }, \ {"comp", OPT_S_COMP, '-', "Use SSL/TLS-level compression" }, \
{"ecdh_single", OPT_S_ECDHSINGLE, '-' }, \ {"no_ticket", OPT_S_NOTICKET, '-', \
{"no_ticket", OPT_S_NOTICKET, '-' }, \ "Disable use of TLS session tickets"}, \
{"serverpref", OPT_S_SERVERPREF, '-' }, \ {"serverpref", OPT_S_SERVERPREF, '-', "Use server's cipher preferences"}, \
{"legacy_renegotiation", OPT_S_LEGACYRENEG, '-' }, \ {"legacy_renegotiation", OPT_S_LEGACYRENEG, '-', \
{"legacy_server_connect", OPT_S_LEGACYCONN, '-' }, \ "Enable use of legacy renegotiation (dangerous)"}, \
{"no_resumption_on_reneg", OPT_S_ONRESUMP, '-' }, \ {"legacy_server_connect", OPT_S_LEGACYCONN, '-', \
{"no_legacy_server_connect", OPT_S_NOLEGACYCONN, '-' }, \ "Allow initial connection to servers that don't support RI"}, \
{"strict", OPT_S_STRICT, '-' }, \ {"no_resumption_on_reneg", OPT_S_ONRESUMP, '-', \
"Disallow session resumption on renegotiation"}, \
{"no_legacy_server_connect", OPT_S_NOLEGACYCONN, '-', \
"Disallow initial connection to servers that don't support RI"}, \
{"strict", OPT_S_STRICT, '-', \
"Enforce strict certificate checks as per TLS standard"}, \
{"sigalgs", OPT_S_SIGALGS, 's', \ {"sigalgs", OPT_S_SIGALGS, 's', \
"Signature algorithms to support (colon-separated list)" }, \ "Signature algorithms to support (colon-separated list)" }, \
{"client_sigalgs", OPT_S_CLIENTSIGALGS, 's', \ {"client_sigalgs", OPT_S_CLIENTSIGALGS, 's', \
...@@ -317,9 +340,11 @@ void wait_for_async(SSL *s); ...@@ -317,9 +340,11 @@ void wait_for_async(SSL *s);
"Elliptic curves to advertise (colon-separated list)" }, \ "Elliptic curves to advertise (colon-separated list)" }, \
{"named_curve", OPT_S_NAMEDCURVE, 's', \ {"named_curve", OPT_S_NAMEDCURVE, 's', \
"Elliptic curve used for ECDHE (server-side only)" }, \ "Elliptic curve used for ECDHE (server-side only)" }, \
{"cipher", OPT_S_CIPHER, 's', }, \ {"cipher", OPT_S_CIPHER, 's', "Specify cipher list to be used"}, \
{"dhparam", OPT_S_DHPARAM, '<' }, \ {"dhparam", OPT_S_DHPARAM, '<', \
{"debug_broken_protocol", OPT_S_DEBUGBROKE, '-' } "DH parameter file to use, in cert file if not specified"}, \
{"debug_broken_protocol", OPT_S_DEBUGBROKE, '-', \
"Perform all sorts of protocol violations for testing purposes"}
# define OPT_S_CASES \ # define OPT_S_CASES \
OPT_S__FIRST: case OPT_S__LAST: break; \ OPT_S__FIRST: case OPT_S__LAST: break; \
...@@ -330,7 +355,6 @@ void wait_for_async(SSL *s); ...@@ -330,7 +355,6 @@ void wait_for_async(SSL *s);
case OPT_S_BUGS: \ case OPT_S_BUGS: \
case OPT_S_NO_COMP: \ case OPT_S_NO_COMP: \
case OPT_S_COMP: \ case OPT_S_COMP: \
case OPT_S_ECDHSINGLE: \
case OPT_S_NOTICKET: \ case OPT_S_NOTICKET: \
case OPT_S_SERVERPREF: \ case OPT_S_SERVERPREF: \
case OPT_S_LEGACYRENEG: \ case OPT_S_LEGACYRENEG: \
......
...@@ -823,15 +823,18 @@ typedef enum OPTION_choice { ...@@ -823,15 +823,18 @@ typedef enum OPTION_choice {
OPTIONS s_server_options[] = { OPTIONS s_server_options[] = {
{"help", OPT_HELP, '-', "Display this summary"}, {"help", OPT_HELP, '-', "Display this summary"},
{"port", OPT_PORT, 'p'}, {"port", OPT_PORT, 'p',
"TCP/IP port to listen on for connections (default is " PORT ")"},
{"accept", OPT_ACCEPT, 's', {"accept", OPT_ACCEPT, 's',
"TCP/IP port or service to accept on (default is " PORT ")"}, "TCP/IP optional host and port to accept on (default is " PORT ")"},
#ifdef AF_UNIX #ifdef AF_UNIX
{"unix", OPT_UNIX, 's', "Unix domain socket to accept on"}, {"unix", OPT_UNIX, 's', "Unix domain socket to accept on"},
#endif #endif
{"4", OPT_4, '-', "Use IPv4 only"}, {"4", OPT_4, '-', "Use IPv4 only"},
{"6", OPT_6, '-', "Use IPv6 only"}, {"6", OPT_6, '-', "Use IPv6 only"},
#ifdef AF_UNIX
{"unlink", OPT_UNLINK, '-', "For -unix, unlink existing socket first"}, {"unlink", OPT_UNLINK, '-', "For -unix, unlink existing socket first"},
#endif
{"context", OPT_CONTEXT, 's', "Set session ID context"}, {"context", OPT_CONTEXT, 's', "Set session ID context"},
{"verify", OPT_VERIFY, 'n', "Turn on peer certificate verification"}, {"verify", OPT_VERIFY, 'n', "Turn on peer certificate verification"},
{"Verify", OPT_UPPER_V_VERIFY, 'n', {"Verify", OPT_UPPER_V_VERIFY, 'n',
...@@ -860,7 +863,8 @@ OPTIONS s_server_options[] = { ...@@ -860,7 +863,8 @@ OPTIONS s_server_options[] = {
{"crlf", OPT_CRLF, '-', "Convert LF from terminal into CRLF"}, {"crlf", OPT_CRLF, '-', "Convert LF from terminal into CRLF"},
{"debug", OPT_DEBUG, '-', "Print more output"}, {"debug", OPT_DEBUG, '-', "Print more output"},
{"msg", OPT_MSG, '-', "Show protocol messages"}, {"msg", OPT_MSG, '-', "Show protocol messages"},
{"msgfile", OPT_MSGFILE, '>'}, {"msgfile", OPT_MSGFILE, '>',
"File to send output of -msg or -trace, instead of stdout"},
{"state", OPT_STATE, '-', "Print the SSL states"}, {"state", OPT_STATE, '-', "Print the SSL states"},
{"CAfile", OPT_CAFILE, '<', "PEM format file of CA's"}, {"CAfile", OPT_CAFILE, '<', "PEM format file of CA's"},
{"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"}, {"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"},
...@@ -893,33 +897,52 @@ OPTIONS s_server_options[] = { ...@@ -893,33 +897,52 @@ OPTIONS s_server_options[] = {
"Export keying material using label"}, "Export keying material using label"},
{"keymatexportlen", OPT_KEYMATEXPORTLEN, 'p', {"keymatexportlen", OPT_KEYMATEXPORTLEN, 'p',
"Export len bytes of keying material (default 20)"}, "Export len bytes of keying material (default 20)"},
{"CRL", OPT_CRL, '<'}, {"CRL", OPT_CRL, '<', "CRL file to use"},
{"crl_download", OPT_CRL_DOWNLOAD, '-'}, {"crl_download", OPT_CRL_DOWNLOAD, '-',
{"cert_chain", OPT_CERT_CHAIN, '<'}, "Download CRL from distribution points"},
{"dcert_chain", OPT_DCERT_CHAIN, '<'}, {"cert_chain", OPT_CERT_CHAIN, '<',
{"chainCApath", OPT_CHAINCAPATH, '/'}, "certificate chain file in PEM format"},
{"verifyCApath", OPT_VERIFYCAPATH, '/'}, {"dcert_chain", OPT_DCERT_CHAIN, '<',
{"no_cache", OPT_NO_CACHE, '-'}, "second certificate chain file in PEM format"},
{"ext_cache", OPT_EXT_CACHE, '-'}, {"chainCApath", OPT_CHAINCAPATH, '/',
{"CRLform", OPT_CRLFORM, 'F'}, "use dir as certificate store path to build CA certificate chain"},
{"verify_return_error", OPT_VERIFY_RET_ERROR, '-'}, {"verifyCApath", OPT_VERIFYCAPATH, '/',
{"verify_quiet", OPT_VERIFY_QUIET, '-'}, "use dir as certificate store path to verify CA certificate"},
{"build_chain", OPT_BUILD_CHAIN, '-'}, {"no_cache", OPT_NO_CACHE, '-', "Disable session cache"},
{"chainCAfile", OPT_CHAINCAFILE, '<'}, {"ext_cache", OPT_EXT_CACHE, '-',
{"verifyCAfile", OPT_VERIFYCAFILE, '<'}, "Disable internal cache, setup and use external cache"},
{"ign_eof", OPT_IGN_EOF, '-'}, {"CRLform", OPT_CRLFORM, 'F', "CRL format (PEM or DER) PEM is default" },
{"no_ign_eof", OPT_NO_IGN_EOF, '-'}, {"verify_return_error", OPT_VERIFY_RET_ERROR, '-',
{"status", OPT_STATUS, '-'}, "Close connection on verification error"},
{"status_verbose", OPT_STATUS_VERBOSE, '-'}, {"verify_quiet", OPT_VERIFY_QUIET, '-',
{"status_timeout", OPT_STATUS_TIMEOUT, 'n'}, "No verify output except verify errors"},
{"status_url", OPT_STATUS_URL, 's'}, {"build_chain", OPT_BUILD_CHAIN, '-', "Build certificate chain"},
{"trace", OPT_TRACE, '-'}, {"chainCAfile", OPT_CHAINCAFILE, '<',
{"security_debug", OPT_SECURITY_DEBUG, '-'}, "CA file for certificate chain (PEM format)"},
{"security_debug_verbose", OPT_SECURITY_DEBUG_VERBOSE, '-'}, {"verifyCAfile", OPT_VERIFYCAFILE, '<',
{"brief", OPT_BRIEF, '-'}, "CA file for certificate verification (PEM format)"},
{"rev", OPT_REV, '-'}, {"ign_eof", OPT_IGN_EOF, '-', "ignore input eof (default when -quiet)"},
{"no_ign_eof", OPT_NO_IGN_EOF, '-', "Do not ignore input eof"},
{"status", OPT_STATUS, '-', "Request certificate status from server"},
{"status_verbose", OPT_STATUS_VERBOSE, '-',
"Print more output in certificate status callback"},
{"status_timeout", OPT_STATUS_TIMEOUT, 'n',
"Status request responder timeout"},
{"status_url", OPT_STATUS_URL, 's', "Status request fallback URL"},
#ifndef OPENSSL_NO_SSL_TRACE
{"trace", OPT_TRACE, '-', "trace protocol messages"},
#endif
{"security_debug", OPT_SECURITY_DEBUG, '-',
"Print output from SSL/TLS security framework"},
{"security_debug_verbose", OPT_SECURITY_DEBUG_VERBOSE, '-',
"Print more output from SSL/TLS security framework"},
{"brief", OPT_BRIEF, '-', \
"Restrict output to brief summary of connection parameters"},
{"rev", OPT_REV, '-',
"act as a simple test server which just sends back with the received text reversed"},
{"async", OPT_ASYNC, '-', "Operate in asynchronous mode"}, {"async", OPT_ASYNC, '-', "Operate in asynchronous mode"},
{"ssl_config", OPT_SSL_CONFIG, 's'}, {"ssl_config", OPT_SSL_CONFIG, 's', \
"Configure SSL_CTX using the configuration 'val'"},
OPT_S_OPTIONS, OPT_S_OPTIONS,
OPT_V_OPTIONS, OPT_V_OPTIONS,
OPT_X_OPTIONS, OPT_X_OPTIONS,
...@@ -951,7 +974,7 @@ OPTIONS s_server_options[] = { ...@@ -951,7 +974,7 @@ OPTIONS s_server_options[] = {
{"tls1_2", OPT_TLS1_2, '-', "just talk TLSv1.2"}, {"tls1_2", OPT_TLS1_2, '-', "just talk TLSv1.2"},
#endif #endif
#ifndef OPENSSL_NO_DTLS #ifndef OPENSSL_NO_DTLS
{"dtls", OPT_DTLS, '-'}, {"dtls", OPT_DTLS, '-', "Use any DTLS version"},
{"timeout", OPT_TIMEOUT, '-', "Enable timeouts"}, {"timeout", OPT_TIMEOUT, '-', "Enable timeouts"},
{"mtu", OPT_MTU, 'p', "Set link layer MTU"}, {"mtu", OPT_MTU, 'p', "Set link layer MTU"},
{"chain", OPT_CHAIN, '-', "Read a certificate chain"}, {"chain", OPT_CHAIN, '-', "Read a certificate chain"},
...@@ -978,7 +1001,7 @@ OPTIONS s_server_options[] = { ...@@ -978,7 +1001,7 @@ OPTIONS s_server_options[] = {
"Set the advertised protocols for the ALPN extension (comma-separated list)"}, "Set the advertised protocols for the ALPN extension (comma-separated list)"},
#endif #endif
#ifndef OPENSSL_NO_ENGINE #ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's'}, {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
#endif #endif
{NULL} {NULL}
}; };
...@@ -1680,12 +1703,12 @@ int s_server_main(int argc, char *argv[]) ...@@ -1680,12 +1703,12 @@ int s_server_main(int argc, char *argv[])
} }
ctx = SSL_CTX_new(meth); ctx = SSL_CTX_new(meth);
if (sdebug)
ssl_ctx_security_debug(ctx, sdebug);
if (ctx == NULL) { if (ctx == NULL) {
ERR_print_errors(bio_err); ERR_print_errors(bio_err);
goto end; goto end;
} }
if (sdebug)
ssl_ctx_security_debug(ctx, sdebug);
if (ssl_config) { if (ssl_config) {
if (SSL_CTX_config(ctx, ssl_config) == 0) { if (SSL_CTX_config(ctx, ssl_config) == 0) {
BIO_printf(bio_err, "Error using configuration \"%s\"\n", BIO_printf(bio_err, "Error using configuration \"%s\"\n",
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册