Commit fb0e87fb authored by Bodo Moeller

Add TLS_FALLBACK_SCSV documentation, and move s_client -fallback_scsv

handling out of #ifndef OPENSSL_NO_DTLS1 section.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Parent cf6da053
...@@ -942,10 +942,6 @@ static char *jpake_secret = NULL; ...@@ -942,10 +942,6 @@ static char *jpake_secret = NULL;
meth=DTLSv1_2_client_method(); meth=DTLSv1_2_client_method();
socket_type=SOCK_DGRAM; socket_type=SOCK_DGRAM;
} }
else if (strcmp(*argv,"-fallback_scsv") == 0)
{
fallback_scsv = 1;
}
else if (strcmp(*argv,"-timeout") == 0) else if (strcmp(*argv,"-timeout") == 0)
enable_timeouts=1; enable_timeouts=1;
else if (strcmp(*argv,"-mtu") == 0) else if (strcmp(*argv,"-mtu") == 0)
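Review bot: the block removed here sat between the DTLS-only branches (-mtu, -timeout) inside the #ifndef OPENSSL_NO_DTLS1 section the commit message refers to, so on a build with DTLS disabled "-fallback_scsv" would have fallen through to the unknown-option path and been rejected; the removal is correct provided the option is re-added outside that section. While moving it, confirm that the declaration of the `fallback_scsv` variable is itself outside the #ifndef, otherwise the no-DTLS build fails to compile instead of merely ignoring the option.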
...@@ -954,6 +950,10 @@ static char *jpake_secret = NULL; ...@@ -954,6 +950,10 @@ static char *jpake_secret = NULL;
socket_mtu = atol(*(++argv)); socket_mtu = atol(*(++argv));
} }
#endif #endif
else if (strcmp(*argv,"-fallback_scsv") == 0)
{
fallback_scsv = 1;
}
else if (strcmp(*argv,"-keyform") == 0) else if (strcmp(*argv,"-keyform") == 0)
{ {
if (--argc < 1) goto bad; if (--argc < 1) goto bad;
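Review bot: placing the branch directly after the `#endif` and before "-keyform" is the right spot, and since the option takes no argument there is correctly no `if (--argc < 1) goto bad;` guard, unlike the -keyform branch below it. This hunk shows no matching change to the usage text printed for unknown options; if the s_client help lists the protocol-version switches, add "-fallback_scsv" there as well so users on a no-DTLS build can discover it.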
......
...@@ -64,6 +64,9 @@ B<openssl> B<s_client> ...@@ -64,6 +64,9 @@ B<openssl> B<s_client>
[B<-no_ssl2>] [B<-no_ssl2>]
[B<-no_ssl3>] [B<-no_ssl3>]
[B<-no_tls1>] [B<-no_tls1>]
[B<-no_tls1_1>]
[B<-no_tls1_2>]
[B<-fallback_scsv>]
[B<-bugs>] [B<-bugs>]
[B<-cipher cipherlist>] [B<-cipher cipherlist>]
[B<-serverpref>] [B<-serverpref>]
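Review bot: the SYNOPSIS now lists B<-no_tls1_1> and B<-no_tls1_2> alongside B<-no_tls1>, which the OPTIONS section did not previously document either, so the two additions are consistent with each other; keep B<-fallback_scsv> adjacent to the version switches as done here, since it is only meaningful together with them (a client sends it when it retries with a lowered maximum version).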
...@@ -245,16 +248,19 @@ Use the PSK key B<key> when using a PSK cipher suite. The key is ...@@ -245,16 +248,19 @@ Use the PSK key B<key> when using a PSK cipher suite. The key is
given as a hexadecimal number without leading 0x, for example -psk given as a hexadecimal number without leading 0x, for example -psk
1a2b3c4d. 1a2b3c4d.
=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> =item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
these options disable the use of certain SSL or TLS protocols. By default these options disable the use of certain SSL or TLS protocols. By default
the initial handshake uses a method which should be compatible with all the initial handshake uses a method which should be compatible with all
servers and permit them to use SSL v3, SSL v2 or TLS as appropriate. servers and permit them to use SSL v3, SSL v2 or TLS as appropriate.
Unfortunately there are a lot of ancient and broken servers in use which Unfortunately there are still ancient and broken servers in use which
cannot handle this technique and will fail to connect. Some servers only cannot handle this technique and will fail to connect. Some servers only
work if TLS is turned off with the B<-no_tls> option others will only work if TLS is turned off.
support SSL v2 and may need the B<-ssl2> option.
=item B<-fallback_scsv>
Send TLS_FALLBACK_SCSV in the ClientHello.
=item B<-bugs> =item B<-bugs>
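Review bot: the rewritten sentence "Some servers only work if TLS is turned off." drops the bogus B<-no_tls> reference (good, no such option exists) but now no longer tells the reader how to do it; either name the real switches (B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>) or drop the sentence. The new B<-fallback_scsv> entry, "Send TLS_FALLBACK_SCSV in the ClientHello.", should say when it applies: only on a retry after a handshake with the highest supported version failed, since a server that supports a higher version will abort a connection carrying the SCSV; a cross-reference to the SSL_MODE_FALLBACK_SCSV text in SSL_CTX_set_mode(3) would cover that.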
......
...@@ -71,6 +71,12 @@ SSL_CTX->freelist_max_len, which defaults to 32. Using this flag can ...@@ -71,6 +71,12 @@ SSL_CTX->freelist_max_len, which defaults to 32. Using this flag can
save around 34k per idle SSL connection. save around 34k per idle SSL connection.
This flag has no effect on SSL v2 connections, or on DTLS connections. This flag has no effect on SSL v2 connections, or on DTLS connections.
=item SSL_MODE_FALLBACK_SCSV
Send TLS_FALLBACK_SCSV in the ClientHello.
To be set by applications that reconnect with a downgraded protocol
version; see draft-ietf-tls-downgrade-scsv-00 for details.
=back =back
=head1 RETURN VALUES =head1 RETURN VALUES
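Review bot: "To be set by applications that reconnect with a downgraded protocol version" should state explicitly that the mode belongs on the fallback connection only, never on the first attempt at the highest supported version, because a server implementing the draft treats the SCSV on a connection below its own maximum as a downgrade attack and aborts the handshake; that is the behaviour the flag exists to trigger, and the sentence as written could be read as a global setting. Also verify against ssl.h that the macro is really spelled SSL_MODE_FALLBACK_SCSV; a man page naming a symbol that does not match the header is worse than no entry.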
......