apps/cmp.c: -tls_used may be implied by -server https:...; improve related checks and doc
Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21176)
parent
8d120aef95
commit
4a9299ac50
|
@ -1933,10 +1933,6 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
|
|||
CMP_warn("ignoring -proxy option since -server is not given");
|
||||
if (opt_no_proxy != NULL)
|
||||
CMP_warn("ignoring -no_proxy option since -server is not given");
|
||||
if (opt_tls_used) {
|
||||
CMP_warn("ignoring -tls_used option since -server is not given");
|
||||
opt_tls_used = 0;
|
||||
}
|
||||
goto set_path;
|
||||
}
|
||||
if (!OSSL_HTTP_parse_url(opt_server, &use_ssl, NULL /* user */,
|
||||
|
@ -1946,8 +1942,8 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
|
|||
goto err;
|
||||
}
|
||||
if (use_ssl && !opt_tls_used) {
|
||||
CMP_err("missing -tls_used option since -server URL indicates HTTPS");
|
||||
goto err;
|
||||
CMP_warn("assuming -tls_used since -server URL indicates HTTPS");
|
||||
opt_tls_used = 1;
|
||||
}
|
||||
|
||||
BIO_snprintf(server_port, sizeof(server_port), "%s", port);
|
||||
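Review bot: The first hunk no longer warns about, or clears, `opt_tls_used` when `-server` is absent, while the sibling `-proxy` and `-no_proxy` cases in the same branch still emit `CMP_warn("ignoring ... since -server is not given")`, and the man page hunk in this commit keeps stating that `-tls_used` is ignored without `-server`. Unless a check outside the hunk already rejects or resets the flag, I would keep the user-visible notice, e.g. `if (opt_tls_used) CMP_warn("ignoring -tls_used option since -server is not given");`, so that an option the user passed and that takes no effect is reported the same way `-proxy` is. In the second hunk the new `opt_tls_used = 1;` turns a parsed URL scheme into option state as a side effect of setup_client_ctx; a one-line comment such as `/* https scheme in -server implies TLS; set the flag so later TLS-dependent code sees it */` would make that explicit. Whether the reverse case, `-tls_used` combined with a plain `http://` URL, is handled cannot be seen here; setup_client_ctx starts before and ends after both hunks.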
|
|
|
@ -480,8 +480,8 @@ IP address may be for v4 or v6, such as C<127.0.0.1> or C<[::1]> for localhost.
|
|||
This option excludes I<-port> and I<-use_mock_srv>.
|
||||
It is ignored if I<-rspin> is given with enough filename arguments.
|
||||
|
||||
The scheme C<https> may be given only if the B<-tls_used> option is provided.
|
||||
In this case the default port is 443, else 80.
|
||||
If the scheme C<https> is given, the B<-tls_used> option is implied.
|
||||
When TLS is used, the default port is 443, otherwise 80.
|
||||
The optional userinfo and fragment components are ignored.
|
||||
Any given query component is handled as part of the path component.
|
||||
If a path is included it provides the default value for the B<-path> option.
|
||||
|
@ -491,9 +491,9 @@ If a path is included it provides the default value for the B<-path> option.
|
|||
The HTTP(S) proxy server to use for reaching the CMP server unless B<-no_proxy>
|
||||
applies, see below.
|
||||
The proxy port defaults to 80 or 443 if the scheme is C<https>; apart from that
|
||||
the optional C<http://> or C<https://> prefix is ignored (note that TLS may be
|
||||
enabled by B<-tls_used>), as well as any path, userinfo, and query, and fragment
|
||||
components.
|
||||
the optional C<http://> or C<https://> prefix is ignored (note that using TLS
|
||||
may be required by B<-tls_used> or B<-server> with the prefix C<https>),
|
||||
as well as any path, userinfo, and query, and fragment components.
|
||||
Defaults to the environment variable C<http_proxy> if set, else C<HTTP_PROXY>
|
||||
in case no TLS is used, otherwise C<https_proxy> if set, else C<HTTPS_PROXY>.
|
||||
This option is ignored if I<-server> is not given.
|
||||
|
@ -584,7 +584,7 @@ Non-trusted intermediate CA certificate(s).
|
|||
Any extra certificates given with the B<-cert> option are appended to it.
|
||||
All these certificates may be useful for cert path construction
|
||||
for the own CMP signer certificate (to include in the extraCerts field of
|
||||
request messages) and for the TLS client certificate (if TLS is enabled)
|
||||
request messages) and for the TLS client certificate (if TLS is used)
|
||||
as well as for chain building
|
||||
when validating server certificates (checking signature-based
|
||||
CMP message protection) and when validating newly enrolled certificates.
|
||||
|
@ -898,14 +898,14 @@ B<-tls_key>.
|
|||
|
||||
=item B<-tls_used>
|
||||
|
||||
Enable using TLS (even when other TLS-related options are not set)
|
||||
for message exchange with CMP server via HTTP.
|
||||
Make the CMP client use TLS (regardless if other TLS-related options are set)
|
||||
for message exchange with the server via HTTP.
|
||||
This option is not supported with the I<-port> option.
|
||||
It is ignored if the I<-server> option is not given or I<-use_mock_srv> is given
|
||||
or I<-rspin> is given with enough filename arguments.
|
||||
It is implied if the B<-server> option is given with the scheme C<https>.
|
||||
It is ignored if the B<-server> option is not given or B<-use_mock_srv> is given
|
||||
or B<-rspin> is given with enough filename arguments.
|
||||
|
||||
The following TLS-related options are ignored
|
||||
if B<-tls_used> is not given or does not take effect.
|
||||
The following TLS-related options are ignored if TLS is not used.
|
||||
|
||||
=item B<-tls_cert> I<filename>|I<uri>
|
||||
|
||||
|
|
|
@ -21,6 +21,8 @@ TBD,server IP address with TLS port, -section,, -server,_SERVER_IP:_SERVER_TLS,,
|
|||
0,proxy default port, -section,, -server,_SERVER_HOST:_SERVER_PORT, -proxy,127.0.0.1, -no_proxy,nonmatch.com,BLANK,,,,-msg_timeout,1,BLANK,,BLANK,
|
||||
0,proxy missing argument, -section,, -server,_SERVER_HOST:_SERVER_PORT, -proxy,, -no_proxy,nonmatch.com,BLANK,,,,BLANK,,BLANK,,BLANK,
|
||||
,,,,,,,,,,,,,,,,,,,
|
||||
0,tls_used, -section,, -server,_SERVER_HOST:_SERVER_PORT,,,,,-tls_used,,,,-msg_timeout,1,BLANK,,BLANK,
|
||||
,,,,,,,,,,,,,,,,,,,
|
||||
1,path explicit, -section,, -server,_SERVER_HOST:_SERVER_PORT,,,,,BLANK,, -path,_SERVER_PATH,BLANK,,BLANK,,BLANK,
|
||||
1,path overrides -server path, -section,, -server,_SERVER_HOST:_SERVER_PORT/ignored,,,,,BLANK,, -path,_SERVER_PATH,BLANK,,BLANK,,BLANK,
|
||||
1,path default -server path, -section,, -server,_SERVER_HOST:_SERVER_PORT/_SERVER_PATH,,,,,BLANK,, -path,"""",BLANK,,BLANK,,BLANK,
|
||||
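Review bot: The added row `0,tls_used, -section,, -server,_SERVER_HOST:_SERVER_PORT,,,,,-tls_used,...` only exercises an explicit `-tls_used` against the plain port; nothing in this hunk covers the behaviour the commit introduces, namely `-server` given with an `https://` scheme and no `-tls_used`. If the leading column is the expected outcome as in the neighbouring rows, a row built from the same columns, such as `0,tls_used implied by https, -section,, -server,https://_SERVER_HOST:_SERVER_PORT,,,,,BLANK,,,,-msg_timeout,1,BLANK,,BLANK,` (constructed), would pin the implied-TLS path to the same result as the explicit one. A positive counterpart against `_SERVER_TLS` could follow once the TBD row in the hunk context is enabled.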
|
|
|