mirror of https://github.com/openssl/openssl
SSL_OP_DISABLE_TLSEXT_CA_NAMES option implementation
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/11709)
This commit is contained in:
parent
2b5e12f509
commit
90fc2c26df
|
@ -761,7 +761,7 @@ typedef enum OPTION_choice {
|
|||
OPT_SRTP_PROFILES, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN,
|
||||
OPT_KEYLOG_FILE, OPT_MAX_EARLY, OPT_RECV_MAX_EARLY, OPT_EARLY_DATA,
|
||||
OPT_S_NUM_TICKETS, OPT_ANTI_REPLAY, OPT_NO_ANTI_REPLAY, OPT_SCTP_LABEL_BUG,
|
||||
OPT_HTTP_SERVER_BINMODE,
|
||||
OPT_HTTP_SERVER_BINMODE, OPT_NOCANAMES,
|
||||
OPT_R_ENUM,
|
||||
OPT_S_ENUM,
|
||||
OPT_V_ENUM,
|
||||
|
@ -952,6 +952,8 @@ const OPTIONS s_server_options[] = {
|
|||
{"anti_replay", OPT_ANTI_REPLAY, '-', "Switch on anti-replay protection (default)"},
|
||||
{"no_anti_replay", OPT_NO_ANTI_REPLAY, '-', "Switch off anti-replay protection"},
|
||||
{"http_server_binmode", OPT_HTTP_SERVER_BINMODE, '-', "opening files in binary mode when acting as http server (-WWW and -HTTP)"},
|
||||
{"no_ca_names", OPT_NOCANAMES, '-',
|
||||
"Disable TLS Extension CA Names"},
|
||||
{"stateless", OPT_STATELESS, '-', "Require TLSv1.3 cookies"},
|
||||
#ifndef OPENSSL_NO_SSL3
|
||||
{"ssl3", OPT_SSL3, '-', "Just talk SSLv3"},
|
||||
|
@ -1089,6 +1091,7 @@ int s_server_main(int argc, char *argv[])
|
|||
const char *keylog_file = NULL;
|
||||
int max_early_data = -1, recv_max_early_data = -1;
|
||||
char *psksessf = NULL;
|
||||
int no_ca_names = 0;
|
||||
#ifndef OPENSSL_NO_SCTP
|
||||
int sctp_label_bug = 0;
|
||||
#endif
|
||||
|
@ -1655,6 +1658,9 @@ int s_server_main(int argc, char *argv[])
|
|||
case OPT_HTTP_SERVER_BINMODE:
|
||||
http_server_binmode = 1;
|
||||
break;
|
||||
case OPT_NOCANAMES:
|
||||
no_ca_names = 1;
|
||||
break;
|
||||
case OPT_SENDFILE:
|
||||
#ifndef OPENSSL_NO_KTLS
|
||||
use_sendfile = 1;
|
||||
|
@ -1900,6 +1906,10 @@ int s_server_main(int argc, char *argv[])
|
|||
SSL_CTX_set_mode(ctx, SSL_MODE_ASYNC);
|
||||
}
|
||||
|
||||
if (no_ca_names) {
|
||||
SSL_CTX_set_options(ctx, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
|
||||
}
|
||||
|
||||
if (max_send_fragment > 0
|
||||
&& !SSL_CTX_set_max_send_fragment(ctx, max_send_fragment)) {
|
||||
BIO_printf(bio_err, "%s: Max send fragment size %u is out of permitted range\n",
|
||||
|
|
|
@ -46,6 +46,7 @@ B<openssl> B<s_server>
|
|||
[B<-www>]
|
||||
[B<-WWW>]
|
||||
[B<-http_server_binmode>]
|
||||
[B<-no_ca_names>]
|
||||
[B<-servername>]
|
||||
[B<-servername_fatal>]
|
||||
[B<-tlsextdebug>]
|
||||
|
@ -411,6 +412,12 @@ Neither of these options can be used in conjunction with B<-early_data>.
|
|||
When acting as web-server (using option B<-WWW> or B<-HTTP>) open files requested
|
||||
by the client in binary mode.
|
||||
|
||||
=item B<-no_ca_names>
|
||||
|
||||
Disable TLS Extension CA Names. You may want to disable it for security reasons
|
||||
or for compatibility with some Windows TLS implementations crashing when this
|
||||
extension is larger than 1024 bytes.
|
||||
|
||||
=item B<-id_prefix> I<val>
|
||||
|
||||
Generate SSL/TLS session IDs prefixed by I<val>. This is mostly useful
|
||||
|
|
|
@ -507,6 +507,10 @@ B<ExtendedMasterSecret>: use extended master secret extension, enabled by
|
|||
default. Inverse of B<SSL_OP_NO_EXTENDED_MASTER_SECRET>: that is,
|
||||
B<-ExtendedMasterSecret> is the same as setting B<SSL_OP_NO_EXTENDED_MASTER_SECRET>.
|
||||
|
||||
B<CANames>: use CA names extension, enabled by
|
||||
default. Inverse of B<SSL_OP_DISABLE_TLSEXT_CA_NAMES>: that is,
|
||||
B<-CANames> is the same as setting B<SSL_OP_DISABLE_TLSEXT_CA_NAMES>.
|
||||
|
||||
=item B<VerifyMode>
|
||||
|
||||
The B<value> argument is a comma separated list of flags to set.
|
||||
|
|
|
@ -67,6 +67,12 @@ The following B<bug workaround> options are available:
|
|||
Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on OS X.
|
||||
OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers.
|
||||
|
||||
=item SSL_OP_DISABLE_TLSEXT_CA_NAMES
|
||||
|
||||
Disable TLS Extension CA Names. You may want to disable it for security reasons
|
||||
or for compatibility with some Windows TLS implementations crashing when this
|
||||
extension is larger than 1024 bytes.
|
||||
|
||||
=item SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
|
||||
|
||||
Disables a countermeasure against a SSL 3.0/TLS 1.0 protocol
|
||||
|
@ -378,7 +384,7 @@ The B<SSL_OP_NO_EXTENDED_MASTER_SECRET> option was added in OpenSSL 3.0.
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -331,9 +331,10 @@ typedef int (*SSL_async_callback_fn)(SSL *s, void *arg);
|
|||
/*
|
||||
* Reserved value (until OpenSSL 3.0.0) 0x00000080U
|
||||
* Reserved value (until OpenSSL 3.0.0) 0x00000100U
|
||||
* Reserved value (until OpenSSL 3.0.0) 0x00000200U
|
||||
*/
|
||||
|
||||
# define SSL_OP_DISABLE_TLSEXT_CA_NAMES 0x00000200U
|
||||
|
||||
/* In TLSv1.3 allow a non-(ec)dhe based kex_mode */
|
||||
# define SSL_OP_ALLOW_NO_DHE_KEX 0x00000400U
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2012-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2012-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -383,7 +383,8 @@ static int cmd_Options(SSL_CONF_CTX *cctx, const char *value)
|
|||
SSL_FLAG_TBL("PrioritizeChaCha", SSL_OP_PRIORITIZE_CHACHA),
|
||||
SSL_FLAG_TBL("MiddleboxCompat", SSL_OP_ENABLE_MIDDLEBOX_COMPAT),
|
||||
SSL_FLAG_TBL_INV("AntiReplay", SSL_OP_NO_ANTI_REPLAY),
|
||||
SSL_FLAG_TBL_INV("ExtendedMasterSecret", SSL_OP_NO_EXTENDED_MASTER_SECRET)
|
||||
SSL_FLAG_TBL_INV("ExtendedMasterSecret", SSL_OP_NO_EXTENDED_MASTER_SECRET),
|
||||
SSL_FLAG_TBL_INV("CANames", SSL_OP_DISABLE_TLSEXT_CA_NAMES)
|
||||
};
|
||||
if (value == NULL)
|
||||
return -3;
|
||||
|
|
|
@ -2342,7 +2342,7 @@ int construct_ca_names(SSL *s, const STACK_OF(X509_NAME) *ca_sk, WPACKET *pkt)
|
|||
return 0;
|
||||
}
|
||||
|
||||
if (ca_sk != NULL) {
|
||||
if ((ca_sk != NULL) && !(s->options & SSL_OP_DISABLE_TLSEXT_CA_NAMES)) {
|
||||
int i;
|
||||
|
||||
for (i = 0; i < sk_X509_NAME_num(ca_sk); i++) {
|
||||
|
|
|
@ -1481,7 +1481,7 @@ static SSL_SESSION *get_session_cb(SSL *ssl, const unsigned char *id, int len,
|
|||
}
|
||||
|
||||
static int execute_test_session(int maxprot, int use_int_cache,
|
||||
int use_ext_cache)
|
||||
int use_ext_cache, long s_options)
|
||||
{
|
||||
SSL_CTX *sctx = NULL, *cctx = NULL;
|
||||
SSL *serverssl1 = NULL, *clientssl1 = NULL;
|
||||
|
@ -1524,6 +1524,10 @@ static int execute_test_session(int maxprot, int use_int_cache,
|
|||
| SSL_SESS_CACHE_NO_INTERNAL_STORE);
|
||||
}
|
||||
|
||||
if (s_options) {
|
||||
SSL_CTX_set_options(sctx, s_options);
|
||||
}
|
||||
|
||||
if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
|
||||
NULL, NULL))
|
||||
|| !TEST_true(create_ssl_connection(serverssl1, clientssl1,
|
||||
|
@ -1768,12 +1772,12 @@ static int execute_test_session(int maxprot, int use_int_cache,
|
|||
static int test_session_with_only_int_cache(void)
|
||||
{
|
||||
#ifndef OPENSSL_NO_TLS1_3
|
||||
if (!execute_test_session(TLS1_3_VERSION, 1, 0))
|
||||
if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
|
||||
return 0;
|
||||
#endif
|
||||
|
||||
#ifndef OPENSSL_NO_TLS1_2
|
||||
return execute_test_session(TLS1_2_VERSION, 1, 0);
|
||||
return execute_test_session(TLS1_2_VERSION, 1, 0, 0);
|
||||
#else
|
||||
return 1;
|
||||
#endif
|
||||
|
@ -1782,12 +1786,12 @@ static int test_session_with_only_int_cache(void)
|
|||
static int test_session_with_only_ext_cache(void)
|
||||
{
|
||||
#ifndef OPENSSL_NO_TLS1_3
|
||||
if (!execute_test_session(TLS1_3_VERSION, 0, 1))
|
||||
if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
|
||||
return 0;
|
||||
#endif
|
||||
|
||||
#ifndef OPENSSL_NO_TLS1_2
|
||||
return execute_test_session(TLS1_2_VERSION, 0, 1);
|
||||
return execute_test_session(TLS1_2_VERSION, 0, 1, 0);
|
||||
#else
|
||||
return 1;
|
||||
#endif
|
||||
|
@ -1796,17 +1800,32 @@ static int test_session_with_only_ext_cache(void)
|
|||
static int test_session_with_both_cache(void)
|
||||
{
|
||||
#ifndef OPENSSL_NO_TLS1_3
|
||||
if (!execute_test_session(TLS1_3_VERSION, 1, 1))
|
||||
if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
|
||||
return 0;
|
||||
#endif
|
||||
|
||||
#ifndef OPENSSL_NO_TLS1_2
|
||||
return execute_test_session(TLS1_2_VERSION, 1, 1);
|
||||
return execute_test_session(TLS1_2_VERSION, 1, 1, 0);
|
||||
#else
|
||||
return 1;
|
||||
#endif
|
||||
}
|
||||
|
||||
static int test_session_wo_ca_names(void)
|
||||
{
|
||||
#ifndef OPENSSL_NO_TLS1_3
|
||||
if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
|
||||
return 0;
|
||||
#endif
|
||||
|
||||
#ifndef OPENSSL_NO_TLS1_2
|
||||
return execute_test_session(TLS1_2_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
|
||||
#else
|
||||
return 1;
|
||||
#endif
|
||||
}
|
||||
|
||||
|
||||
#ifndef OPENSSL_NO_TLS1_3
|
||||
static SSL_SESSION *sesscache[6];
|
||||
static int do_cache;
|
||||
|
@ -7585,6 +7604,7 @@ int setup_tests(void)
|
|||
ADD_TEST(test_session_with_only_int_cache);
|
||||
ADD_TEST(test_session_with_only_ext_cache);
|
||||
ADD_TEST(test_session_with_both_cache);
|
||||
ADD_TEST(test_session_wo_ca_names);
|
||||
#ifndef OPENSSL_NO_TLS1_3
|
||||
ADD_ALL_TESTS(test_stateful_tickets, 3);
|
||||
ADD_ALL_TESTS(test_stateless_tickets, 3);
|
||||
|
|
Loading…
Reference in New Issue