diff options
| author | Bodo Moeller <bodo@openssl.org> | 2014-10-15 11:14:34 +0200 |
|---|---|---|
| committer | Bodo Moeller <bodo@openssl.org> | 2014-10-15 11:14:34 +0200 |
| commit | 8745c0815c38c483915c8855b6c8c432341aee87 (patch) | |
| tree | 36d9edc76023ba176d8ea1451d64aa48b68e1d49 | |
| parent | 68828f167cce6dc7b2013d8906b6f6881d5b0392 (diff) | |
Add TLS_FALLBACK_SCSV documentation, and move s_client -fallback_scsv
handling out of #ifndef OPENSSL_NO_DTLS1 section.
Reviewed-by: Rich Salz <rsalz@openssl.org>
| -rw-r--r-- | apps/s_client.c | 8 | ||||
| -rw-r--r-- | doc/apps/s_client.pod | 10 | ||||
| -rw-r--r-- | doc/ssl/SSL_CTX_set_mode.pod | 6 |
3 files changed, 17 insertions, 7 deletions
diff --git a/apps/s_client.c b/apps/s_client.c index a75cfcf7ee..1e377debc0 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -604,10 +604,6 @@ int MAIN(int argc, char **argv) meth=DTLSv1_client_method(); socket_type=SOCK_DGRAM; } - else if (strcmp(*argv,"-fallback_scsv") == 0) - { - fallback_scsv = 1; - } else if (strcmp(*argv,"-timeout") == 0) enable_timeouts=1; else if (strcmp(*argv,"-mtu") == 0) @@ -616,6 +612,10 @@ int MAIN(int argc, char **argv) socket_mtu = atol(*(++argv)); } #endif + else if (strcmp(*argv,"-fallback_scsv") == 0) + { + fallback_scsv = 1; + } else if (strcmp(*argv,"-bugs") == 0) bugs=1; else if (strcmp(*argv,"-keyform") == 0) diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod index 57b67f7c4e..259f210f1e 100644 --- a/doc/apps/s_client.pod +++ b/doc/apps/s_client.pod @@ -37,6 +37,7 @@ B<openssl> B<s_client> [B<-no_ssl2>] [B<-no_ssl3>] [B<-no_tls1>] +[B<-fallback_scsv>] [B<-bugs>] [B<-cipher cipherlist>] [B<-serverpref>] @@ -201,10 +202,13 @@ these options disable the use of certain SSL or TLS protocols. By default the initial handshake uses a method which should be compatible with all servers and permit them to use SSL v3, SSL v2 or TLS as appropriate. -Unfortunately there are a lot of ancient and broken servers in use which +Unfortunately there are still ancient and broken servers in use which cannot handle this technique and will fail to connect. Some servers only -work if TLS is turned off with the B<-no_tls> option others will only -support SSL v2 and may need the B<-ssl2> option. +work if TLS is turned off. + +=item B<-fallback_scsv> + +Send TLS_FALLBACK_SCSV in the ClientHello. =item B<-bugs> diff --git a/doc/ssl/SSL_CTX_set_mode.pod b/doc/ssl/SSL_CTX_set_mode.pod index 8cb669daeb..0bcf5d2afc 100644 --- a/doc/ssl/SSL_CTX_set_mode.pod +++ b/doc/ssl/SSL_CTX_set_mode.pod @@ -71,6 +71,12 @@ SSL_CTX->freelist_max_len, which defaults to 32. Using this flag can save around 34k per idle SSL connection. This flag has no effect on SSL v2 connections, or on DTLS connections. +=item SSL_MODE_FALLBACK_SCSV + +Send TLS_FALLBACK_SCSV in the ClientHello. +To be set by applications that reconnect with a downgraded protocol +version; see draft-ietf-tls-downgrade-scsv-00 for details. + =back =head1 RETURN VALUES |