author | Nikolay Morozov <nmorozoff77@yandex.ru> | 2020-05-02 12:22:43 +0300 |
---|---|---|
committer | Dmitry Belyavskiy <beldmit@gmail.com> | 2020-05-07 16:14:47 +0300 |
commit | 90fc2c26df23811be080093772b2161850385863 (patch) | |
tree | a372be0919b9ba64d7606b50a1297b8dabbc5371 /apps/s_server.c | |
parent | 2b5e12f5096e1fba7dd91a682f4c34759469c34b (diff) |
SSL_OP_DISABLE_TLSEXT_CA_NAMES option implementation
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11709)
Diffstat (limited to 'apps/s_server.c')
-rw-r--r-- | apps/s_server.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/apps/s_server.c b/apps/s_server.c
index 4904a21b7a..7ac4221860 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -761,7 +761,7 @@ typedef enum OPTION_choice {
     OPT_SRTP_PROFILES, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN, OPT_KEYLOG_FILE,
     OPT_MAX_EARLY, OPT_RECV_MAX_EARLY, OPT_EARLY_DATA, OPT_S_NUM_TICKETS,
     OPT_ANTI_REPLAY, OPT_NO_ANTI_REPLAY, OPT_SCTP_LABEL_BUG,
-    OPT_HTTP_SERVER_BINMODE,
+    OPT_HTTP_SERVER_BINMODE, OPT_NOCANAMES,
     OPT_R_ENUM,
     OPT_S_ENUM,
     OPT_V_ENUM,
@@ -952,6 +952,8 @@ const OPTIONS s_server_options[] = {
     {"anti_replay", OPT_ANTI_REPLAY, '-', "Switch on anti-replay protection (default)"},
     {"no_anti_replay", OPT_NO_ANTI_REPLAY, '-', "Switch off anti-replay protection"},
     {"http_server_binmode", OPT_HTTP_SERVER_BINMODE, '-', "opening files in binary mode when acting as http server (-WWW and -HTTP)"},
+    {"no_ca_names", OPT_NOCANAMES, '-',
+     "Disable TLS Extension CA Names"},
     {"stateless", OPT_STATELESS, '-', "Require TLSv1.3 cookies"},
 #ifndef OPENSSL_NO_SSL3
     {"ssl3", OPT_SSL3, '-', "Just talk SSLv3"},
@@ -1089,6 +1091,7 @@ int s_server_main(int argc, char *argv[])
     const char *keylog_file = NULL;
     int max_early_data = -1, recv_max_early_data = -1;
     char *psksessf = NULL;
+    int no_ca_names = 0;
 #ifndef OPENSSL_NO_SCTP
     int sctp_label_bug = 0;
 #endif
@@ -1655,6 +1658,9 @@ int s_server_main(int argc, char *argv[])
         case OPT_HTTP_SERVER_BINMODE:
             http_server_binmode = 1;
             break;
+        case OPT_NOCANAMES:
+            no_ca_names = 1;
+            break;
         case OPT_SENDFILE:
 #ifndef OPENSSL_NO_KTLS
             use_sendfile = 1;
@@ -1900,6 +1906,10 @@ int s_server_main(int argc, char *argv[])
         SSL_CTX_set_mode(ctx, SSL_MODE_ASYNC);
     }
 
+    if (no_ca_names) {
+        SSL_CTX_set_options(ctx, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
+    }
+
     if (max_send_fragment > 0
         && !SSL_CTX_set_max_send_fragment(ctx, max_send_fragment)) {
         BIO_printf(bio_err, "%s: Max send fragment size %u is out of permitted range\n",
|
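Review bot: The help text `"Disable TLS Extension CA Names"` on the new no_ca_names entry names the option constant rather than the effect, while the neighbouring entries in this table describe what the switch does (`"Switch off anti-replay protection"`); since omitting the CA list removes the hint clients use to pick a certificate the server will accept, a user-facing description is worth having, e.g. `"Do not send the acceptable CA names in CertificateRequest"` (wording to be checked against the SSL_OP_DISABLE_TLSEXT_CA_NAMES man page). The enum constant also breaks the pattern this file uses elsewhere, where `no_anti_replay` maps to `OPT_NO_ANTI_REPLAY`; `OPT_NO_CA_NAMES` would read consistently in this hunk and in the enum and switch hunks above and below. If the PR does not update doc/man1/openssl-s_server.pod alongside this table, the new switch should be documented there too.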
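Review bot: The new `SSL_CTX_set_options(ctx, SSL_OP_DISABLE_TLSEXT_CA_NAMES)` block carries no comment explaining why a server operator would want to suppress the CA names, which is the non-obvious part of this change; a one-line why-comment above the `if` would help, e.g. `/* Omit the acceptable-CA list from CertificateRequest; clients then lose the hint used to select a matching certificate (see SSL_OP_DISABLE_TLSEXT_CA_NAMES) */`, with the exact behaviour confirmed against the option's documentation rather than assumed. The placement after the SSL_MODE_ASYNC block is consistent with how the other ctx-level options are applied here. s_server_main continues outside the hunk, so I cannot see whether any later code re-sets the context options.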