authorFelipe Gasper <felipe@felipegasper.com>2021-10-28 10:13:47 -0400
committerTomas Mraz <tomas@openssl.org>2022-11-09 15:29:20 +0100
commit5f113755bdeb02d879ee22129d3d3e90630228a4 (patch)
tree12b43d5cada8196d23e4d9d8c818588fc196ad8f /apps
parent37fdd76d06b961d650e12a0d19d8186669e80398 (diff)
Revise s_client and s_server verbiage re secure renegotiation.
Since TLS v1.3 eschews renegotiation entirely, it’s misleading to have these apps say it’s “not supported” when in fact the TLS version is new enough not to need renegotiation at all. Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16937) (cherry picked from commit af5e63e1e3300f784f302a5d3309bf673cc08894)
Diffstat (limited to 'apps')
-rw-r--r--apps/include/s_apps.h4
-rw-r--r--apps/lib/s_cb.c15
-rw-r--r--apps/s_client.c5
-rw-r--r--apps/s_server.c10
4 files changed, 25 insertions, 9 deletions
diff --git a/apps/include/s_apps.h b/apps/include/s_apps.h
index d610df40be..194ea746ed 100644
--- a/apps/include/s_apps.h
+++ b/apps/include/s_apps.h
@@ -15,6 +15,9 @@
#define PORT "4433"
#define PROTOCOL "tcp"
+#define SSL_VERSION_ALLOWS_RENEGOTIATION(s) \
+ (SSL_is_dtls(s) || (SSL_version(s) < TLS1_3_VERSION))
+
typedef int (*do_server_cb)(int s, int stype, int prot, unsigned char *context);
int report_server_accept(BIO *out, int asock, int with_address, int with_pid);
int do_server(int *accept_sock, const char *host, const char *port,
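Review bot: SSL_VERSION_ALLOWS_RENEGOTIATION evaluates its argument twice, once in SSL_is_dtls() and once in SSL_version(), and nothing above the define says what the macro decides or why the DTLS test comes first. Both call sites added by this commit pass a plain pointer, so the double evaluation is harmless today, but a future caller passing an expression with side effects would not be warned. The leading SSL_is_dtls() test is presumably there because DTLS version constants do not compare meaningfully against TLS1_3_VERSION, which is exactly the kind of reasoning a reader needs spelled out. Suggested comment above the define: `/* True when the protocol in use has renegotiation at all: DTLS, or TLS before 1.3. DTLS is tested explicitly because its version numbers are not ordered against TLS1_3_VERSION. Evaluates s twice. */`.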
@@ -79,6 +82,7 @@ int ssl_load_stores(SSL_CTX *ctx, const char *vfyCApath,
void ssl_ctx_security_debug(SSL_CTX *ctx, int verbose);
int set_keylog_file(SSL_CTX *ctx, const char *keylog_file);
void print_ca_names(BIO *bio, SSL *s);
+void ssl_print_secure_renegotiation_notes(BIO *bio, SSL *s);
#ifndef OPENSSL_NO_SRP
/* The client side SRP context that we pass to all SRP related callbacks */
diff --git a/apps/lib/s_cb.c b/apps/lib/s_cb.c
index f2ddd94c3d..b27518c763 100644
--- a/apps/lib/s_cb.c
+++ b/apps/lib/s_cb.c
@@ -7,7 +7,10 @@
* https://www.openssl.org/source/license.html
*/
-/* callback functions used by s_client, s_server, and s_time */
+/*
+ * callback functions used by s_client, s_server, and s_time,
+ * as well as other common logic for those apps
+ */
#include <stdio.h>
#include <stdlib.h>
#include <string.h> /* for memcpy() and strcmp() */
@@ -1567,3 +1570,13 @@ void print_ca_names(BIO *bio, SSL *s)
BIO_write(bio, "\n", 1);
}
}
+
+void ssl_print_secure_renegotiation_notes(BIO *bio, SSL *s)
+{
+ if (SSL_VERSION_ALLOWS_RENEGOTIATION(s)) {
+ BIO_printf(bio, "Secure Renegotiation IS%s supported\n",
+ SSL_get_secure_renegotiation_support(s) ? "" : " NOT");
+ } else {
+ BIO_printf(bio, "This TLS version forbids renegotiation.\n");
+ }
+}
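Review bot: ssl_print_secure_renegotiation_notes becomes a shared helper exported through s_apps.h in this same commit, yet it carries no header comment stating what it prints and when. I would add above the definition: `/* Report whether the peer negotiated RFC 5746 secure renegotiation, or, for protocol versions without renegotiation (TLS 1.3 and later), say so instead. */`. As a point of style, the else branch hands a literal with no conversion specifiers to BIO_printf; `BIO_puts(bio, "This TLS version forbids renegotiation.\n");` is the plainer form. The function also depends on the SSL_VERSION_ALLOWS_RENEGOTIATION macro from s_apps.h, so it relies on that include being present earlier in s_cb.c, which is not visible in this hunk.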
diff --git a/apps/s_client.c b/apps/s_client.c
index a914238642..182f7d9ddb 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -3244,8 +3244,9 @@ static void print_stuff(BIO *bio, SSL *s, int full)
BIO_printf(bio, "Server public key is %d bit\n",
EVP_PKEY_get_bits(pktmp));
}
- BIO_printf(bio, "Secure Renegotiation IS%s supported\n",
- SSL_get_secure_renegotiation_support(s) ? "" : " NOT");
+
+ ssl_print_secure_renegotiation_notes(bio, s);
+
#ifndef OPENSSL_NO_COMP
comp = SSL_get_current_compression(s);
expansion = SSL_get_current_expansion(s);
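Review bot: The replacement call in print_stuff is padded with an empty line on each side, which separates it from the closing brace above and the `#ifndef OPENSSL_NO_COMP` below, whereas the equivalent replacement in s_server.c's www_body hunk is inserted without any padding; the two should use one form. print_connection_info in s_server.c carries the same padding as this hunk. I would drop the two added blank lines and keep just `ssl_print_secure_renegotiation_notes(bio, s);` in place of the removed BIO_printf. print_stuff begins and ends outside the hunk.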
diff --git a/apps/s_server.c b/apps/s_server.c
index cfd3deb1be..843598ca9d 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -2995,8 +2995,9 @@ static void print_connection_info(SSL *con)
#endif
if (SSL_session_reused(con))
BIO_printf(bio_s_out, "Reused session-id\n");
- BIO_printf(bio_s_out, "Secure Renegotiation IS%s supported\n",
- SSL_get_secure_renegotiation_support(con) ? "" : " NOT");
+
+ ssl_print_secure_renegotiation_notes(bio_s_out, con);
+
if ((SSL_get_options(con) & SSL_OP_NO_RENEGOTIATION))
BIO_printf(bio_s_out, "Renegotiation is DISABLED\n");
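Review bot: For a TLS 1.3 connection on which SSL_OP_NO_RENEGOTIATION is set, the new helper prints "This TLS version forbids renegotiation." and the unchanged check immediately after it still prints "Renegotiation is DISABLED", so the same fact is reported twice with different wording. Gating the existing check with the new macro keeps the output to one line per connection: `if (SSL_VERSION_ALLOWS_RENEGOTIATION(con) && (SSL_get_options(con) & SSL_OP_NO_RENEGOTIATION))`. Whether s_server ever sets that option on a TLS 1.3 session is not visible from this hunk, so this may be cosmetic rather than something a user will actually see. print_connection_info begins and ends outside the hunk.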
@@ -3230,10 +3231,7 @@ static int www_body(int s, int stype, int prot, unsigned char *context)
}
BIO_puts(io, "\n");
- BIO_printf(io,
- "Secure Renegotiation IS%s supported\n",
- SSL_get_secure_renegotiation_support(con) ?
- "" : " NOT");
+ ssl_print_secure_renegotiation_notes(io, con);
/*
* The following is evil and should not really be done