authorPaul Yang <paulyang.inf@gmail.com>2017-06-16 18:12:02 +0800
committerRich Salz <rsalz@openssl.org>2017-06-16 17:00:22 -0400
commit837f87c217fd595c814c4e1ab47ec1842d29b60d (patch)
tree06f5a526fb5715cf9eeb8d0811d793fb31b59b10 /apps
parent6ea3bca427b3e759939a63555821d0c4678dd79c (diff)
Forbid to specify -nextprotoneg if -tls1_3 is enabled
This applies to both the s_client and s_server apps. Reaction to Issue #3665. Signed-off-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3697)
Diffstat (limited to 'apps')
-rw-r--r--apps/s_client.c6
-rw-r--r--apps/s_server.c6
2 files changed, 12 insertions, 0 deletions
diff --git a/apps/s_client.c b/apps/s_client.c
index 8af3853e4b..ad0eaec562 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -1424,6 +1424,12 @@ int s_client_main(int argc, char **argv)
if (argc != 0)
goto opthelp;
+#ifndef OPENSSL_NO_NEXTPROTONEG
+ if (min_version == TLS1_3_VERSION && next_proto_neg_in != NULL) {
+ BIO_printf(bio_err, "Cannot supply -nextprotoneg with TLSv1.3\n");
+ goto opthelp;
+ }
+#endif
if (proxystr != NULL) {
int res;
char *tmp_host = host, *tmp_port = port;
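Review bot: The new guard in s_client_main fires only when `min_version == TLS1_3_VERSION`, so `-nextprotoneg` is still accepted whenever TLSv1.3 is merely allowed rather than forced, and nothing in the code says that this is intentional. A short comment above the `#ifndef` would record the reasoning, e.g. `/* NPN is not defined for TLSv1.3; reject it only when 1.3 is the minimum, since lower versions can still negotiate it */`. Writing the test as `min_version >= TLS1_3_VERSION` would also keep it correct if a higher version constant is ever added. The same applies to the identical block in the s_server.c hunk. Both functions begin and continue outside the hunks, so how min_version gets set is not visible here.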
diff --git a/apps/s_server.c b/apps/s_server.c
index 26947c31f3..930ef6e4a8 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -1536,6 +1536,12 @@ int s_server_main(int argc, char *argv[])
argc = opt_num_rest();
argv = opt_rest();
+#ifndef OPENSSL_NO_NEXTPROTONEG
+ if (min_version == TLS1_3_VERSION && next_proto_neg_in != NULL) {
+ BIO_printf(bio_err, "Cannot supply -nextprotoneg with TLSv1.3\n");
+ goto opthelp;
+ }
+#endif
#ifndef OPENSSL_NO_DTLS
if (www && socket_type == SOCK_DGRAM) {
BIO_printf(bio_err, "Can't use -HTTP, -www or -WWW with DTLS\n");