Teach bssl server about -max-version and -min-version.

Change-Id: Ifbfae883638b35bb274f2002bc53fbba77c7aa85
Reviewed-on: https://boringssl-review.googlesource.com/8821
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
This commit is contained in:
David Benjamin 2016-07-16 14:51:58 +02:00
parent f5975d865b
commit 225e5ade82
4 changed files with 50 additions and 21 deletions

View File

@ -105,27 +105,6 @@ static ScopedEVP_PKEY LoadPrivateKey(const std::string &file) {
return pkey;
}
static bool VersionFromString(uint16_t *out_version,
const std::string& version) {
if (version == "ssl3") {
*out_version = SSL3_VERSION;
return true;
} else if (version == "tls1" || version == "tls1.0") {
*out_version = TLS1_VERSION;
return true;
} else if (version == "tls1.1") {
*out_version = TLS1_1_VERSION;
return true;
} else if (version == "tls1.2") {
*out_version = TLS1_2_VERSION;
return true;
} else if (version == "tls1.3") {
*out_version = TLS1_3_VERSION;
return true;
}
return false;
}
static int NextProtoSelectCallback(SSL* ssl, uint8_t** out, uint8_t* outlen,
const uint8_t* in, unsigned inlen, void* arg) {
*out = reinterpret_cast<uint8_t *>(arg);

View File

@ -30,6 +30,14 @@ static const struct argument kArguments[] = {
"-cipher", kOptionalArgument,
"An OpenSSL-style cipher suite string that configures the offered ciphers",
},
{
"-max-version", kOptionalArgument,
"The maximum acceptable protocol version",
},
{
"-min-version", kOptionalArgument,
"The minimum acceptable protocol version",
},
{
"-key", kOptionalArgument,
"Private-key file to use (default is server.pem)",
@ -118,6 +126,26 @@ bool Server(const std::vector<std::string> &args) {
return false;
}
if (args_map.count("-max-version") != 0) {
uint16_t version;
if (!VersionFromString(&version, args_map["-max-version"])) {
fprintf(stderr, "Unknown protocol version: '%s'\n",
args_map["-max-version"].c_str());
return false;
}
SSL_CTX_set_max_version(ctx, version);
}
if (args_map.count("-min-version") != 0) {
uint16_t version;
if (!VersionFromString(&version, args_map["-min-version"])) {
fprintf(stderr, "Unknown protocol version: '%s'\n",
args_map["-min-version"].c_str());
return false;
}
SSL_CTX_set_min_version(ctx, version);
}
if (args_map.count("-ocsp-response") != 0 &&
!LoadOCSPResponse(ctx, args_map["-ocsp-response"].c_str())) {
fprintf(stderr, "Failed to load OCSP response: %s\n", args_map["-ocsp-response"].c_str());

View File

@ -181,6 +181,26 @@ out:
return ok;
}
bool VersionFromString(uint16_t *out_version, const std::string &version) {
if (version == "ssl3") {
*out_version = SSL3_VERSION;
return true;
} else if (version == "tls1" || version == "tls1.0") {
*out_version = TLS1_VERSION;
return true;
} else if (version == "tls1.1") {
*out_version = TLS1_1_VERSION;
return true;
} else if (version == "tls1.2") {
*out_version = TLS1_2_VERSION;
return true;
} else if (version == "tls1.3") {
*out_version = TLS1_3_VERSION;
return true;
}
return false;
}
void PrintConnectionInfo(const SSL *ssl) {
const SSL_CIPHER *cipher = SSL_get_current_cipher(ssl);

View File

@ -31,6 +31,8 @@ bool Connect(int *out_sock, const std::string &hostname_and_port);
// It returns true on success and false otherwise.
bool Accept(int *out_sock, const std::string &port);
bool VersionFromString(uint16_t *out_version, const std::string &version);
void PrintConnectionInfo(const SSL *ssl);
bool SocketSetNonBlocking(int sock, bool is_non_blocking);