author | nelsonb%netscape.com <devnull@localhost> | 2000-05-24 03:44:50 +0000 |
---|---|---|
committer | nelsonb%netscape.com <devnull@localhost> | 2000-05-24 03:44:50 +0000 |
commit | 2d731d571f3bfa43272e5d52ef4c514b43a6c34e (patch) | |
tree | d29b917c8000c19c19bba7bfb505f6734e79ab51 | |
parent | 065d4a55f094775d6542b63d76830a2a0770c64f (diff) | |
download | nss-hg-2d731d571f3bfa43272e5d52ef4c514b43a6c34e.tar.gz |
Correct the implementation of the options for disabling SSL2, SSL3 and TLS.
Add a new -R option to selfserv, which disables detection of rollback from
TLS to SSL3.0. This is necessary for testing with broken TLS clients.
-rw-r--r-- | security/nss/cmd/selfserv/selfserv.c | 55 | ||||
-rw-r--r-- | security/nss/cmd/tstclnt/tstclnt.c | 33 |
2 files changed, 44 insertions, 44 deletions
diff --git a/security/nss/cmd/selfserv/selfserv.c b/security/nss/cmd/selfserv/selfserv.c
index 57d6554ad..37fdedf38 100644
--- a/security/nss/cmd/selfserv/selfserv.c
+++ b/security/nss/cmd/selfserv/selfserv.c
@@ -143,9 +143,11 @@ Usage(const char *progName)
 {
 fprintf(stderr,
-"Usage: %s -n rsa_nickname -p port [-3mrvx] [-w password]\n"
+"Usage: %s -n rsa_nickname -p port [-3RTmrvx] [-w password]\n"
 " [-c ciphers] [-d dbdir] [-f fortezza_nickname] \n"
 "-3 means disable SSL v3\n"
+"-T means disable TLS\n"
+"-R means disable detection of rollback from TLS to SSL3\n"
 "-m means test the model-socket feature of SSL_ImportFD.\n"
 "-r flag is interepreted as follows:\n"
 " 1 -r means request, not require, cert on initial handshake.\n"
@@ -223,7 +225,7 @@ networkEnd(void)
 #endif
 }
-static void
+static const char *
 errWarn(char * funcString)
 {
 PRErrorCode perr = PR_GetError();
@@ -231,6 +233,7 @@ errWarn(char * funcString)
 fprintf(stderr, "exit after %s with error %d:\n%s\n", funcString, perr, errString);
+ return errString;
 }
 static void
@@ -529,7 +532,10 @@ destroy_thread_data(void)
 ** End thread management routines.
 **************************************************************************/
-PRBool useModelSocket = PR_FALSE;
+PRBool useModelSocket = PR_FALSE;
+PRBool disableSSL3 = PR_FALSE;
+PRBool disableTLS = PR_FALSE;
+PRBool disableRollBack = PR_FALSE;
 static const char stopCmd[] = { "GET /stop " };
 static const char outHeader[] = {
@@ -823,7 +829,7 @@ handle_connection(
 PR_TRANSMITFILE_KEEP_OPEN, PR_INTERVAL_NO_TIMEOUT);
 if (bytes < 0) {
- errWarn("PR_TransmitFile");
+ errString = errWarn("PR_TransmitFile");
 i = PORT_Strlen(errString);
 PORT_Memcpy(buf, errString, i);
 goto send_answer;
@@ -963,10 +969,7 @@ server_main(
 unsigned short port,
 int requestCert,
 SECKEYPrivateKey ** privKey,
- CERTCertificate ** cert,
- PRBool useModelSocket,
- PRBool disableSSL3,
- PRBool disableTLS)
+ CERTCertificate ** cert)
 {
 PRFileDesc *listen_sock;
 PRFileDesc *model_sock = NULL;
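Review bot: The new usage line for -R describes the switch but not its consequence: turning off rollback detection removes the server's only defence against a TLS-capable peer being downgraded to SSL3, and the commit message itself limits it to testing broken clients. I would say so where operators will read it, e.g. `"-R means disable detection of rollback from TLS to SSL3 (testing only; weakens downgrade protection)\n"`. Usage's body continues outside this hunk.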
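Review bot: The three new flags `disableSSL3`, `disableTLS` and `disableRollBack` are file-scope but not `static`, so they become external symbols even though, as far as the diff shows, only this file sets them (in main) and reads them (in server_main); `static PRBool disableSSL3 = PR_FALSE;` and likewise for the other two keeps them private, matching the neighbouring `static const char stopCmd[]`. Since server_main now reads them instead of receiving them as parameters, a one-line comment stating that they are set once during option parsing before any connection is handled would document the ordering the code relies on.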
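Review bot: `errString = errWarn("PR_TransmitFile");` feeds the returned pointer straight into `PORT_Strlen` and `PORT_Memcpy` without checking it, and the hunk does not show where errWarn obtains errString, so whether it can be NULL for an unrecognised error code is not visible here; a guard such as `if (errString == NULL) errString = "unknown error";` before the `PORT_Strlen` call costs nothing and removes the doubt. The copy is also bounded only by the message length, not by the size of `buf`, whose declaration is outside the hunk — if `buf` is a fixed array, `i` should be clamped to its size before the memcpy. handle_connection starts and ends outside this hunk.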
@@ -1026,18 +1029,19 @@ server_main(
 }
 #endif
- if (disableSSL3) {
- rv = SSL_Enable(model_sock, SSL_ENABLE_SSL3, 0);
- if (rv != SECSuccess) {
- errExit("error disabling SSLv3 ");
- }
+ rv = SSL_Enable(model_sock, SSL_ENABLE_SSL3, !disableSSL3);
+ if (rv != SECSuccess) {
+ errExit("error enabling SSLv3 ");
 }
- if (!disableTLS) {
- rv = SSL_Enable(model_sock, SSL_ENABLE_TLS, 1);
- if (rv != SECSuccess) {
- errExit("error enabling TLS ");
- }
+ rv = SSL_Enable(model_sock, SSL_ENABLE_TLS, !disableTLS);
+ if (rv != SECSuccess) {
+ errExit("error enabling TLS ");
+ }
+
+ rv = SSL_Enable(model_sock, SSL_ROLLBACK_DETECTION, !disableRollBack);
+ if (rv != SECSuccess) {
+ errExit("error enabling RollBack detection ");
 }
 for (kea = kt_rsa; kea < kt_kea_size; kea++) {
@@ -1161,13 +1165,10 @@ main(int argc, char **argv)
 char * tmp;
 CERTCertificate * cert [kt_kea_size] = { NULL };
 SECKEYPrivateKey * privKey[kt_kea_size] = { NULL };
- int o;
 int requestCert = 0;
 unsigned short port = 0;
 SECStatus rv;
 PRBool useExportPolicy = PR_FALSE;
- PRBool disableSSL3 = PR_FALSE;
- PRBool disableTLS = PR_FALSE;
 PLOptState *optstate;
 tmp = strrchr(argv[0], '/');
@@ -1175,7 +1176,7 @@ main(int argc, char **argv)
 progName = strrchr(tmp, '\\');
 progName = progName ? progName + 1 : tmp;
- optstate = PL_CreateOptState(argc, argv, "T2:3c:d:p:mn:f:rvw:x");
+ optstate = PL_CreateOptState(argc, argv, "RT2:3c:d:p:mn:f:rvw:x");
 while (PL_GetNextOpt(optstate) == PL_OPT_OK) {
 switch(optstate->option) {
 default:
@@ -1185,6 +1186,8 @@ main(int argc, char **argv)
 case '3': disableSSL3 = PR_TRUE; break;
+ case 'R': disableRollBack = PR_TRUE; break;
+ case 'T': disableTLS = PR_TRUE; break;
 case 'c': cipherString = strdup(optstate->value); break;
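Review bot: `errExit("error enabling SSLv3 ")` is now also reached when the call was disabling SSLv3 (third argument `!disableSSL3` equal to 0), so the message misreports which operation failed; `errExit(disableSSL3 ? "error disabling SSLv3 " : "error enabling SSLv3 ")` keeps it accurate, and the TLS and rollback-detection calls below it have the same problem. Passing 0 for `SSL_ROLLBACK_DETECTION` makes this server accept a TLS-capable client that completes an SSL3 handshake, which is precisely the downgrade the check exists to catch, and nothing in the hunk surfaces that the server is running in that mode; since the commit message reserves -R for testing broken clients, I would print a one-line warning to stderr right after that `SSL_Enable` when `disableRollBack` is set so it cannot be left on unnoticed in a long-running test server. server_main's body starts and ends outside this hunk.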
@@ -1288,10 +1291,12 @@ main(int argc, char **argv)
 privKey[kt_fortezza] = PK11_FindKeyByAnyCert(cert[kt_fortezza], NULL);
 }
- SSL_ConfigMPServerSIDCache(256, 0, 0, NULL);
+ rv = SSL_ConfigMPServerSIDCache(256, 0, 0, NULL);
+ if (rv != SECSuccess) {
+ errExit("SSL_ConfigMPServerSIDCache");
+ }
- server_main(port, requestCert, privKey, cert, useModelSocket,
- disableSSL3, disableTLS);
+ server_main(port, requestCert, privKey, cert);
 NSS_Shutdown();
 PR_Cleanup();
diff --git a/security/nss/cmd/tstclnt/tstclnt.c b/security/nss/cmd/tstclnt/tstclnt.c
index 18e1a15e7..badb813df 100644
--- a/security/nss/cmd/tstclnt/tstclnt.c
+++ b/security/nss/cmd/tstclnt/tstclnt.c
@@ -170,6 +170,7 @@ static void Usage(const char *progName)
 printf("%-20s Nickname of key and cert for client auth\n", "-n nickname");
 printf("%-20s Disable SSL v2.\n", "-2");
 printf("%-20s Disable SSL v3.\n", "-3");
+ printf("%-20s Disable TLS (SSL v3.1).\n", "-T");
 printf("%-20s Override bad server cert. Make it OK.\n", "-o");
 printf("%-20s Use export policy.\n", "-x");
 printf("%-20s Letter(s) chosen from the following list\n", "-c ciphers");
@@ -257,7 +258,6 @@ int main(int argc, char **argv)
 PRInt32 filesReady;
 PRInt32 ip;
 int npds;
- int o;
 int override = 0;
 int disableSSL2 = 0;
 int disableSSL3 = 0;
@@ -439,27 +439,22 @@ int main(int argc, char **argv)
 }
 }
- if (disableSSL2) {
- rv = SSL_Enable(s, SSL_ENABLE_SSL2, 0);
- if (rv != SECSuccess) {
- SECU_PrintError(progName, "error disabling SSLv2 ");
- return -1;
- }
+ rv = SSL_Enable(s, SSL_ENABLE_SSL2, !disableSSL2);
+ if (rv != SECSuccess) {
+ SECU_PrintError(progName, "error enabling SSLv2 ");
+ return -1;
 }
- if (disableSSL3) {
- rv = SSL_Enable(s, SSL_ENABLE_SSL3, 0);
- if (rv != SECSuccess) {
- SECU_PrintError(progName, "error disabling SSLv3 ");
- return -1;
- }
+ rv = SSL_Enable(s, SSL_ENABLE_SSL3, !disableSSL3);
+ if (rv != SECSuccess) {
+ SECU_PrintError(progName, "error enabling SSLv3 ");
+ return -1;
 }
- if (!disableTLS) {
- rv = SSL_Enable(s, SSL_ENABLE_TLS, 1);
- if (rv != SECSuccess) {
- SECU_PrintError(progName, "error enabling TLS ");
- return -1;
- }
+
+ rv = SSL_Enable(s, SSL_ENABLE_TLS, !disableTLS);
+ if (rv != SECSuccess) {
+ SECU_PrintError(progName, "error enabling TLS ");
+ return -1;
 }
 #if 0
|
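Review bot: `rv = SSL_Enable(s, SSL_ENABLE_SSL2, !disableSSL2);` now switches SSL v2 on explicitly whenever -2 is absent, so the client overrides whatever the library's default for SSL2 is instead of inheriting it — the old code only ever turned it off; if that is intended it deserves a comment next to the three calls, e.g. `/* -2/-3/-T set each protocol version explicitly: without the flag the version is forced on, not left at the library default. */`. The three error strings also say "enabling" when the flag was in fact disabling the version, which misleads whoever reads the failure; `SECU_PrintError(progName, disableSSL2 ? "error disabling SSLv2 " : "error enabling SSLv2 ")` and the same shape for SSLv3 and TLS keeps them accurate. main starts and ends outside this hunk.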