From 77d52d51f7721a6d9e6e4f57eb57ecd73f684825 Mon Sep 17 00:00:00 2001
From: Hubert Kario
Date: Sat, 27 Feb 2021 09:46:35 +0000
Subject: Bug 1694214 - tstclnt can't enable middlebox compat mode r=beurdouche
Differential Revision: https://phabricator.services.mozilla.com/D106617
---
 cmd/tstclnt/tstclnt.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
 (limited to 'cmd')
diff --git a/cmd/tstclnt/tstclnt.c b/cmd/tstclnt/tstclnt.c
index 639cf4f24..2c108c612 100644
--- a/cmd/tstclnt/tstclnt.c
+++ b/cmd/tstclnt/tstclnt.c
@@ -332,6 +332,7 @@ PrintParameterUsage()
 "%-20s 0xAAAABBBBCCCCDDDD:mylabel. Otherwise, the default label of\n"
 "%-20s 'Client_identity' will be used.\n",
 "-z externalPsk", "", "", "");
+ fprintf(stderr, "%-20s Enable middlebox compatibility mode (TLS 1.3 only)\n", "-e");
 }
 
 static void
@@ -986,6 +987,7 @@ int enableSignedCertTimestamps = 0;
 int forceFallbackSCSV = 0;
 int enableExtendedMasterSecret = 0;
 PRBool requireDHNamedGroups = 0;
+PRBool middleboxCompatMode = 0;
 PRSocketOptionData opt;
 PRNetAddr addr;
 PRBool allowIPv4 = PR_TRUE;
@@ -1493,6 +1495,16 @@ run()
 }
 }
 
+ /* Middlebox compatibility mode (TLS 1.3 only) */
+ if (middleboxCompatMode) {
+ rv = SSL_OptionSet(s, SSL_ENABLE_TLS13_COMPAT_MODE, PR_TRUE);
+ if (rv != SECSuccess) {
+ SECU_PrintError(progName, "error enabling middlebox compatibility mode");
+ error = 1;
+ goto done;
+ }
+ }
+
 /* require the use of fixed finite-field DH groups */
 if (requireDHNamedGroups) {
 rv = SSL_OptionSet(s, SSL_REQUIRE_DH_NAMED_GROUPS, PR_TRUE);
@@ -1825,7 +1837,7 @@ main(int argc, char **argv)
 }
 
 optstate = PL_CreateOptState(argc, argv,
- "46A:BCDEFGHI:J:KL:M:N:OP:QR:STUV:W:X:YZa:bc:d:fgh:m:n:op:qr:st:uvw:x:z:");
+ "46A:BCDEFGHI:J:KL:M:N:OP:QR:STUV:W:X:YZa:bc:d:efgh:m:n:op:qr:st:uvw:x:z:");
 while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
 switch (optstate->option) {
 case '?':
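Review bot: The new `-e` help line is appended after the `-z externalPsk` entry at the end of PrintParameterUsage() and does not say what the mode changes on the wire. The 17 insertions in the diffstat are all accounted for by the hunks shown, so any one-line usage synopsis elsewhere in this file is not updated by this commit; it is worth confirming that `-e` is listed there too. I would also point the reader at the specification, e.g. `"%-20s Enable middlebox compatibility mode (TLS 1.3 only; RFC 8446 Appendix D.4)\n"`. The function body starts outside the hunk.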
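Review bot: In run(), the new block only checks the return value of `SSL_OptionSet`, so `-e` combined with a version range that excludes TLS 1.3 appears to be accepted silently, and the run would then not exercise compatibility mode at all. For a test client that is the case most likely to produce a misleading result, so it deserves at least a comment such as `/* Middlebox compatibility mode (RFC 8446 Appendix D.4); no effect unless TLS 1.3 is in the enabled version range */`, and ideally a warning on stderr when the enabled maximum is below TLS 1.3. The version-range handling is outside this hunk, so that interaction is inferred rather than shown. run() begins and ends outside the hunk.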
@@ -1996,6 +2008,10 @@ main(int argc, char **argv)
 certDir = PORT_Strdup(optstate->value);
 break;
 
+ case 'e':
+ middleboxCompatMode = PR_TRUE;
+ break;
+
 case 'f':
 clientSpeaksFirst = PR_TRUE;
 break;
-- cgit v1.2.1