[openssl-commits] [openssl] master update

Kurt Roeckx kurt at openssl.org
Wed Mar 9 18:51:14 UTC 2016


The branch master has been updated
       via  2b8fa1d56cd3a41d666994a1b2ed9df0f5e5d1ec (commit)
       via  885e601d97ff235615809db832874ff8dad9cb24 (commit)
       via  0d5301aff900970b09d2fe0c70d1038157d7638b (commit)
       via  1fc7d6664a3d118f9d5de217c9ffd154ed9ddb6f (commit)
      from  ca3895f0b52628df29bcf87e139971904f4b9b28 (commit)


- Log -----------------------------------------------------------------
commit 2b8fa1d56cd3a41d666994a1b2ed9df0f5e5d1ec
Author: Kurt Roeckx <kurt at roeckx.be>
Date:   Wed Mar 2 22:39:40 2016 +0100

    Deprecate the use of version-specific methods
    
    Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
    
    MR: #1824

commit 885e601d97ff235615809db832874ff8dad9cb24
Author: Kurt Roeckx <kurt at roeckx.be>
Date:   Wed Mar 2 22:38:08 2016 +0100

    Use version flexible method instead of fixed version
    
    Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
    
    MR: #1824

commit 0d5301aff900970b09d2fe0c70d1038157d7638b
Author: Kurt Roeckx <kurt at roeckx.be>
Date:   Tue Feb 2 23:58:49 2016 +0100

    Use minimum and maximum protocol version instead of version fixed methods
    
    Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
    
    MR: #1824

commit 1fc7d6664a3d118f9d5de217c9ffd154ed9ddb6f
Author: Kurt Roeckx <kurt at roeckx.be>
Date:   Tue Feb 2 23:16:20 2016 +0100

    Fix usage of OPENSSL_NO_*_METHOD
    
    Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
    
    MR: #1824

-----------------------------------------------------------------------

Summary of changes:
 apps/ciphers.c          |  26 +++----
 apps/s_client.c         |  49 ++++++++-----
 apps/s_server.c         |  43 +++++++-----
 apps/s_time.c           |   9 +--
 doc/ssl/SSL_CTX_new.pod |  14 +++-
 include/openssl/ssl.h   |  46 +++++++-----
 ssl/methods.c           | 181 ++++++++++++++++++++++++++++++++++++++----------
 ssl/ssl_lib.c           |   2 +-
 ssl/ssl_locl.h          |  20 +++++-
 ssl/statem/statem_lib.c |  12 ++--
 test/clienthellotest.c  |  26 ++-----
 test/heartbeat_test.c   |   2 +-
 test/ssltest.c          |  85 ++++++++++-------------
 13 files changed, 326 insertions(+), 189 deletions(-)

diff --git a/apps/ciphers.c b/apps/ciphers.c
index 3e1ed95..924c015 100644
--- a/apps/ciphers.c
+++ b/apps/ciphers.c
@@ -126,6 +126,7 @@ int ciphers_main(int argc, char **argv)
     char *ciphers = NULL, *prog;
     char buf[512];
     OPTION_CHOICE o;
+    int min_version = 0, max_version = 0;
 
     prog = opt_init(argc, argv, ciphers_options);
     while ((o = opt_next()) != OPT_EOF) {
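Review bot: The new `min_version`/`max_version` locals depend on 0 meaning "no bound", and nothing at the declaration says so. A short comment would make the convention explicit, for example `/* 0 = unset: lowest/highest version the method supports */`. The same declaration is added in s_client_main and s_server_main, and s_time_main declares only `max_version`. The body of ciphers_main continues outside this hunk.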
@@ -154,24 +155,20 @@ int ciphers_main(int argc, char **argv)
 #endif
             break;
         case OPT_SSL3:
-#ifndef OPENSSL_NO_SSL3
-            meth = SSLv3_client_method();
-#endif
+            min_version = SSL3_VERSION;
+            max_version = SSL3_VERSION;
             break;
         case OPT_TLS1:
-#ifndef OPENSSL_NO_TLS1
-            meth = TLSv1_client_method();
-#endif
+            min_version = TLS1_VERSION;
+            max_version = TLS1_VERSION;
             break;
         case OPT_TLS1_1:
-#ifndef OPENSSL_NO_TLS1_1
-            meth = TLSv1_1_client_method();
-#endif
+            min_version = TLS1_1_VERSION;
+            max_version = TLS1_1_VERSION;
             break;
         case OPT_TLS1_2:
-#ifndef OPENSSL_NO_TLS1_2
-            meth = TLSv1_2_client_method();
-#endif
+            min_version = TLS1_2_VERSION;
+            max_version = TLS1_2_VERSION;
             break;
         case OPT_PSK:
 #ifndef OPENSSL_NO_PSK
@@ -191,6 +188,11 @@ int ciphers_main(int argc, char **argv)
     ctx = SSL_CTX_new(meth);
     if (ctx == NULL)
         goto err;
+    if (SSL_CTX_set_min_proto_version(ctx, min_version) == 0)
+        goto err;
+    if (SSL_CTX_set_max_proto_version(ctx, max_version) == 0)
+        goto err;
+
 #ifndef OPENSSL_NO_PSK
     if (psk)
         SSL_CTX_set_psk_client_callback(ctx, dummy_psk);
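Review bot: A refused bound jumps to `err` without saying which version setting failed, so the user may get only a non-zero exit unless the `err` label (outside this hunk) prints the error queue. The s_client.c hunk shows the neighbouring `SSL_CTX_set1_param` failure printing a message and calling `ERR_print_errors(bio_err)`. The same treatment fits here, e.g. `BIO_printf(bio_err, "Error setting minimum protocol version\n");` before the `goto`, with a matching line for the maximum. The equivalent checks added in s_client_main, s_server_main and s_time_main have the same gap.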
diff --git a/apps/s_client.c b/apps/s_client.c
index c338b0c..38d7c32 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -928,6 +928,7 @@ int s_client_main(int argc, char **argv)
     char *ctlog_file = NULL;
     ct_validation_cb ct_validation = NULL;
 #endif
+    int min_version = 0, max_version = 0;
 
     FD_ZERO(&readfds);
     FD_ZERO(&writefds);
@@ -1199,25 +1200,30 @@ int s_client_main(int argc, char **argv)
 #ifndef OPENSSL_NO_SRP
         case OPT_SRPUSER:
             srp_arg.srplogin = opt_arg();
-            meth = TLSv1_client_method();
+            if (min_version < TLS1_VERSION)
+                min_version = TLS1_VERSION;
             break;
         case OPT_SRPPASS:
             srppass = opt_arg();
-            meth = TLSv1_client_method();
+            if (min_version < TLS1_VERSION)
+                min_version = TLS1_VERSION;
             break;
         case OPT_SRP_STRENGTH:
             srp_arg.strength = atoi(opt_arg());
             BIO_printf(bio_err, "SRP minimal length for N is %d\n",
                        srp_arg.strength);
-            meth = TLSv1_client_method();
+            if (min_version < TLS1_VERSION)
+                min_version = TLS1_VERSION;
             break;
         case OPT_SRP_LATEUSER:
             srp_lateuser = 1;
-            meth = TLSv1_client_method();
+            if (min_version < TLS1_VERSION)
+                min_version = TLS1_VERSION;
             break;
         case OPT_SRP_MOREGROUPS:
             srp_arg.amp = 1;
-            meth = TLSv1_client_method();
+            if (min_version < TLS1_VERSION)
+                min_version = TLS1_VERSION;
             break;
 #else
         case OPT_SRPUSER:
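Review bot: The SRP floor `if (min_version < TLS1_VERSION) min_version = TLS1_VERSION;` is applied inside each option case, so its effect depends on argument order. A later `-ssl3` assigns `min_version = SSL3_VERSION` unconditionally and undoes it, while an earlier `-ssl3` leaves `max_version = SSL3_VERSION` below the raised minimum. Neither conflict is reported to the user; how the library treats the second one is not visible here. Recording that an SRP option was seen and applying the floor once after the option loop, with an explicit error when it contradicts a pinned version, would remove the order dependence and the five-fold repetition. The comparison is also numeric on TLS version values, so its interaction with the DTLS options (whose version constants use a different numbering) is worth confirming. The two SRP cases in s_server.c follow the same pattern.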
@@ -1231,24 +1237,20 @@ int s_client_main(int argc, char **argv)
             ssl_config = opt_arg();
             break;
         case OPT_SSL3:
-#ifndef OPENSSL_NO_SSL3
-            meth = SSLv3_client_method();
-#endif
+            min_version = SSL3_VERSION;
+            max_version = SSL3_VERSION;
             break;
         case OPT_TLS1_2:
-#ifndef OPENSSL_NO_TLS1_2
-            meth = TLSv1_2_client_method();
-#endif
+            min_version = TLS1_2_VERSION;
+            max_version = TLS1_2_VERSION;
             break;
         case OPT_TLS1_1:
-#ifndef OPENSSL_NO_TLS1_1
-            meth = TLSv1_1_client_method();
-#endif
+            min_version = TLS1_1_VERSION;
+            max_version = TLS1_1_VERSION;
             break;
         case OPT_TLS1:
-#ifndef OPENSSL_NO_TLS1
-            meth = TLSv1_client_method();
-#endif
+            min_version = TLS1_VERSION;
+            max_version = TLS1_VERSION;
             break;
         case OPT_DTLS:
 #ifndef OPENSSL_NO_DTLS
@@ -1258,13 +1260,17 @@ int s_client_main(int argc, char **argv)
             break;
         case OPT_DTLS1:
 #ifndef OPENSSL_NO_DTLS1
-            meth = DTLSv1_client_method();
+            meth = DTLS_client_method();
+            min_version = DTLS1_VERSION;
+            max_version = DTLS1_VERSION;
             socket_type = SOCK_DGRAM;
 #endif
             break;
         case OPT_DTLS1_2:
 #ifndef OPENSSL_NO_DTLS1_2
-            meth = DTLSv1_2_client_method();
+            meth = DTLS_client_method();
+            min_version = DTLS1_2_VERSION;
+            max_version = DTLS1_2_VERSION;
             socket_type = SOCK_DGRAM;
 #endif
             break;
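Review bot: These two cases keep the `#ifndef OPENSSL_NO_DTLS1` and `#ifndef OPENSSL_NO_DTLS1_2` guards although the body now calls the version-flexible `DTLS_client_method()`, whereas the matching hunk in s_server.c switches both cases to `#ifndef OPENSSL_NO_DTLS`. The two tools should agree on one macro. When the guard compiles the body out, the case is an empty `break;`, so `meth` and `socket_type` keep whatever was set before. Unless the option table (not visible here) hides the option in such builds, `-dtls1` would then be accepted and silently ignored. A comment stating the intended behaviour for a build with the specific DTLS version disabled would help whichever guard is chosen.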
@@ -1566,6 +1572,11 @@ int s_client_main(int argc, char **argv)
         }
     }
 
+    if (SSL_CTX_set_min_proto_version(ctx, min_version) == 0)
+        goto end;
+    if (SSL_CTX_set_max_proto_version(ctx, max_version) == 0)
+        goto end;
+
     if (vpmtouched && !SSL_CTX_set1_param(ctx, vpm)) {
         BIO_printf(bio_err, "Error setting verify params\n");
         ERR_print_errors(bio_err);
diff --git a/apps/s_server.c b/apps/s_server.c
index af85dd7..e77f2f4 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -1066,6 +1066,7 @@ int s_server_main(int argc, char *argv[])
     char *srpuserseed = NULL;
     char *srp_verifier_file = NULL;
 #endif
+    int min_version = 0, max_version = 0;
 
     local_argc = argc;
     local_argv = argv;
@@ -1389,13 +1390,15 @@ int s_server_main(int argc, char *argv[])
         case OPT_SRPVFILE:
 #ifndef OPENSSL_NO_SRP
             srp_verifier_file = opt_arg();
-            meth = TLSv1_server_method();
+            if (min_version < TLS1_VERSION)
+                min_version = TLS1_VERSION;
 #endif
             break;
         case OPT_SRPUSERSEED:
 #ifndef OPENSSL_NO_SRP
             srpuserseed = opt_arg();
-            meth = TLSv1_server_method();
+            if (min_version < TLS1_VERSION)
+                min_version = TLS1_VERSION;
 #endif
             break;
         case OPT_REV:
@@ -1414,24 +1417,20 @@ int s_server_main(int argc, char *argv[])
             ssl_config = opt_arg();
             break;
         case OPT_SSL3:
-#ifndef OPENSSL_NO_SSL3
-            meth = SSLv3_server_method();
-#endif
+            min_version = SSL3_VERSION;
+            max_version = SSL3_VERSION;
             break;
         case OPT_TLS1_2:
-#ifndef OPENSSL_NO_TLS1_2
-            meth = TLSv1_2_server_method();
-#endif
+            min_version = TLS1_2_VERSION;
+            max_version = TLS1_2_VERSION;
             break;
         case OPT_TLS1_1:
-#ifndef OPENSSL_NO_TLS1_1
-            meth = TLSv1_1_server_method();
-#endif
+            min_version = TLS1_1_VERSION;
+            max_version = TLS1_1_VERSION;
             break;
         case OPT_TLS1:
-#ifndef OPENSSL_NO_TLS1
-            meth = TLSv1_server_method();
-#endif
+            min_version = TLS1_VERSION;
+            max_version = TLS1_VERSION;
             break;
         case OPT_DTLS:
 #ifndef OPENSSL_NO_DTLS
@@ -1440,14 +1439,18 @@ int s_server_main(int argc, char *argv[])
 #endif
             break;
         case OPT_DTLS1:
-#ifndef OPENSSL_NO_DTLS1
-            meth = DTLSv1_server_method();
+#ifndef OPENSSL_NO_DTLS
+            meth = DTLS_server_method();
+            min_version = DTLS1_VERSION;
+            max_version = DTLS1_VERSION;
             socket_type = SOCK_DGRAM;
 #endif
             break;
         case OPT_DTLS1_2:
-#ifndef OPENSSL_NO_DTLS1_2
-            meth = DTLSv1_2_server_method();
+#ifndef OPENSSL_NO_DTLS
+            meth = DTLS_server_method();
+            min_version = DTLS1_2_VERSION;
+            max_version = DTLS1_2_VERSION;
             socket_type = SOCK_DGRAM;
 #endif
             break;
@@ -1728,6 +1731,10 @@ int s_server_main(int argc, char *argv[])
         goto end;
         }
     }
+    if (SSL_CTX_set_min_proto_version(ctx, min_version) == 0)
+        goto end;
+    if (SSL_CTX_set_max_proto_version(ctx, max_version) == 0)
+        goto end;
 
     if (session_id_prefix) {
         if (strlen(session_id_prefix) >= 32)
diff --git a/apps/s_time.c b/apps/s_time.c
index cc9a979..f68002a 100644
--- a/apps/s_time.c
+++ b/apps/s_time.c
@@ -132,7 +132,7 @@ OPTIONS s_time_options[] = {
     {"bugs", OPT_BUGS, '-', "Turn on SSL bug compatibility"},
     {"verify", OPT_VERIFY, 'p',
      "Turn on peer certificate verification, set depth"},
-    {"time", OPT_TIME, 'p', "Sf seconds to collect data, default" SECONDSSTR},
+    {"time", OPT_TIME, 'p', "Seconds to collect data, default " SECONDSSTR},
     {"www", OPT_WWW, 's', "Fetch specified page from the site"},
 #ifndef OPENSSL_NO_SSL3
     {"ssl3", OPT_SSL3, '-', "Just use SSLv3"},
@@ -162,6 +162,7 @@ int s_time_main(int argc, char **argv)
         0, ver;
     long bytes_read = 0, finishtime = 0;
     OPTION_CHOICE o;
+    int max_version = 0;
 
     meth = TLS_client_method();
     verify_depth = 0;
@@ -230,9 +231,7 @@ int s_time_main(int argc, char **argv)
             }
             break;
         case OPT_SSL3:
-#ifndef OPENSSL_NO_SSL3
-            meth = SSLv3_client_method();
-#endif
+            max_version = SSL3_VERSION;
             break;
         }
     }
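Review bot: `-ssl3` sets only `max_version` here, whereas ciphers.c, s_client.c and s_server.c pin both bounds for the same option. The help text says "Just use SSLv3", which holds only as long as SSLv3 is the lowest version the method will negotiate. Declaring `min_version` next to `max_version` and adding `min_version = SSL3_VERSION;` (with the corresponding `SSL_CTX_set_min_proto_version` check) would make the pin explicit and keep the four tools consistent. The surrounding switch in s_time_main starts outside this hunk.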
@@ -251,6 +250,8 @@ int s_time_main(int argc, char **argv)
         goto end;
 
     SSL_CTX_set_quiet_shutdown(ctx, 1);
+    if (SSL_CTX_set_max_proto_version(ctx, max_version) == 0)
+        goto end;
 
     if (st_bugs)
         SSL_CTX_set_options(ctx, SSL_OP_ALL);
diff --git a/doc/ssl/SSL_CTX_new.pod b/doc/ssl/SSL_CTX_new.pod
index 53c79ae..f2cdc71 100644
--- a/doc/ssl/SSL_CTX_new.pod
+++ b/doc/ssl/SSL_CTX_new.pod
@@ -33,29 +33,39 @@ functions
  const SSL_METHOD *SSLv3_client_method(void);
  #endif
 
+ #ifndef OPENSSL_NO_TLS1_METHOD
  const SSL_METHOD *TLSv1_method(void);
  const SSL_METHOD *TLSv1_server_method(void);
  const SSL_METHOD *TLSv1_client_method(void);
+ #endif
 
+ #ifndef OPENSSL_NO_TLS1_1_METHOD
  const SSL_METHOD *TLSv1_1_method(void);
  const SSL_METHOD *TLSv1_1_server_method(void);
  const SSL_METHOD *TLSv1_1_client_method(void);
+ #endif
 
+ #ifndef OPENSSL_NO_TLS1_2_METHOD
  const SSL_METHOD *TLSv1_2_method(void);
  const SSL_METHOD *TLSv1_2_server_method(void);
  const SSL_METHOD *TLSv1_2_client_method(void);
+ #endif
 
  const SSL_METHOD *DTLS_method(void);
  const SSL_METHOD *DTLS_server_method(void);
  const SSL_METHOD *DTLS_client_method(void);
 
+ #ifndef OPENSSL_NO_DTLS1_METHOD
  const SSL_METHOD *DTLSv1_method(void);
  const SSL_METHOD *DTLSv1_server_method(void);
  const SSL_METHOD *DTLSv1_client_method(void);
+ #endif
 
+ #ifndef OPENSSL_NO_DTLS1_2_METHOD
  const SSL_METHOD *DTLSv1_2_method(void);
  const SSL_METHOD *DTLSv1_2_server_method(void);
  const SSL_METHOD *DTLSv1_2_client_method(void);
+ #endif
 
 =head1 DESCRIPTION
 
@@ -82,7 +92,7 @@ These are the general-purpose I<version-flexible> SSL/TLS methods.
 The actual protocol version used will be negotiated to the highest version
 mutually supported by the client and the server.
 The supported protocols are SSLv3, TLSv1, TLSv1.1 and TLSv1.2.
-Most applications should use these method, and avoid the version specific
+Applications should use these methods, and avoid the version-specific
 methods described below.
 
 =item SSLv23_method(), SSLv23_server_method(), SSLv23_client_method()
@@ -186,6 +196,8 @@ SSLv23_method(), SSLv23_server_method() and SSLv23_client_method()
 were deprecated and the preferred TLS_method(), TLS_server_method()
 and TLS_client_method() functions were introduced in OpenSSL 1.1.0.
 
+All version-specific methods were deprecated in OpenSSL 1.1.0.
+
 =head1 SEE ALSO
 
 L<SSL_CTX_set_options(3)>, L<SSL_CTX_free(3)>, L<SSL_accept(3)>,
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index cc2a47f..8b8908e 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1642,9 +1642,9 @@ __owur const char *SSL_get_version(const SSL *s);
 __owur int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth);
 
 # ifndef OPENSSL_NO_SSL3_METHOD
-__owur const SSL_METHOD *SSLv3_method(void); /* SSLv3 */
-__owur const SSL_METHOD *SSLv3_server_method(void); /* SSLv3 */
-__owur const SSL_METHOD *SSLv3_client_method(void); /* SSLv3 */
+DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *SSLv3_method(void)) /* SSLv3 */
+DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *SSLv3_server_method(void)) /* SSLv3 */
+DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *SSLv3_client_method(void)) /* SSLv3 */
 # endif
 
 #define SSLv23_method           TLS_method
@@ -1656,25 +1656,35 @@ __owur const SSL_METHOD *TLS_method(void);
 __owur const SSL_METHOD *TLS_server_method(void);
 __owur const SSL_METHOD *TLS_client_method(void);
 
-__owur const SSL_METHOD *TLSv1_method(void); /* TLSv1.0 */
-__owur const SSL_METHOD *TLSv1_server_method(void); /* TLSv1.0 */
-__owur const SSL_METHOD *TLSv1_client_method(void); /* TLSv1.0 */
+# ifndef OPENSSL_NO_TLS1_METHOD
+DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_method(void)) /* TLSv1.0 */
+DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_server_method(void)) /* TLSv1.0 */
+DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_client_method(void)) /* TLSv1.0 */
+# endif
 
-__owur const SSL_METHOD *TLSv1_1_method(void); /* TLSv1.1 */
-__owur const SSL_METHOD *TLSv1_1_server_method(void); /* TLSv1.1 */
-__owur const SSL_METHOD *TLSv1_1_client_method(void); /* TLSv1.1 */
+# ifndef OPENSSL_NO_TLS1_1_METHOD
+DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_1_method(void)) /* TLSv1.1 */
+DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_1_server_method(void)) /* TLSv1.1 */
+DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_1_client_method(void)) /* TLSv1.1 */
+# endif
 
-__owur const SSL_METHOD *TLSv1_2_method(void); /* TLSv1.2 */
-__owur const SSL_METHOD *TLSv1_2_server_method(void); /* TLSv1.2 */
-__owur const SSL_METHOD *TLSv1_2_client_method(void); /* TLSv1.2 */
+# ifndef OPENSSL_NO_TLS1_2_METHOD
+DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_2_method(void)) /* TLSv1.2 */
+DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_2_server_method(void)) /* TLSv1.2 */
+DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *TLSv1_2_client_method(void)) /* TLSv1.2 */
+# endif
 
-__owur const SSL_METHOD *DTLSv1_method(void); /* DTLSv1.0 */
-__owur const SSL_METHOD *DTLSv1_server_method(void); /* DTLSv1.0 */
-__owur const SSL_METHOD *DTLSv1_client_method(void); /* DTLSv1.0 */
+# ifndef OPENSSL_NO_DTLS1_METHOD
+DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *DTLSv1_method(void)) /* DTLSv1.0 */
+DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *DTLSv1_server_method(void)) /* DTLSv1.0 */
+DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *DTLSv1_client_method(void)) /* DTLSv1.0 */
+# endif
 
-__owur const SSL_METHOD *DTLSv1_2_method(void); /* DTLSv1.2 */
-__owur const SSL_METHOD *DTLSv1_2_server_method(void); /* DTLSv1.2 */
-__owur const SSL_METHOD *DTLSv1_2_client_method(void); /* DTLSv1.2 */
+# ifndef OPENSSL_NO_DTLS1_2_METHOD
+DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *DTLSv1_2_method(void)) /* DTLSv1.2 */
+DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *DTLSv1_2_server_method(void)) /* DTLSv1.2 */
+DEPRECATEDIN_1_1_0(__owur const SSL_METHOD *DTLSv1_2_client_method(void)) /* DTLSv1.2 */
+#endif
 
 __owur const SSL_METHOD *DTLS_method(void); /* DTLS 1.0 and 1.2 */
 __owur const SSL_METHOD *DTLS_server_method(void); /* DTLS 1.0 and 1.2 */
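Review bot: The directive closing the `# ifndef OPENSSL_NO_DTLS1_2_METHOD` block is written as `#endif`, while every other conditional added in this hunk uses the header's nested form `# endif`. It should read `# endif` to match. The added `DEPRECATEDIN_1_1_0(...)` lines also run past 80 columns with their trailing comments; dropping the comments or moving them above each group would keep the declarations readable.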
diff --git a/ssl/methods.c b/ssl/methods.c
index 6cd83dd..d66edff 100644
--- a/ssl/methods.c
+++ b/ssl/methods.c
@@ -107,7 +107,7 @@
  * Hudson (tjh at cryptsoft.com).
  *
  */
- 
+
 #include <stdio.h>
 #include <openssl/objects.h>
 #include "ssl_locl.h"
@@ -122,19 +122,19 @@ static const SSL_METHOD *tls1_get_method(int ver)
         return TLS_method();
 #ifndef OPENSSL_NO_TLS1_2
     if (ver == TLS1_2_VERSION)
-        return TLSv1_2_method();
+        return tlsv1_2_method();
 #endif
 #ifndef OPENSSL_NO_TLS1_1
     if (ver == TLS1_1_VERSION)
-        return TLSv1_1_method();
+        return tlsv1_1_method();
 #endif
 #ifndef OPENSSL_NO_TLS1
     if (ver == TLS1_VERSION)
-        return TLSv1_method();
+        return tlsv1_method();
 #endif
 #ifndef OPENSSL_NO_SSL3
     if (ver == SSL3_VERSION)
-        return (SSLv3_method());
+        return (sslv3_method());
     else
 #endif
     return NULL;
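Review bot: The renamed internal methods are referenced here under protocol guards such as `#ifndef OPENSSL_NO_TLS1_2`, but the next hunk still defines them under method guards such as `#ifndef OPENSSL_NO_TLS1_2_METHOD`. If a configuration can define the `_METHOD` macro without the protocol macro, `tlsv1_2_method()` would be called with no definition; whether that combination is possible is not visible in this diff. Since the public entry points are now separate wrappers, the `IMPLEMENT_*_meth_func` definitions could be keyed on the protocol macro (`#ifndef OPENSSL_NO_TLS1_2`), leaving only the wrappers under `_METHOD`. The same pairing occurs in the server, client and DTLS lookup functions and in the `tls_version_table` entries in statem_lib.c, and ssl_locl.h declares all of the lowercase methods unconditionally. The body of tls1_get_method begins outside this hunk.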
@@ -147,27 +147,27 @@ IMPLEMENT_tls_meth_func(TLS_ANY_VERSION, 0, 0,
 
 #ifndef OPENSSL_NO_TLS1_2_METHOD
 IMPLEMENT_tls_meth_func(TLS1_2_VERSION, 0, SSL_OP_NO_TLSv1_2,
-                        TLSv1_2_method,
+                        tlsv1_2_method,
                         ossl_statem_accept,
                         ossl_statem_connect, tls1_get_method, TLSv1_2_enc_data)
 #endif
 
 #ifndef OPENSSL_NO_TLS1_1_METHOD
 IMPLEMENT_tls_meth_func(TLS1_1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_TLSv1_1,
-                        TLSv1_1_method,
+                        tlsv1_1_method,
                         ossl_statem_accept,
                         ossl_statem_connect, tls1_get_method, TLSv1_1_enc_data)
 #endif
 
 #ifndef OPENSSL_NO_TLS1_METHOD
 IMPLEMENT_tls_meth_func(TLS1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_TLSv1,
-                        TLSv1_method,
+                        tlsv1_method,
                         ossl_statem_accept,
                         ossl_statem_connect, tls1_get_method, TLSv1_enc_data)
 #endif
 
 #ifndef OPENSSL_NO_SSL3_METHOD
-IMPLEMENT_ssl3_meth_func(SSLv3_method, ossl_statem_accept, ossl_statem_connect,
+IMPLEMENT_ssl3_meth_func(sslv3_method, ossl_statem_accept, ossl_statem_connect,
                          tls1_get_method)
 #endif
 
@@ -182,19 +182,19 @@ static const SSL_METHOD *tls1_get_server_method(int ver)
         return TLS_server_method();
 #ifndef OPENSSL_NO_TLS1_2
     if (ver == TLS1_2_VERSION)
-        return TLSv1_2_server_method();
+        return tlsv1_2_server_method();
 #endif
 #ifndef OPENSSL_NO_TLS1_1
     if (ver == TLS1_1_VERSION)
-        return TLSv1_1_server_method();
+        return tlsv1_1_server_method();
 #endif
 #ifndef OPENSSL_NO_TLS1
     if (ver == TLS1_VERSION)
-        return TLSv1_server_method();
+        return tlsv1_server_method();
 #endif
 #ifndef OPENSSL_NO_SSL3
     if (ver == SSL3_VERSION)
-        return (SSLv3_server_method());
+        return (sslv3_server_method());
 #endif
     return NULL;
 }
@@ -207,7 +207,7 @@ IMPLEMENT_tls_meth_func(TLS_ANY_VERSION, 0, 0,
 
 #ifndef OPENSSL_NO_TLS1_2_METHOD
 IMPLEMENT_tls_meth_func(TLS1_2_VERSION, 0, SSL_OP_NO_TLSv1_2,
-                        TLSv1_2_server_method,
+                        tlsv1_2_server_method,
                         ossl_statem_accept,
                         ssl_undefined_function,
                         tls1_get_server_method, TLSv1_2_enc_data)
@@ -215,7 +215,7 @@ IMPLEMENT_tls_meth_func(TLS1_2_VERSION, 0, SSL_OP_NO_TLSv1_2,
 
 #ifndef OPENSSL_NO_TLS1_1_METHOD
 IMPLEMENT_tls_meth_func(TLS1_1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_TLSv1_1,
-                        TLSv1_1_server_method,
+                        tlsv1_1_server_method,
                         ossl_statem_accept,
                         ssl_undefined_function,
                         tls1_get_server_method, TLSv1_1_enc_data)
@@ -223,14 +223,14 @@ IMPLEMENT_tls_meth_func(TLS1_1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_TLSv1_1,
 
 #ifndef OPENSSL_NO_TLS1_METHOD
 IMPLEMENT_tls_meth_func(TLS1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_TLSv1,
-                        TLSv1_server_method,
+                        tlsv1_server_method,
                         ossl_statem_accept,
                         ssl_undefined_function,
                         tls1_get_server_method, TLSv1_enc_data)
 #endif
 
 #ifndef OPENSSL_NO_SSL3_METHOD
-IMPLEMENT_ssl3_meth_func(SSLv3_server_method,
+IMPLEMENT_ssl3_meth_func(sslv3_server_method,
                          ossl_statem_accept,
                          ssl_undefined_function, tls1_get_server_method)
 #endif
@@ -246,19 +246,19 @@ static const SSL_METHOD *tls1_get_client_method(int ver)
         return TLS_client_method();
 #ifndef OPENSSL_NO_TLS1_2
     if (ver == TLS1_2_VERSION)
-        return TLSv1_2_client_method();
+        return tlsv1_2_client_method();
 #endif
 #ifndef OPENSSL_NO_TLS1_1
     if (ver == TLS1_1_VERSION)
-        return TLSv1_1_client_method();
+        return tlsv1_1_client_method();
 #endif
 #ifndef OPENSSL_NO_TLS1
     if (ver == TLS1_VERSION)
-        return TLSv1_client_method();
+        return tlsv1_client_method();
 #endif
 #ifndef OPENSSL_NO_SSL3
     if (ver == SSL3_VERSION)
-        return (SSLv3_client_method());
+        return (sslv3_client_method());
 #endif
     return NULL;
 }
@@ -271,7 +271,7 @@ IMPLEMENT_tls_meth_func(TLS_ANY_VERSION, 0, 0,
 
 #ifndef OPENSSL_NO_TLS1_2_METHOD
 IMPLEMENT_tls_meth_func(TLS1_2_VERSION, 0, SSL_OP_NO_TLSv1_2,
-                        TLSv1_2_client_method,
+                        tlsv1_2_client_method,
                         ssl_undefined_function,
                         ossl_statem_connect,
                         tls1_get_client_method, TLSv1_2_enc_data)
@@ -279,7 +279,7 @@ IMPLEMENT_tls_meth_func(TLS1_2_VERSION, 0, SSL_OP_NO_TLSv1_2,
 
 #ifndef OPENSSL_NO_TLS1_1_METHOD
 IMPLEMENT_tls_meth_func(TLS1_1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_TLSv1_1,
-                        TLSv1_1_client_method,
+                        tlsv1_1_client_method,
                         ssl_undefined_function,
                         ossl_statem_connect,
                         tls1_get_client_method, TLSv1_1_enc_data)
@@ -287,14 +287,14 @@ IMPLEMENT_tls_meth_func(TLS1_1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_TLSv1_1,
 
 #ifndef OPENSSL_NO_TLS1_METHOD
 IMPLEMENT_tls_meth_func(TLS1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_TLSv1,
-                        TLSv1_client_method,
+                        tlsv1_client_method,
                         ssl_undefined_function,
                         ossl_statem_connect,
                         tls1_get_client_method, TLSv1_enc_data)
 #endif
 
 #ifndef OPENSSL_NO_SSL3_METHOD
-IMPLEMENT_ssl3_meth_func(SSLv3_client_method,
+IMPLEMENT_ssl3_meth_func(sslv3_client_method,
                          ssl_undefined_function,
                          ossl_statem_connect, tls1_get_client_method)
 #endif
@@ -309,11 +309,11 @@ static const SSL_METHOD *dtls1_get_method(int ver)
         return DTLS_method();
 #ifndef OPENSSL_NO_DTLS1
     else if (ver == DTLS1_VERSION)
-        return DTLSv1_method();
+        return dtlsv1_method();
 #endif
 #ifndef OPENSSL_NO_DTLS1_2
     else if (ver == DTLS1_2_VERSION)
-        return DTLSv1_2_method();
+        return dtlsv1_2_method();
 #endif
     else
         return NULL;
@@ -321,7 +321,7 @@ static const SSL_METHOD *dtls1_get_method(int ver)
 
 #ifndef OPENSSL_NO_DTLS1_METHOD
 IMPLEMENT_dtls1_meth_func(DTLS1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_DTLSv1,
-                          DTLSv1_method,
+                          dtlsv1_method,
                           ossl_statem_accept,
                           ossl_statem_connect,
                           dtls1_get_method, DTLSv1_enc_data)
@@ -329,7 +329,7 @@ IMPLEMENT_dtls1_meth_func(DTLS1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_DTLSv1,
 
 #ifndef OPENSSL_NO_DTLS1_2_METHOD
 IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION, 0, SSL_OP_NO_DTLSv1_2,
-                          DTLSv1_2_method,
+                          dtlsv1_2_method,
                           ossl_statem_accept,
                           ossl_statem_connect,
                           dtls1_get_method, DTLSv1_2_enc_data)
@@ -351,11 +351,11 @@ static const SSL_METHOD *dtls1_get_server_method(int ver)
         return DTLS_server_method();
 #ifndef OPENSSL_NO_DTLS1
     else if (ver == DTLS1_VERSION)
-        return DTLSv1_server_method();
+        return dtlsv1_server_method();
 #endif
 #ifndef OPENSSL_NO_DTLS1_2
     else if (ver == DTLS1_2_VERSION)
-        return DTLSv1_2_server_method();
+        return dtlsv1_2_server_method();
 #endif
     else
         return NULL;
@@ -363,7 +363,7 @@ static const SSL_METHOD *dtls1_get_server_method(int ver)
 
 #ifndef OPENSSL_NO_DTLS1_METHOD
 IMPLEMENT_dtls1_meth_func(DTLS1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_DTLSv1,
-                          DTLSv1_server_method,
+                          dtlsv1_server_method,
                           ossl_statem_accept,
                           ssl_undefined_function,
                           dtls1_get_server_method, DTLSv1_enc_data)
@@ -371,7 +371,7 @@ IMPLEMENT_dtls1_meth_func(DTLS1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_DTLSv1,
 
 #ifndef OPENSSL_NO_DTLS1_2_METHOD
 IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION, 0, SSL_OP_NO_DTLSv1_2,
-                          DTLSv1_2_server_method,
+                          dtlsv1_2_server_method,
                           ossl_statem_accept,
                           ssl_undefined_function,
                           dtls1_get_server_method, DTLSv1_2_enc_data)
@@ -394,11 +394,11 @@ static const SSL_METHOD *dtls1_get_client_method(int ver)
         return DTLS_client_method();
 #ifndef OPENSSL_NO_DTLS1
     else if (ver == DTLS1_VERSION || ver == DTLS1_BAD_VER)
-        return DTLSv1_client_method();
+        return dtlsv1_client_method();
 #endif
 #ifndef OPENSSL_NO_DTLS1_2
     else if (ver == DTLS1_2_VERSION)
-        return DTLSv1_2_client_method();
+        return dtlsv1_2_client_method();
 #endif
     else
         return NULL;
@@ -406,7 +406,7 @@ static const SSL_METHOD *dtls1_get_client_method(int ver)
 
 #ifndef OPENSSL_NO_DTLS1_METHOD
 IMPLEMENT_dtls1_meth_func(DTLS1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_DTLSv1,
-                          DTLSv1_client_method,
+                          dtlsv1_client_method,
                           ssl_undefined_function,
                           ossl_statem_connect,
                           dtls1_get_client_method, DTLSv1_enc_data)
@@ -414,7 +414,7 @@ IMPLEMENT_dtls1_meth_func(DTLS1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_DTLSv1,
 
 #ifndef OPENSSL_NO_DTLS1_2_METHOD
 IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION, 0, SSL_OP_NO_DTLSv1_2,
-                          DTLSv1_2_client_method,
+                          dtlsv1_2_client_method,
                           ssl_undefined_function,
                           ossl_statem_connect,
                           dtls1_get_client_method, DTLSv1_2_enc_data)
@@ -425,3 +425,110 @@ IMPLEMENT_dtls1_meth_func(DTLS_ANY_VERSION, 0, 0,
                           ssl_undefined_function,
                           ossl_statem_connect,
                           dtls1_get_client_method, DTLSv1_2_enc_data)
+
+#if OPENSSL_API_COMPAT < 0x10100000L
+
+# ifndef OPENSSL_NO_TLS1_2_METHOD
+const SSL_METHOD *TLSv1_2_method(void)
+{
+    return tlsv1_2_method();
+}
+
+const SSL_METHOD *TLSv1_2_server_method(void)
+{
+    return tlsv1_2_server_method();
+}
+
+const SSL_METHOD *TLSv1_2_client_method(void)
+{
+    return tlsv1_2_client_method();
+}
+# endif
+
+# ifndef OPENSSL_NO_TLS1_1_METHOD
+const SSL_METHOD *TLSv1_1_method(void)
+{
+    return tlsv1_1_method();
+}
+
+const SSL_METHOD *TLSv1_1_server_method(void)
+{
+    return tlsv1_1_server_method();
+}
+
+const SSL_METHOD *TLSv1_1_client_method(void)
+{
+    return tlsv1_1_client_method();
+}
+# endif
+
+# ifndef OPENSSL_NO_TLS1_METHOD
+const SSL_METHOD *TLSv1_method(void)
+{
+    return tlsv1_method();
+}
+
+const SSL_METHOD *TLSv1_server_method(void)
+{
+    return tlsv1_server_method();
+}
+
+const SSL_METHOD *TLSv1_client_method(void)
+{
+    return tlsv1_client_method();
+}
+# endif
+
+# ifndef OPENSSL_NO_SSL3_METHOD
+const SSL_METHOD *SSLv3_method(void)
+{
+    return sslv3_method();
+}
+
+const SSL_METHOD *SSLv3_server_method(void)
+{
+    return sslv3_server_method();
+}
+
+const SSL_METHOD *SSLv3_client_method(void)
+{
+    return sslv3_client_method();
+}
+# endif
+
+# ifndef OPENSSL_NO_DTLS1_2_METHOD
+const SSL_METHOD *DTLSv1_2_method(void)
+{
+    return dtlsv1_2_method();
+}
+
+const SSL_METHOD *DTLSv1_2_server_method(void)
+{
+    return dtlsv1_2_server_method();
+}
+
+const SSL_METHOD *DTLSv1_2_client_method(void)
+{
+    return dtlsv1_2_client_method();
+}
+# endif
+
+# ifndef OPENSSL_NO_DTLS1_METHOD
+const SSL_METHOD *DTLSv1_method(void)
+{
+    return dtlsv1_method();
+}
+
+const SSL_METHOD *DTLSv1_server_method(void)
+{
+    return dtlsv1_server_method();
+}
+
+const SSL_METHOD *DTLSv1_client_method(void)
+{
+    return dtlsv1_client_method();
+}
+# endif
+
+#endif
+
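Review bot: The compatibility block has no comment explaining why these eighteen one-line wrappers exist or what callers should use instead. A header comment above `#if OPENSSL_API_COMPAT < 0x10100000L` should say that these are the deprecated version-specific entry points kept for older API levels. It should also say that new code is expected to use the version-flexible methods together with `SSL_CTX_set_min_proto_version()` and `SSL_CTX_set_max_proto_version()`. Labelling the final directive as `#endif /* OPENSSL_API_COMPAT < 0x10100000L */` would help in a block this long. The hunk also appears to end the file with an extra blank line, which can be dropped.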
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index ef8f6c0..dd39654 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -3054,7 +3054,7 @@ int ssl_undefined_const_function(const SSL *s)
     return (0);
 }
 
-SSL_METHOD *ssl_bad_method(int ver)
+const SSL_METHOD *ssl_bad_method(int ver)
 {
     SSLerr(SSL_F_SSL_BAD_METHOD, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
     return (NULL);
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index adce5ad..d01fb54 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -1734,7 +1734,25 @@ typedef struct ssl3_comp_st {
 
 extern SSL3_ENC_METHOD ssl3_undef_enc_method;
 
-SSL_METHOD *ssl_bad_method(int ver);
+__owur const SSL_METHOD *ssl_bad_method(int ver);
+__owur const SSL_METHOD *sslv3_method(void);
+__owur const SSL_METHOD *sslv3_server_method(void);
+__owur const SSL_METHOD *sslv3_client_method(void);
+__owur const SSL_METHOD *tlsv1_method(void);
+__owur const SSL_METHOD *tlsv1_server_method(void);
+__owur const SSL_METHOD *tlsv1_client_method(void);
+__owur const SSL_METHOD *tlsv1_1_method(void);
+__owur const SSL_METHOD *tlsv1_1_server_method(void);
+__owur const SSL_METHOD *tlsv1_1_client_method(void);
+__owur const SSL_METHOD *tlsv1_2_method(void);
+__owur const SSL_METHOD *tlsv1_2_server_method(void);
+__owur const SSL_METHOD *tlsv1_2_client_method(void);
+__owur const SSL_METHOD *dtlsv1_method(void);
+__owur const SSL_METHOD *dtlsv1_server_method(void);
+__owur const SSL_METHOD *dtlsv1_client_method(void);
+__owur const SSL_METHOD *dtlsv1_2_method(void);
+__owur const SSL_METHOD *dtlsv1_2_server_method(void);
+__owur const SSL_METHOD *dtlsv1_2_client_method(void);
 
 extern const SSL3_ENC_METHOD TLSv1_enc_data;
 extern const SSL3_ENC_METHOD TLSv1_1_enc_data;
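Review bot: The new block of lowercase `*_method` prototypes after `ssl_bad_method` has no comment saying how they differ from the public `TLSv1_method()` family, and nothing in the header makes that distinction visible. Elsewhere in this commit, the public wrappers in ssl/methods.c are guarded by `OPENSSL_NO_*_METHOD`, while the version tables in ssl/statem/statem_lib.c reference these internal functions under the protocol-level guards such as `OPENSSL_NO_TLS1_2`. I would add a comment above the block, for example `/* Internal fixed-version methods used by the version tables; declared regardless of OPENSSL_NO_*_METHOD */`. Without it, a later cleanup could re-guard them with the `_METHOD` macros and silently drop an enabled protocol from negotiation.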
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index 6be6e1d..a24060e 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -716,22 +716,22 @@ typedef struct {
 
 static const version_info tls_version_table[] = {
 #ifndef OPENSSL_NO_TLS1_2
-    { TLS1_2_VERSION, TLSv1_2_client_method, TLSv1_2_server_method },
+    { TLS1_2_VERSION, tlsv1_2_client_method, tlsv1_2_server_method },
 #else
     { TLS1_2_VERSION, NULL, NULL },
 #endif
 #ifndef OPENSSL_NO_TLS1_1
-    { TLS1_1_VERSION, TLSv1_1_client_method, TLSv1_1_server_method },
+    { TLS1_1_VERSION, tlsv1_1_client_method, tlsv1_1_server_method },
 #else
     { TLS1_1_VERSION, NULL, NULL },
 #endif
 #ifndef OPENSSL_NO_TLS1
-    { TLS1_VERSION, TLSv1_client_method, TLSv1_server_method },
+    { TLS1_VERSION, tlsv1_client_method, tlsv1_server_method },
 #else
     { TLS1_VERSION, NULL, NULL },
 #endif
 #ifndef OPENSSL_NO_SSL3
-    { SSL3_VERSION, SSLv3_client_method, SSLv3_server_method },
+    { SSL3_VERSION, sslv3_client_method, sslv3_server_method },
 #else
     { SSL3_VERSION, NULL, NULL },
 #endif
@@ -744,12 +744,12 @@ static const version_info tls_version_table[] = {
 
 static const version_info dtls_version_table[] = {
 #ifndef OPENSSL_NO_DTLS1_2
-    { DTLS1_2_VERSION, DTLSv1_2_client_method, DTLSv1_2_server_method },
+    { DTLS1_2_VERSION, dtlsv1_2_client_method, dtlsv1_2_server_method },
 #else
     { DTLS1_2_VERSION, NULL, NULL },
 #endif
 #ifndef OPENSSL_NO_DTLS1
-    { DTLS1_VERSION, DTLSv1_client_method, DTLSv1_server_method },
+    { DTLS1_VERSION, dtlsv1_client_method, dtlsv1_server_method },
 #else
     { DTLS1_VERSION, NULL, NULL },
 #endif
diff --git a/test/clienthellotest.c b/test/clienthellotest.c
index 8775661..71c6650 100644
--- a/test/clienthellotest.c
+++ b/test/clienthellotest.c
@@ -72,19 +72,13 @@
 #define EXTENSION_SIZE_LEN      2
 
 
-#define TOTAL_NUM_TESTS                         2
-
-/*
- * Test that explicitly setting ticket data results in it appearing in the
- * ClientHello for TLS1.2
- */
-#define TEST_SET_SESSION_TICK_DATA_TLS_1_2      0
+#define TOTAL_NUM_TESTS                         1
 
 /*
  * Test that explicitly setting ticket data results in it appearing in the
  * ClientHello for a negotiated SSL/TLS version
  */
-#define TEST_SET_SESSION_TICK_DATA_VER_NEG      1
+#define TEST_SET_SESSION_TICK_DATA_VER_NEG      0
 
 int main(int argc, char *argv[])
 {
@@ -114,15 +108,7 @@ int main(int argc, char *argv[])
      */
     for (; currtest < TOTAL_NUM_TESTS; currtest++) {
         testresult = 0;
-        if (currtest == TEST_SET_SESSION_TICK_DATA_TLS_1_2) {
-#ifndef OPENSSL_NO_TLS1_2
-            ctx = SSL_CTX_new(TLSv1_2_method());
-#else
-            continue;
-#endif
-        } else {
-            ctx = SSL_CTX_new(TLS_method());
-        }
+        ctx = SSL_CTX_new(TLS_method());
         con = SSL_new(ctx);
 
         rbio = BIO_new(BIO_s_mem());
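Review bot: Neither `ctx` nor `con` is checked before use. The new `ctx = SSL_CTX_new(TLS_method());` is followed directly by `con = SSL_new(ctx);`, and the next hunk hands `con` to `SSL_set_bio()`. A failed allocation would therefore most likely end in a NULL dereference rather than a reported test failure. Adding `if (ctx == NULL) goto end;` after the first call and `if (con == NULL) goto end;` after the second would fix that. The `end` label is used a few lines further down, but its cleanup code is outside this hunk, so confirm it tolerates NULL handles.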
@@ -130,8 +116,7 @@ int main(int argc, char *argv[])
         SSL_set_bio(con, rbio, wbio);
         SSL_set_connect_state(con);
 
-        if (currtest == TEST_SET_SESSION_TICK_DATA_TLS_1_2
-                || currtest == TEST_SET_SESSION_TICK_DATA_VER_NEG) {
+        if (currtest == TEST_SET_SESSION_TICK_DATA_VER_NEG) {
             if (!SSL_set_session_ticket_ext(con, dummytick, strlen(dummytick)))
                 goto end;
         }
@@ -183,8 +168,7 @@ int main(int argc, char *argv[])
                 goto end;
 
             if (type == TLSEXT_TYPE_session_ticket) {
-                if (currtest == TEST_SET_SESSION_TICK_DATA_TLS_1_2
-                        || currtest == TEST_SET_SESSION_TICK_DATA_VER_NEG) {
+                if (currtest == TEST_SET_SESSION_TICK_DATA_VER_NEG) {
                     if (size == strlen(dummytick)
                             && memcmp(data, dummytick, size) == 0) {
                         /* Ticket data is as we expected */
diff --git a/test/heartbeat_test.c b/test/heartbeat_test.c
index 453615a..2fda576 100644
--- a/test/heartbeat_test.c
+++ b/test/heartbeat_test.c
@@ -124,7 +124,7 @@ static HEARTBEAT_TEST_FIXTURE set_up(const char *const test_case_name,
 static HEARTBEAT_TEST_FIXTURE set_up_dtls(const char *const test_case_name)
 {
     HEARTBEAT_TEST_FIXTURE fixture = set_up(test_case_name,
-                                            DTLSv1_server_method());
+                                            DTLS_server_method());
     fixture.process_heartbeat = dtls1_process_heartbeat;
 
     /*
diff --git a/test/ssltest.c b/test/ssltest.c
index 64bf071..c3faad7 100644
--- a/test/ssltest.c
+++ b/test/ssltest.c
@@ -830,8 +830,8 @@ static void sv_usage(void)
     fprintf(stderr, " -psk arg      - PSK in hex (without 0x)\n");
 #endif
 #ifndef OPENSSL_NO_SRP
-    fprintf(stderr, " -srpuser user  - SRP username to use\n");
-    fprintf(stderr, " -srppass arg   - password for 'user'\n");
+    fprintf(stderr, " -srpuser user - SRP username to use\n");
+    fprintf(stderr, " -srppass arg  - password for 'user'\n");
 #endif
 #ifndef OPENSSL_NO_SSL3
     fprintf(stderr, " -ssl3         - use SSLv3\n");
@@ -840,7 +840,7 @@ static void sv_usage(void)
     fprintf(stderr, " -tls1         - use TLSv1\n");
 #endif
 #ifndef OPENSSL_NO_DTLS
-    fprintf(stderr, " -dtls        - use DTLS\n");
+    fprintf(stderr, " -dtls         - use DTLS\n");
 #ifndef OPENSSL_NO_DTLS1
     fprintf(stderr, " -dtls1        - use DTLSv1\n");
 #endif
@@ -1056,6 +1056,7 @@ int main(int argc, char *argv[])
     int fips_mode = 0;
 #endif
     int no_protocol;
+    int min_version = 0, max_version = 0;
 
 #ifndef OPENSSL_NO_CT
     /*
@@ -1186,12 +1187,12 @@ int main(int argc, char *argv[])
                 goto bad;
             srp_server_arg.expected_user = srp_client_arg.srplogin =
                 *(++argv);
-            tls1 = 1;
+            min_version = TLS1_VERSION;
         } else if (strcmp(*argv, "-srppass") == 0) {
             if (--argc < 1)
                 goto bad;
             srp_server_arg.pass = srp_client_arg.srppassin = *(++argv);
-            tls1 = 1;
+            min_version = TLS1_VERSION;
         }
 #endif
         else if (strcmp(*argv, "-tls1") == 0) {
@@ -1495,37 +1496,27 @@ int main(int argc, char *argv[])
     }
 #endif
 
-    /*
-     * At this point, ssl3/tls1 is only set if the protocol is available.
-     * (Otherwise we exit early.) However the compiler doesn't know this, so
-     * we ifdef.
-     */
-#ifndef OPENSSL_NO_DTLS
-#ifndef OPENSSL_NO_DTLS1
-    if (dtls1)
-        meth = DTLSv1_method();
-    else
-#endif
-#ifndef OPENSSL_NO_DTLS1_2
-    if (dtls12)
-        meth = DTLSv1_2_method();
-    else
+#ifndef OPENSSL_NO_TLS
+    meth = TLS_method();
+    if (ssl3) {
+        min_version = SSL3_VERSION;
+        max_version = SSL3_VERSION;
+    } else if (tls1) {
+        min_version = TLS1_VERSION;
+        max_version = TLS1_VERSION;
+    }
 #endif
-    if (dtls)
+#ifndef OPENSSL_NO_DTLS
+    if (dtls || dtls1 || dtls12)
         meth = DTLS_method();
-    else
-#endif
-#ifndef OPENSSL_NO_SSL3
-    if (ssl3)
-        meth = SSLv3_method();
-    else
-#endif
-#ifndef OPENSSL_NO_TLS1
-    if (tls1)
-        meth = TLSv1_method();
-    else
+    if (dtls1) {
+        min_version = DTLS1_VERSION;
+        max_version = DTLS1_VERSION;
+    } else if (dtls12) {
+        min_version = DTLS1_2_VERSION;
+        max_version = DTLS1_2_VERSION;
+    }
 #endif
-        meth = TLS_method();
 
     c_ctx = SSL_CTX_new(meth);
     s_ctx = SSL_CTX_new(meth);
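Review bot: `meth` is no longer assigned on every path. It is set inside `#ifndef OPENSSL_NO_TLS` and otherwise only when one of `dtls`, `dtls1` or `dtls12` is set, whereas the removed code ended in an unconditional `meth = TLS_method();`. A build with OPENSSL_NO_TLS that is run without a DTLS option therefore reaches `SSL_CTX_new(meth)` with whatever value the declaration gave it. The declaration is outside this hunk, so whether that value is NULL or indeterminate needs checking. If it is initialised to NULL, a guard before the two `SSL_CTX_new` calls such as `if (meth == NULL) { fprintf(stderr, "no protocol available\n"); goto end; }` would make the failure explicit.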
@@ -1543,6 +1534,15 @@ int main(int argc, char *argv[])
     SSL_CTX_set_security_level(s_ctx, 0);
     SSL_CTX_set_security_level(s_ctx2, 0);
 
+    if (SSL_CTX_set_min_proto_version(c_ctx, min_version) == 0)
+        goto end;
+    if (SSL_CTX_set_max_proto_version(c_ctx, max_version) == 0)
+        goto end;
+    if (SSL_CTX_set_min_proto_version(s_ctx, min_version) == 0)
+        goto end;
+    if (SSL_CTX_set_max_proto_version(s_ctx, max_version) == 0)
+        goto end;
+
     if (cipher != NULL) {
         if (!SSL_CTX_set_cipher_list(c_ctx, cipher)
             || !SSL_CTX_set_cipher_list(s_ctx, cipher)
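Review bot: The version bounds are applied to `c_ctx` and `s_ctx` but not to `s_ctx2`, which the context lines just above configure alongside them (`SSL_CTX_set_security_level(s_ctx2, 0)`). With the fixed-version methods gone, `-ssl3`, `-tls1`, `-dtls1` and `-dtls12` no longer constrain that context through `meth`, so it keeps the library's full version range, assuming it is also created from `meth` outside this hunk. Add `if (SSL_CTX_set_min_proto_version(s_ctx2, min_version) == 0) goto end;` and the matching `SSL_CTX_set_max_proto_version(s_ctx2, max_version)` check. The four existing checks also jump to `end` without any diagnostic; an `ERR_print_errors_fp(stderr);` before each `goto` would show why the run stopped.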
@@ -3557,7 +3557,7 @@ static unsigned int psk_server_callback(SSL *ssl, const char *identity,
 
 static int do_test_cipherlist(void)
 {
-#if !defined(OPENSSL_NO_SSL3) || !defined(OPENSSL_NO_TLS1)
+#ifndef OPENSSL_NO_TLS
     int i = 0;
     const SSL_METHOD *meth;
     const SSL_CIPHER *ci, *tci = NULL;
@@ -3567,10 +3567,8 @@ static int do_test_cipherlist(void)
      * call functions, thus avoiding auto-init
      */
     OPENSSL_init_crypto(0, NULL);
-#endif
 
-#ifndef OPENSSL_NO_SSL3
-    meth = SSLv3_method();
+    meth = TLS_method();
     tci = NULL;
     while ((ci = meth->get_cipher(i++)) != NULL) {
         if (tci != NULL)
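Review bot: The failure message of the retained loop probably still names SSLv3, although the cipher list now comes from `TLS_method()`. The loop's `fprintf` lines fall between this hunk and the next and are not shown, but the removed TLSv1 copy printed `testing TLSv1 cipher list order: `, so the surviving one presumably names SSLv3 in the same way. If so, change it to a neutral text such as `"testing TLS cipher list order: "`. A one-line comment above `meth = TLS_method();` would also help, stating that the loop fails when `ci->id >= tci->id`, i.e. that it expects `get_cipher()` to return strictly descending ids.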
@@ -3582,19 +3580,6 @@ static int do_test_cipherlist(void)
         tci = ci;
     }
 #endif
-#ifndef OPENSSL_NO_TLS1
-    meth = TLSv1_method();
-    tci = NULL;
-    while ((ci = meth->get_cipher(i++)) != NULL) {
-        if (tci != NULL)
-            if (ci->id >= tci->id) {
-                fprintf(stderr, "testing TLSv1 cipher list order: ");
-                fprintf(stderr, "failed %x vs. %x\n", ci->id, tci->id);
-                return 0;
-            }
-        tci = ci;
-    }
-#endif
 
     return 1;
 }

