[openssl-dev] [PATCH] Do not offer options like -ssl2, -tls1, -dtls if they are not compiled in

Ángel González angel at tls.16bits.net
Fri Mar 4 21:33:38 UTC 2016

Thanks for your promptly response, Viktor.
Viktor Dukhovni wrote:
> > On Mar 3, 2016, at 8:07 PM, Ángel González <angel at tls.16bits.net>
> > wrote:
> > 
> > They were showed in the help, but providing them failed with an
> > “unknown option” error, and showed the help which listed it
> > as a valid option.
> The patch is not right.  For example, when TLSv1 is disabled, it is
> not the case that TLSv1.1 and TLSv1.2 are disabled.  

When OPENSSL_NO_TLS1 is disabled, the -tls1_2, -tls1_1 and -tls1
options to s_client are not parsed. See lines 958-964:
> #ifndef OPENSSL_NO_TLS1
>         else if (strcmp(*argv, "-tls1_2") == 0)
>             meth = TLSv1_2_client_method();
>         else if (strcmp(*argv, "-tls1_1") == 0)
>             meth = TLSv1_1_client_method();
>         else if (strcmp(*argv, "-tls1") == 0)
>             meth = TLSv1_client_method();
> #endif

I agree it doesn't seem the best name to control tls 1.2, but I assumed
that they were all using some shared functions so that OPENSSL_NO_TLS1
meant you couldn't use any TLS x function. Also note that there are no
other OPENSSL_NO_TLS* macros which would apply to the minor versions
(the most similar is OPENSSL_NO_TLS1_2_CLIENT).
Do you have more information about *what* is the right behavior here?
Sadly, the macros don't seem to be documented.

> Secondly disabled
> features should report that the feature is disabled, not a bad usage
> message, as would be the case with a mistyped option.

I agree it's a much more sensible way of erroring out, and I would be
happy to prepare a patch that does that. Do note however that such is
the way s_client works, see lines 878-1124 where dozens of argparsing
strcmps are guarded by #ifdefs (as well as on sc_usage() function).
I tried to fix the inconsistency in the least disruptive way.

Additionally, do you have any preference about the branch? I prepared
the patch against the stable branch, since it's the one on which I
noticed the problem, but perhaps you prefer it against to master

Best regards

More information about the openssl-dev mailing list