Merge branch 'development' into dtls

* development: Adapt tests to new defaults/errors. Fix typos/cosmetics in Changelog Disable RC4 by default in example programs. Add ssl_set_arc4_support() Set min version to TLS 1.0 in programs Conflicts: include/polarssl/ssl.h library/ssl_cli.c library/ssl_srv.c tests/compat.sh
2025-08-01 10:06:53 +03:00 · 2015-01-21 13:57:33 +00:00
parent bfccdd3c92 51d81661dc
commit 67505bf9e8
14 changed files with 164 additions and 34 deletions
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@ -88,8 +88,9 @@ int main( int argc, char *argv[] )
 #define DFL_ALLOW_LEGACY        -2
 #define DFL_RENEGOTIATE         0
 #define DFL_EXCHANGES           1
-#define DFL_MIN_VERSION         -1
+#define DFL_MIN_VERSION         SSL_MINOR_VERSION_1
 #define DFL_MAX_VERSION         -1
+#define DFL_ARC4                SSL_ARC4_DISABLED
 #define DFL_AUTH_MODE           SSL_VERIFY_REQUIRED
 #define DFL_MFL_CODE            SSL_MAX_FRAG_LEN_NONE
 #define DFL_TRUNC_HMAC          -1
@ -136,6 +137,7 @@ struct options
    int exchanges;              /* number of data exchanges                 */
    int min_version;            /* minimum protocol version accepted        */
    int max_version;            /* maximum protocol version accepted        */
+    int arc4;                   /* flag for arc4 suites support             */
    int auth_mode;              /* verify mode for connection               */
    unsigned char mfl_code;     /* code for maximum fragment length         */
    int trunc_hmac;             /* negotiate truncated hmac or not          */
@ -386,6 +388,7 @@ static int my_verify( void *data, x509_crt *crt, int depth, int *flags )
    "\n"                                                    \
    "    min_version=%%s      default: \"\" (ssl3)\n"       \
    "    max_version=%%s      default: \"\" (tls1_2)\n"     \
+    "    arc4=%%d             default: 0 (disabled)\n"      \
    "    force_version=%%s    default: \"\" (none)\n"       \
    "                        options: ssl3, tls1, tls1_1, tls1_2, dtls1, dtls1_2\n" \
    "    auth_mode=%%s        default: \"required\"\n"      \
@ -478,6 +481,7 @@ int main( int argc, char *argv[] )
    opt.exchanges           = DFL_EXCHANGES;
    opt.min_version         = DFL_MIN_VERSION;
    opt.max_version         = DFL_MAX_VERSION;
+    opt.arc4                = DFL_ARC4;
    opt.auth_mode           = DFL_AUTH_MODE;
    opt.mfl_code            = DFL_MFL_CODE;
    opt.trunc_hmac          = DFL_TRUNC_HMAC;
@ -677,6 +681,15 @@ int main( int argc, char *argv[] )
            else
                goto usage;
        }
+        else if( strcmp( p, "arc4" ) == 0 )
+        {
+            switch( atoi( q ) )
+            {
+                case 0:     opt.arc4 = SSL_ARC4_DISABLED;   break;
+                case 1:     opt.arc4 = SSL_ARC4_ENABLED;    break;
+                default:    goto usage;
+            }
+        }
        else if( strcmp( p, "force_version" ) == 0 )
        {
            if( strcmp( q, "ssl3" ) == 0 )
@ -1113,8 +1126,11 @@ int main( int argc, char *argv[] )
    }
 #endif

+    /* RC4 setting is redundant if we use only one ciphersuite */
    if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER )
        ssl_set_ciphersuites( &ssl, opt.force_ciphersuite );
+    else
+        ssl_set_arc4_support( &ssl, opt.arc4 );

    if( opt.allow_legacy != DFL_ALLOW_LEGACY )
        ssl_legacy_renegotiation( &ssl, opt.allow_legacy );