Please find attached a simple patch which:

 * modifies ssl_cipher_process_rulestr() to permit a '.' in the name of
   an element
 * adds SSL_TXT_TLSV1_2 into cipher_aliases[]
 * updates apps/ciphers.c to guard the help text by OPENSSL_NO_*
 * adds -tls1.1 and -tls1.2 to apps/ciphers.c to use
   TLSv1_1_client_method() and TLSv1_2_client_method() respectively

plus a second patch for the documentation of ciphers(1).

$ LD_LIBRARY_PATH=$PWD ./apps/openssl ciphers -v TLSv1.2
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) 
Mac=AEAD
[...]

Regards,
-Phil

--- ssl/ssl_ciph.c.orig	2012-05-19 10:37:27.000000000 +0000
+++ ssl/ssl_ciph.c	2012-05-19 10:48:19.000000000 +0000
@@ -312,6 +312,7 @@ static const SSL_CIPHER cipher_aliases[]
 	{0,SSL_TXT_SSLV2,0,   0,0,0,0,SSL_SSLV2, 0,0,0,0},
 	{0,SSL_TXT_SSLV3,0,   0,0,0,0,SSL_SSLV3, 0,0,0,0},
 	{0,SSL_TXT_TLSV1,0,   0,0,0,0,SSL_TLSV1, 0,0,0,0},
+	{0,SSL_TXT_TLSV1_2,0,   0,0,0,0,SSL_TLSV1_2, 0,0,0,0},
 
 	/* export flag */
 	{0,SSL_TXT_EXP,0,     0,0,0,0,0,SSL_EXPORT,0,0,0},
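Review bot: The new `SSL_TXT_TLSV1_2` entry in cipher_aliases[] has no comment saying what it matches, and an operator can easily read `TLSv1.2` in a cipher string as "negotiate TLS 1.2 only". From the table layout it appears to filter suites by the `SSL_TLSV1_2` flag, in the same column as `SSL_TLSV1`, so it selects suites rather than restricting the protocol version. If that reading is right, a comment above the entry such as `/* selects suites that require TLS 1.2; does not restrict the negotiated protocol version */` would head off that misconfiguration. The alias also only parses once the '.' change to ssl_cipher_process_rulestr() is applied, so the two hunks need to land together. The array continues outside the hunk.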
@@ -1150,9 +1151,9 @@ static int ssl_cipher_process_rulestr(co
 			while (	((ch >= 'A') && (ch <= 'Z')) ||
 				((ch >= '0') && (ch <= '9')) ||
 				((ch >= 'a') && (ch <= 'z')) ||
-				 (ch == '-'))
+				 (ch == '-') || (ch == '.'))
 #else
-			while (	isalnum(ch) || (ch == '-'))
+			while (	isalnum(ch) || (ch == '-') || (ch == '.'))
 #endif
 				 {
 				 ch = *(++l);
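Review bot: Accepting '.' in both branches of the `#ifdef` widens the token grammar for every rule-string element, not only for `TLSv1.2`, and nothing in the code records why. A comment above the loop, for example `/* '.' is accepted so version aliases such as "TLSv1.2" are read as a single element */`, would state the intent and remind maintainers to keep the two branches in step. It is also worth confirming how a cipher string containing a stray '.' was handled before this change, since such a string may now resolve to a different element. That lookup and error path lies outside the hunk, as does the rest of the function.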
--- apps/ciphers.c.org	2012-05-19 10:17:35.000000000 +0000
+++ apps/ciphers.c	2012-05-19 10:23:01.000000000 +0000
@@ -73,9 +73,19 @@ static const char *ciphers_usage[]={
 "usage: ciphers args\n",
 " -v          - verbose mode, a textual listing of the SSL/TLS ciphers in OpenSSL\n",
 " -V          - even more verbose\n",
+#ifndef OPENSSL_NO_SSL2
 " -ssl2       - SSL2 mode\n",
+#endif
+#ifndef OPENSSL_NO_SSL3
 " -ssl3       - SSL3 mode\n",
+#endif
+#ifndef OPENSSL_NO_TLS1
 " -tls1       - TLS1 mode\n",
+" -tls1.1     - TLS1.1 mode\n",
+#ifndef OPENSSL_NO_TLS1_2_CLIENT
+" -tls1.2     - TLS1.2 mode\n",
+#endif
+#endif
 NULL
 };
 
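Review bot: The `-tls1.1` usage line is covered only by `OPENSSL_NO_TLS1`, while `-tls1.2` gets its own `OPENSSL_NO_TLS1_2_CLIENT` guard nested inside it, and the bare `#endif` lines make the nesting hard to follow. If the asymmetry is intentional, presumably because no separate TLS 1.1 switch exists, a one-line comment should say so. The closers should be labelled either way: `#endif /* OPENSSL_NO_TLS1_2_CLIENT */` and `#endif /* OPENSSL_NO_TLS1 */`. The same nesting appears in the option-parsing hunk in MAIN() further down and would benefit from the same labels, so that the help text and the accepted options cannot drift apart when a protocol is compiled out.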
@@ -137,6 +147,12 @@ int MAIN(int argc, char **argv)
 #ifndef OPENSSL_NO_TLS1
 		else if (strcmp(*argv,"-tls1") == 0)
 			meth=TLSv1_client_method();
+		else if (strcmp(*argv,"-tls1.1") == 0)
+			meth=TLSv1_1_client_method();
+#ifndef OPENSSL_NO_TLS1_2_CLIENT
+		else if (strcmp(*argv,"-tls1.2") == 0)
+			meth=TLSv1_2_client_method();
+#endif
 #endif
 		else if ((strncmp(*argv,"-h",2) == 0) ||
 			 (strcmp(*argv,"-?") == 0))
--- doc/apps/ciphers.pod.orig	2012-05-19 10:56:52.000000000 +0000
+++ doc/apps/ciphers.pod	2012-05-19 10:59:30.000000000 +0000
@@ -12,6 +12,8 @@ B<openssl> B<ciphers>
 [B<-ssl2>]
 [B<-ssl3>]
 [B<-tls1>]
+[B<-tls1.1>]
+[B<-tls1.2>]
 [B<cipherlist>]
 
 =head1 DESCRIPTION
@@ -50,6 +52,14 @@ only include SSL v2 ciphers.
 
 only include TLS v1 ciphers.
 
+=item B<-tls1.1>
+
+equivalent to -tls1.
+
+=item B<-tls1.2>
+
+only include TLS v1.2 ciphers.
+
 =item B<-h>, B<-?>
 
 print a brief usage message.
@@ -199,9 +209,9 @@ DH keys.  Not implemented.
 ciphers suites using FORTEZZA key exchange, authentication, encryption or all
 FORTEZZA algorithms. Not implemented.
 
-=item B<TLSv1>, B<SSLv3>, B<SSLv2>
+=item B<TLSv1.2>, B<TLSv1>, B<SSLv3>, B<SSLv2>
 
-TLS v1.0, SSL v3.0 or SSL v2.0 cipher suites respectively.
+TLS v1.2, TLS v1.0, SSL v3.0 or SSL v2.0 cipher suites respectively.
 
 =item B<DH>
 
