-rw-r--r-- | apps/s_apps.h | 1 | ||||
-rw-r--r-- | apps/s_cb.c | 18 | ||||
-rw-r--r-- | apps/s_client.c | 20 | ||||
-rw-r--r-- | apps/s_server.c | 2 |
4 files changed, 25 insertions, 16 deletions
diff --git a/apps/s_apps.h b/apps/s_apps.h
index bf27de2fae..aa0565d360 100644
--- a/apps/s_apps.h
+++ b/apps/s_apps.h
@@ -77,4 +77,5 @@ int ssl_load_stores(SSL_CTX *ctx, const char *vfyCApath,
                     int crl_download);
 void ssl_ctx_security_debug(SSL_CTX *ctx, int verbose);
 int set_keylog_file(SSL_CTX *ctx, const char *keylog_file);
+void print_ca_names(BIO *bio, SSL *s);
 #endif
diff --git a/apps/s_cb.c b/apps/s_cb.c
index 8c6ce48863..1b68164485 100644
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -1426,3 +1426,21 @@ int set_keylog_file(SSL_CTX *ctx, const char *keylog_file)
     SSL_CTX_set_keylog_callback(ctx, keylog_callback);
     return 0;
 }
+
+void print_ca_names(BIO *bio, SSL *s)
+{
+    const char *cs = SSL_is_server(s) ? "server" : "client";
+    const STACK_OF(X509_NAME) *sk = SSL_get0_peer_CA_list(s);
+    int i;
+
+    if (sk == NULL || sk_X509_NAME_num(sk) == 0) {
+        BIO_printf(bio, "---\nNo %s certificate CA names sent\n", cs);
+        return;
+    }
+
+    BIO_printf(bio, "---\nAcceptable %s certificate CA names\n",cs);
+    for (i = 0; i < sk_X509_NAME_num(sk); i++) {
+        X509_NAME_print_ex(bio, sk_X509_NAME_value(sk, i), 0, XN_FLAG_ONELINE);
+        BIO_write(bio, "\n", 1);
+    }
+}
diff --git a/apps/s_client.c b/apps/s_client.c
index 8e1a5dda0c..9267393582 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -588,7 +588,7 @@ const OPTIONS s_client_options[] = {
     {"no-CApath", OPT_NOCAPATH, '-',
      "Do not load certificates from the default certificates directory"},
     {"requestCAfile", OPT_REQCAFILE, '<',
-     "PEM format file of CA names sent to server"},
+     "PEM format file of CA names to send to the server"},
     {"dane_tlsa_domain", OPT_DANE_TLSA_DOMAIN, 's', "DANE TLSA base domain"},
     {"dane_tlsa_rrdata", OPT_DANE_TLSA_RRDATA, 's',
      "DANE TLSA rrdata presentation form"},
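Review bot: In the new print_ca_names() in s_cb.c the result of X509_NAME_print_ex() is discarded, so a name that fails to print still gets its trailing newline and the failure shows up only as a blank entry in the list; for these flags the call reports an error with a negative return, so the loop body should check it, e.g. `if (X509_NAME_print_ex(bio, sk_X509_NAME_value(sk, i), 0, XN_FLAG_ONELINE) < 0) return;`. The function also has no header comment although it is exported through s_apps.h; something like `/* Print the CA names received from the peer (SSL_get0_peer_CA_list), preceded by a "---" separator; the label names the local role's certificate, so a server prints the CAs its client accepts for the server certificate. */` would save the next reader the role inversion in `cs`. The names are peer-supplied, and XN_FLAG_ONELINE presumably escapes control characters where the old X509_NAME_oneline path in s_client.c did not, which is worth stating in that comment once confirmed. Minor style nit: `"\n",cs)` is missing the space after the comma that the rest of the file uses.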
@@ -1585,6 +1585,7 @@ int s_client_main(int argc, char **argv)
     }
     if (ReqCAfile != NULL) {
         STACK_OF(X509_NAME) *nm = sk_X509_NAME_new_null();
+
         if (nm == NULL || !SSL_add_file_cert_subjects_to_stack(nm, ReqCAfile)) {
             sk_X509_NAME_pop_free(nm, X509_NAME_free);
             BIO_printf(bio_err, "Error loading CA names\n");
@@ -2820,9 +2821,7 @@ static void print_stuff(BIO *bio, SSL *s, int full)
     X509 *peer = NULL;
     char buf[BUFSIZ];
     STACK_OF(X509) *sk;
-    STACK_OF(X509_NAME) *sk2;
     const SSL_CIPHER *c;
-    X509_NAME *xn;
     int i;
 #ifndef OPENSSL_NO_COMP
     const COMP_METHOD *comp, *expansion;
@@ -2864,21 +2863,10 @@ static void print_stuff(BIO *bio, SSL *s, int full)
             BIO_printf(bio, "subject=%s\n", buf);
             X509_NAME_oneline(X509_get_issuer_name(peer), buf, sizeof buf);
             BIO_printf(bio, "issuer=%s\n", buf);
-        } else
-            BIO_printf(bio, "no peer certificate available\n");
-
-        sk2 = SSL_get_client_CA_list(s);
-        if ((sk2 != NULL) && (sk_X509_NAME_num(sk2) > 0)) {
-            BIO_printf(bio, "---\nAcceptable client certificate CA names\n");
-            for (i = 0; i < sk_X509_NAME_num(sk2); i++) {
-                xn = sk_X509_NAME_value(sk2, i);
-                X509_NAME_oneline(xn, buf, sizeof(buf));
-                BIO_write(bio, buf, strlen(buf));
-                BIO_write(bio, "\n", 1);
-            }
         } else {
-            BIO_printf(bio, "---\nNo client certificate CA names sent\n");
+            BIO_printf(bio, "no peer certificate available\n");
         }
+        print_ca_names(bio, s);
         ssl_print_sigalgs(bio, s);
         ssl_print_tmp_key(bio, s);
diff --git a/apps/s_server.c b/apps/s_server.c
index 5858278b46..4bd2620c9f 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -2704,6 +2704,7 @@ static void print_connection_info(SSL *con)
     ssl_print_point_formats(bio_s_out, con);
     ssl_print_groups(bio_s_out, con, 0);
 #endif
+    print_ca_names(bio_s_out, con);
     BIO_printf(bio_s_out, "CIPHER is %s\n", (str != NULL) ? str : "(NONE)");
 #if !defined(OPENSSL_NO_NEXTPROTONEG)
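Review bot: The print_stuff() hunk at -2864 changes the on-the-wire text format of the "Acceptable client certificate CA names" section without saying so: the removed loop formatted each name with X509_NAME_oneline(), while the replacement print_ca_names() call formats with X509_NAME_print_ex(..., XN_FLAG_ONELINE), which presumably emits `C = US, O = Example` style rather than the old `/C=US/O=Example`. Anyone scraping s_client output for these lines will break, so this deserves a line in CHANGES and in the s_client documentation, and a short comment at the call site, `/* Format change: names now printed via X509_NAME_print_ex (ONELINE) */`, would make the intent visible in the code. The commit could also keep the old separators by passing XN_FLAG_COMPAT if compatibility matters more than escaping. print_stuff() starts and ends outside this hunk.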
@@ -2990,6 +2991,7 @@ static int www_body(int s, int stype, unsigned char *context)
 #ifndef OPENSSL_NO_EC
     ssl_print_groups(io, con, 0);
 #endif
+    print_ca_names(io, con);
     BIO_printf(io, (SSL_session_reused(con) ? "---\nReused, " : "---\nNew, "));
     c = SSL_get_current_cipher(con);