commit 1d29fb5e338249ac38e8573997bcda25d325719f
author Paul Bakker <p.j.bakker@polarssl.org> Fri Sep 28 13:28:45 2012 +0000
committer Paul Bakker <p.j.bakker@polarssl.org> Fri Sep 28 13:28:45 2012 +0000
tree e0a1e6af02653126caee806a87762b206f756f72
parent 5d19f86fdd88cfd1b5b01351e080530b929dd545

 - Added option to add minimum accepted SSL/TLS protocol version

programs/ssl/ssl_server2.c

diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index b98bff7..5076be3 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -59,6 +59,7 @@
 #define DFL_FORCE_CIPHER        0
 #define DFL_RENEGOTIATION       SSL_RENEGOTIATION_ENABLED
 #define DFL_ALLOW_LEGACY        SSL_LEGACY_NO_RENEGOTIATION
+#define DFL_MIN_VERSION         -1
 
 #define HTTP_RESPONSE \
     "HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n" \
@@ -79,6 +80,7 @@
     int force_ciphersuite[2];   /* protocol/ciphersuite to use, or all      */
     int renegotiation;          /* enable / disable renegotiation           */
     int allow_legacy;           /* allow legacy renegotiation               */
+    int min_version;            /* minimum protocol version accepted        */
 } opt;
 
 void my_debug( void *ctx, int level, const char *str )
@@ -110,6 +112,8 @@
     "    request_page=%%s     default: \".\"\n"             \
     "    renegotiation=%%d    default: 1 (enabled)\n"       \
     "    allow_legacy=%%d     default: 0 (disabled)\n"      \
+    "    min_version=%%s      default: \"ssl3\"\n"          \
+    "                        options: ssl3, tls1, tls1_1, tls1_2\n" \
     "    force_ciphersuite=<name>    default: all enabled\n"\
     " acceptable ciphersuite names:\n"
 
@@ -189,6 +193,7 @@
     opt.force_ciphersuite[0]= DFL_FORCE_CIPHER;
     opt.renegotiation       = DFL_RENEGOTIATION;
     opt.allow_legacy        = DFL_ALLOW_LEGACY;
+    opt.min_version         = DFL_MIN_VERSION;
 
     for( i = 1; i < argc; i++ )
     {
@@ -241,6 +246,19 @@
             if( opt.allow_legacy < 0 || opt.allow_legacy > 1 )
                 goto usage;
         }
+        else if( strcmp( p, "min_version" ) == 0 )
+        {
+            if( strcmp( q, "ssl3" ) == 0 )
+                opt.min_version = SSL_MINOR_VERSION_0;
+            else if( strcmp( q, "tls1" ) == 0 )
+                opt.min_version = SSL_MINOR_VERSION_1;
+            else if( strcmp( q, "tls1_1" ) == 0 )
+                opt.min_version = SSL_MINOR_VERSION_2;
+            else if( strcmp( q, "tls1_2" ) == 0 )
+                opt.min_version = SSL_MINOR_VERSION_3;
+            else
+                goto usage;
+        }
         else
             goto usage;
     }
@@ -395,6 +413,9 @@
                             POLARSSL_DHM_RFC5114_MODP_2048_G );
 #endif
 
+    if( opt.min_version != -1 )
+        ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, opt.min_version );
+
     printf( " ok\n" );
 
 reset:
@@ -464,7 +485,7 @@
         if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
         {
             printf( " failed\n  ! ssl_handshake returned -0x%x\n\n", -ret );
-            goto exit;
+            goto reset;
         }
     }