summaryrefslogtreecommitdiffstats
path: root/security/nss/cmd/selfserv
diff options
context:
space:
mode:
Diffstat (limited to 'security/nss/cmd/selfserv')
-rw-r--r--security/nss/cmd/selfserv/selfserv.c51
1 files changed, 32 insertions, 19 deletions
diff --git a/security/nss/cmd/selfserv/selfserv.c b/security/nss/cmd/selfserv/selfserv.c
index c372ec9b8..1784c9ee3 100644
--- a/security/nss/cmd/selfserv/selfserv.c
+++ b/security/nss/cmd/selfserv/selfserv.c
@@ -165,9 +165,8 @@ PrintUsageHeader(const char *progName)
" [-f password_file] [-L [seconds]] [-M maxProcs] [-P dbprefix]\n"
" [-V [min-version]:[max-version]] [-a sni_name]\n"
" [ T <good|revoked|unknown|badsig|corrupted|none|ocsp>] [-A ca]\n"
- " [-C SSLCacheEntries] [-S dsa_nickname] -Q [-I groups]"
- " [-e ec_nickname]"
- "\n"
+ " [-C SSLCacheEntries] [-S dsa_nickname] [-Q]\n"
+ " [-I groups] [-J signatureschemes] [-e ec_nickname]\n"
" -U [0|1] -H [0|1|2] -W [0|1]\n"
"\n",
progName);
@@ -179,7 +178,7 @@ PrintParameterUsage()
fputs(
"-V [min]:[max] restricts the set of enabled SSL/TLS protocol versions.\n"
" All versions are enabled by default.\n"
- " Possible values for min/max: ssl3 tls1.0 tls1.1 tls1.2\n"
+ " Possible values for min/max: ssl3 tls1.0 tls1.1 tls1.2 tls1.3\n"
" Example: \"-V ssl3:\" enables SSL 3 and newer.\n"
"-D means disable Nagle delays in TCP\n"
"-R means disable detection of rollback from TLS to SSL3\n"
@@ -195,7 +194,6 @@ PrintParameterUsage()
"-s means disable SSL socket locking for performance\n"
"-u means enable Session Ticket extension for TLS.\n"
"-v means verbose output\n"
- "-z means enable compression.\n"
"-L seconds means log statistics every 'seconds' seconds (default=30).\n"
"-M maxProcs tells how many processes to run in a multi-process server\n"
"-N means do NOT use the server session cache. Incompatible with -M.\n"
@@ -228,6 +226,13 @@ PrintParameterUsage()
"-I comma separated list of enabled groups for TLS key exchange.\n"
" The following values are valid:\n"
" P256, P384, P521, x25519, FF2048, FF3072, FF4096, FF6144, FF8192\n"
+ "-J comma separated list of enabled signature schemes in preference order.\n"
+ " The following values are valid:\n"
+ " rsa_pkcs1_sha1, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512,\n"
+ " ecdsa_sha1, ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384,\n"
+ " ecdsa_secp521r1_sha512,\n"
+ " rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512,\n"
+ " rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512,\n"
"-Z enable 0-RTT (for TLS 1.3; also use -u)\n",
stderr);
}
@@ -795,13 +800,14 @@ PRBool NoReuse = PR_FALSE;
PRBool hasSidCache = PR_FALSE;
PRBool disableLocking = PR_FALSE;
PRBool enableSessionTickets = PR_FALSE;
-PRBool enableCompression = PR_FALSE;
PRBool failedToNegotiateName = PR_FALSE;
PRBool enableExtendedMasterSecret = PR_FALSE;
PRBool zeroRTT = PR_FALSE;
PRBool enableALPN = PR_FALSE;
SSLNamedGroup *enabledGroups = NULL;
unsigned int enabledGroupsCount = 0;
+const SSLSignatureScheme *enabledSigSchemes = NULL;
+unsigned int enabledSigSchemeCount = 0;
static char *virtServerNameArray[MAX_VIRT_SERVER_NAME_ARRAY_INDEX];
static int virtServerNameIndex = 1;
@@ -1857,13 +1863,6 @@ server_main(
}
}
- if (enableCompression) {
- rv = SSL_OptionSet(model_sock, SSL_ENABLE_DEFLATE, PR_TRUE);
- if (rv != SECSuccess) {
- errExit("error enabling compression ");
- }
- }
-
if (virtServerNameIndex > 1) {
rv = SSL_SNISocketConfigHook(model_sock, mySSLSNISocketConfig,
(void *)&virtServerNameArray);
@@ -1970,6 +1969,13 @@ server_main(
}
}
+ if (enabledSigSchemes) {
+ rv = SSL_SignatureSchemePrefSet(model_sock, enabledSigSchemes, enabledSigSchemeCount);
+ if (rv < 0) {
+ errExit("SSL_SignatureSchemePrefSet failed");
+ }
+ }
+
/* This cipher is not on by default. The Acceptance test
* would like it to be. Turn this cipher on.
*/
@@ -2214,9 +2220,10 @@ main(int argc, char **argv)
/* please keep this list of options in ASCII collating sequence.
** numbers, then capital letters, then lower case, alphabetical.
** XXX: 'B', 'E', 'q', and 'x' were used in the past but removed
- ** in 3.28, please leave some time before resuing those. */
+ ** in 3.28, please leave some time before resuing those.
+ ** 'z' was removed in 3.39. */
optstate = PL_CreateOptState(argc, argv,
- "2:A:C:DGH:I:L:M:NP:QRS:T:U:V:W:YZa:bc:d:e:f:g:hi:jk:lmn:op:rst:uvw:yz");
+ "2:A:C:DGH:I:J:L:M:NP:QRS:T:U:V:W:YZa:bc:d:e:f:g:hi:jk:lmn:op:rst:uvw:y");
while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
++optionsFound;
switch (optstate->option) {
@@ -2429,10 +2436,6 @@ main(int argc, char **argv)
debugCache = PR_TRUE;
break;
- case 'z':
- enableCompression = PR_TRUE;
- break;
-
case 'Z':
zeroRTT = PR_TRUE;
break;
@@ -2451,6 +2454,16 @@ main(int argc, char **argv)
}
break;
+ case 'J':
+ rv = parseSigSchemeList(optstate->value, &enabledSigSchemes, &enabledSigSchemeCount);
+ if (rv != SECSuccess) {
+ PL_DestroyOptState(optstate);
+ fprintf(stderr, "Bad signature scheme specified.\n");
+ fprintf(stderr, "Run '%s -h' for usage information.\n", progName);
+ exit(5);
+ }
+ break;
+
default:
case '?':
fprintf(stderr, "Unrecognized or bad option specified.\n");