diff --git a/cmd/tstclnt/tstclnt.c b/cmd/tstclnt/tstclnt.c
index 639cf4f241..2c108c6124 100644
--- a/cmd/tstclnt/tstclnt.c
+++ b/cmd/tstclnt/tstclnt.c
@@ -332,6 +332,7 @@ PrintParameterUsage()
 "%-20s 0xAAAABBBBCCCCDDDD:mylabel. Otherwise, the default label of\n"
 "%-20s 'Client_identity' will be used.\n",
 "-z externalPsk", "", "", "");
+ fprintf(stderr, "%-20s Enable middlebox compatibility mode (TLS 1.3 only)\n", "-e");
 }
 static void
@@ -986,6 +987,7 @@ int enableSignedCertTimestamps = 0;
 int forceFallbackSCSV = 0;
 int enableExtendedMasterSecret = 0;
 PRBool requireDHNamedGroups = 0;
+PRBool middleboxCompatMode = 0;
 PRSocketOptionData opt;
 PRNetAddr addr;
 PRBool allowIPv4 = PR_TRUE;
@@ -1493,6 +1495,16 @@ run()
 }
 }
+ /* Middlebox compatibility mode (TLS 1.3 only) */
+ if (middleboxCompatMode) {
+ rv = SSL_OptionSet(s, SSL_ENABLE_TLS13_COMPAT_MODE, PR_TRUE);
+ if (rv != SECSuccess) {
+ SECU_PrintError(progName, "error enabling middlebox compatibility mode");
+ error = 1;
+ goto done;
+ }
+ }
+
 /* require the use of fixed finite-field DH groups */
 if (requireDHNamedGroups) {
 rv = SSL_OptionSet(s, SSL_REQUIRE_DH_NAMED_GROUPS, PR_TRUE);
@@ -1825,7 +1837,7 @@ main(int argc, char **argv)
 }
 optstate = PL_CreateOptState(argc, argv,
- "46A:BCDEFGHI:J:KL:M:N:OP:QR:STUV:W:X:YZa:bc:d:fgh:m:n:op:qr:st:uvw:x:z:");
+ "46A:BCDEFGHI:J:KL:M:N:OP:QR:STUV:W:X:YZa:bc:d:efgh:m:n:op:qr:st:uvw:x:z:");
 while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
 switch (optstate->option) {
 case '?':
@@ -1996,6 +2008,10 @@ main(int argc, char **argv)
 certDir = PORT_Strdup(optstate->value);
 break;
+ case 'e':
+ middleboxCompatMode = PR_TRUE;
+ break;
+
 case 'f':
 clientSpeaksFirst = PR_TRUE;
 break;
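Review bot: The help line added at the end of PrintParameterUsage() names the mode but not what it changes on the wire, which is what someone reading a capture from this client needs to know. Wording such as `"%-20s Enable TLS 1.3 middlebox compatibility mode (legacy session ID and\n" "%-20s dummy ChangeCipherSpec); no effect below TLS 1.3\n"` would cover it. If the short usage synopsis printed elsewhere in this file lists flags individually, it needs `[-e]` as well; no hunk here touches it. The function begins before this hunk.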
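Review bot: The new block in run() sets `SSL_ENABLE_TLS13_COMPAT_MODE` whenever `-e` was given and never looks at the version range configured for the socket. As far as this hunk shows, a range that excludes TLS 1.3 therefore leaves the flag accepted with no effect and no message. For a test client that matters: a run meant to exercise the middlebox path (non-empty legacy session ID and dummy ChangeCipherSpec, RFC 8446 Appendix D.4) can succeed without ever producing those records. I would print a warning when the configured maximum version is below `SSL_LIBRARY_VERSION_TLS_1_3`, or at least widen the comment to `/* Middlebox compatibility mode; has no effect unless TLS 1.3 is negotiated */`. run() starts and ends outside this hunk, so a version check elsewhere in it would not be visible here.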