1 /* apps/s_client.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  *
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  *
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  *
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  *
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  *
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer.
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111 
112 #include <assert.h>
113 #include <stdio.h>
114 #include <stdlib.h>
115 #include <string.h>
116 #include <openssl/e_os2.h>
117 #ifdef OPENSSL_NO_STDIO
118 #define APPS_WIN16
119 #endif
120 
121 /* With IPv6, it looks like Digital has mixed up the proper order of
122    recursive header file inclusion, resulting in the compiler complaining
123    that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which
124    is needed to have fileno() declared correctly...  So let's define u_int */
125 #if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT)
126 #define __U_INT
127 typedef unsigned int u_int;
128 #endif
129 
130 #define USE_SOCKETS
131 #include "apps.h"
132 #include <openssl/x509.h>
133 #include <openssl/ssl.h>
134 #include <openssl/err.h>
135 #include <openssl/pem.h>
136 #include <openssl/rand.h>
137 #include "s_apps.h"
138 #include "timeouts.h"
139 
140 #ifdef OPENSSL_SYS_WINCE
141 /* Windows CE incorrectly defines fileno as returning void*, so to avoid problems below... */
142 #ifdef fileno
143 #undef fileno
144 #endif
145 #define fileno(a) (int)_fileno(a)
146 #endif
147 
148 
149 #if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
150 /* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
151 #undef FIONBIO
152 #endif
153 
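/* Name of this command's entry-point function; apps.h builds the MAIN
 * symbol from it (presumably when the apps are linked into one binary —
 * confirm against apps.h). */
#undef PROG
#define PROG	s_client_main

/*#define SSL_HOST_NAME	"www.netscape.com" */
/*#define SSL_HOST_NAME	"193.118.187.102" */
/* Peer used when neither -host nor -connect is given. */
#define SSL_HOST_NAME	"localhost"

/*#define TEST_CERT "client.pem" */ /* no default cert. */

/* Size in bytes of the cbuf/sbuf/mbuf I/O buffers allocated in main().
 * Parenthesised so the macro stays a single operand inside a larger
 * expression: a bare 1024*8 would turn x/BUFSIZZ into (x/1024)*8. */
#undef BUFSIZZ
#define BUFSIZZ (1024*8)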
165 
/* Peer-verification state defined elsewhere in the apps; -verify sets
 * verify_depth, main() resets verify_error to X509_V_OK before connecting.
 * Presumably read by verify_callback (registered below) — confirm there. */
extern int verify_depth;
extern int verify_error;

#ifdef FIONBIO
static int c_nbio=0;		/* -nbio: switch the socket to non-blocking I/O via FIONBIO */
#endif
static int c_Pause=0;		/* -pause: main() sets con->debug when (c_Pause & 0x01) */
static int c_debug=0;		/* -debug: sets con->debug and installs bio_dump_callback on the socket BIO */
static int c_msg=0;		/* -msg: installs msg_cb so protocol messages are printed to bio_c_out */
static int c_showcerts=0;	/* -showcerts: consumed past this excerpt, presumably by print_stuff() */

static void sc_usage(void);
static void print_stuff(BIO *berr,SSL *con,int full);	/* defined further down in this file */
static BIO *bio_c_out=NULL;	/* client's normal output: a null BIO under -quiet (unless -debug/-msg), else stdout */
static int c_quiet=0;		/* -quiet: silences s_client output and also sets c_ign_eof */
static int c_ign_eof=0;		/* -ign_eof: set directly or by -quiet; consumed in the I/O loop past this excerpt */
182 
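/* Print the option summary for s_client to bio_err.  Keep this list in
 * step with the option parser in main() below: an option that main()
 * accepts but this function omits is invisible to the user. */
static void sc_usage(void)
	{
	BIO_printf(bio_err,"usage: s_client args\n");
	BIO_printf(bio_err,"\n");
	BIO_printf(bio_err," -host host     - use -connect instead\n");
	BIO_printf(bio_err," -port port     - use -connect instead\n");
	BIO_printf(bio_err," -connect host:port - who to connect to (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR);

	BIO_printf(bio_err," -verify depth - turn on peer certificate verification\n");
	BIO_printf(bio_err," -cert arg     - certificate file to use, PEM format assumed\n");
	BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n");
	BIO_printf(bio_err," -key arg      - Private key file to use, in cert file if\n");
	BIO_printf(bio_err,"                 not specified but cert file is.\n");
	BIO_printf(bio_err," -keyform arg  - key format (PEM or DER) PEM default\n");
	BIO_printf(bio_err," -pass arg     - private key file pass phrase source\n");
	BIO_printf(bio_err," -CApath arg   - PEM format directory of CA's\n");
	BIO_printf(bio_err," -CAfile arg   - PEM format file of CA's\n");
	/* parsed by main() into vflags (X509_V_FLAG_CRL_CHECK / _ALL) */
	BIO_printf(bio_err," -crl_check    - check the peer certificate against a CRL\n");
	BIO_printf(bio_err," -crl_check_all - check every certificate in the chain against a CRL\n");
	BIO_printf(bio_err," -reconnect    - Drop and re-make the connection with the same Session-ID\n");
	BIO_printf(bio_err," -pause        - sleep(1) after each read(2) and write(2) system call\n");
	BIO_printf(bio_err," -showcerts    - show all certificates in the chain\n");
	BIO_printf(bio_err," -debug        - extra output\n");
#ifdef WATT32
	BIO_printf(bio_err," -wdebug       - WATT-32 tcp debugging\n");
#endif
	BIO_printf(bio_err," -msg          - Show protocol messages\n");
	BIO_printf(bio_err," -nbio_test    - more ssl protocol testing\n");
	BIO_printf(bio_err," -state        - print the 'ssl' states\n");
#ifdef FIONBIO
	BIO_printf(bio_err," -nbio         - Run with non-blocking IO\n");
#endif
	BIO_printf(bio_err," -crlf         - convert LF from terminal into CRLF\n");
	BIO_printf(bio_err," -quiet        - no s_client output\n");
	BIO_printf(bio_err," -ign_eof      - ignore input eof (default when -quiet)\n");
	BIO_printf(bio_err," -prexit       - print session information on exit, even if the connection failed\n");
	BIO_printf(bio_err," -ssl2         - just use SSLv2\n");
	BIO_printf(bio_err," -ssl3         - just use SSLv3\n");
	BIO_printf(bio_err," -tls1         - just use TLSv1\n");
	BIO_printf(bio_err," -dtls1        - just use DTLSv1\n");
	BIO_printf(bio_err," -mtu          - set the MTU\n");
	/* -timeout is only honoured on the DTLS (SOCK_DGRAM) path in main() */
	BIO_printf(bio_err," -timeout      - enable send/receive timeouts (DTLS only)\n");
	BIO_printf(bio_err," -no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
	BIO_printf(bio_err," -bugs         - Switch on all SSL implementation bug workarounds\n");
	BIO_printf(bio_err," -serverpref   - Use server's cipher preferences (only SSLv2)\n");
	BIO_printf(bio_err," -cipher       - preferred cipher to use, use the 'openssl ciphers'\n");
	BIO_printf(bio_err,"                 command to see what is available\n");
	BIO_printf(bio_err," -starttls prot - use the STARTTLS command before starting TLS\n");
	BIO_printf(bio_err,"                 for those protocols that support it, where\n");
	BIO_printf(bio_err,"                 'prot' defines which one to assume.  Currently,\n");
	BIO_printf(bio_err,"                 only \"smtp\", \"pop3\", \"imap\", and \"ftp\" are supported.\n");
#ifndef OPENSSL_NO_ENGINE
	BIO_printf(bio_err," -engine id    - Initialise and use the specified engine\n");
#endif
	BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);

	}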
236 
/* Application protocol spoken in the clear before the TLS handshake,
 * selected with -starttls.  Values are explicit so that PROTO_OFF is the
 * only false value: main() tests `if (starttls_proto)` to decide whether
 * a STARTTLS exchange happened. */
enum
{
	PROTO_OFF	= 0,	/* no STARTTLS: negotiate TLS immediately */
	PROTO_SMTP	= 1,	/* -starttls smtp: EHLO, then STARTTLS */
	PROTO_POP3	= 2,	/* -starttls pop3: STLS */
	PROTO_IMAP	= 3,	/* -starttls imap: ". CAPABILITY", then ". STARTTLS" */
	PROTO_FTP	= 4	/* -starttls ftp: AUTH TLS */
};
245 
/* Prototype of the command entry point.  MAIN is a macro from apps.h;
 * it presumably expands to main() for a standalone build or to PROG
 * (s_client_main) when the apps are linked as one program — confirm
 * against apps.h. */
int MAIN(int, char **);
247 
248 int MAIN(int argc, char **argv)
249 	{
250 	int off=0;
251 	SSL *con=NULL,*con2=NULL;
252 	X509_STORE *store = NULL;
253 	int s,k,width,state=0;
254 	char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL;
255 	int cbuf_len,cbuf_off;
256 	int sbuf_len,sbuf_off;
257 	fd_set readfds,writefds;
258 	short port=PORT;
259 	int full_log=1;
260 	char *host=SSL_HOST_NAME;
261 	char *cert_file=NULL,*key_file=NULL;
262 	int cert_format = FORMAT_PEM, key_format = FORMAT_PEM;
263 	char *passarg = NULL, *pass = NULL;
264 	X509 *cert = NULL;
265 	EVP_PKEY *key = NULL;
266 	char *CApath=NULL,*CAfile=NULL,*cipher=NULL;
267 	int reconnect=0,badop=0,verify=SSL_VERIFY_NONE,bugs=0;
268 	int crlf=0;
269 	int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending;
270 	SSL_CTX *ctx=NULL;
271 	int ret=1,in_init=1,i,nbio_test=0;
272 	int starttls_proto = PROTO_OFF;
273 	int prexit = 0, vflags = 0;
274 	SSL_METHOD *meth=NULL;
275 #ifdef sock_type
276 #undef sock_type
277 #endif
278 	int sock_type=SOCK_STREAM;
279 	BIO *sbio;
280 	char *inrand=NULL;
281 	int mbuf_len=0;
282 #ifndef OPENSSL_NO_ENGINE
283 	char *engine_id=NULL;
284 	ENGINE *e=NULL;
285 #endif
286 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
287 	struct timeval tv;
288 #endif
289 
290 	struct sockaddr peer;
291 	int peerlen = sizeof(peer);
292 	int enable_timeouts = 0 ;
293 	long mtu = 0;
294 
295 #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
296 	meth=SSLv23_client_method();
297 #elif !defined(OPENSSL_NO_SSL3)
298 	meth=SSLv3_client_method();
299 #elif !defined(OPENSSL_NO_SSL2)
300 	meth=SSLv2_client_method();
301 #endif
302 
303 	apps_startup();
304 	c_Pause=0;
305 	c_quiet=0;
306 	c_ign_eof=0;
307 	c_debug=0;
308 	c_msg=0;
309 	c_showcerts=0;
310 
311 	if (bio_err == NULL)
312 		bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
313 
314 	if (!load_config(bio_err, NULL))
315 		goto end;
316 
317 	if (	((cbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
318 		((sbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
319 		((mbuf=OPENSSL_malloc(BUFSIZZ)) == NULL))
320 		{
321 		BIO_printf(bio_err,"out of memory\n");
322 		goto end;
323 		}
324 
325 	verify_depth=0;
326 	verify_error=X509_V_OK;
327 #ifdef FIONBIO
328 	c_nbio=0;
329 #endif
330 
331 	argc--;
332 	argv++;
333 	while (argc >= 1)
334 		{
335 		if	(strcmp(*argv,"-host") == 0)
336 			{
337 			if (--argc < 1) goto bad;
338 			host= *(++argv);
339 			}
340 		else if	(strcmp(*argv,"-port") == 0)
341 			{
342 			if (--argc < 1) goto bad;
343 			port=atoi(*(++argv));
344 			if (port == 0) goto bad;
345 			}
346 		else if (strcmp(*argv,"-connect") == 0)
347 			{
348 			if (--argc < 1) goto bad;
349 			if (!extract_host_port(*(++argv),&host,NULL,&port))
350 				goto bad;
351 			}
352 		else if	(strcmp(*argv,"-verify") == 0)
353 			{
354 			verify=SSL_VERIFY_PEER;
355 			if (--argc < 1) goto bad;
356 			verify_depth=atoi(*(++argv));
357 			BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
358 			}
359 		else if	(strcmp(*argv,"-cert") == 0)
360 			{
361 			if (--argc < 1) goto bad;
362 			cert_file= *(++argv);
363 			}
364 		else if	(strcmp(*argv,"-certform") == 0)
365 			{
366 			if (--argc < 1) goto bad;
367 			cert_format = str2fmt(*(++argv));
368 			}
369 		else if	(strcmp(*argv,"-crl_check") == 0)
370 			vflags |= X509_V_FLAG_CRL_CHECK;
371 		else if	(strcmp(*argv,"-crl_check_all") == 0)
372 			vflags |= X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL;
373 		else if	(strcmp(*argv,"-prexit") == 0)
374 			prexit=1;
375 		else if	(strcmp(*argv,"-crlf") == 0)
376 			crlf=1;
377 		else if	(strcmp(*argv,"-quiet") == 0)
378 			{
379 			c_quiet=1;
380 			c_ign_eof=1;
381 			}
382 		else if	(strcmp(*argv,"-ign_eof") == 0)
383 			c_ign_eof=1;
384 		else if	(strcmp(*argv,"-pause") == 0)
385 			c_Pause=1;
386 		else if	(strcmp(*argv,"-debug") == 0)
387 			c_debug=1;
388 #ifdef WATT32
389 		else if (strcmp(*argv,"-wdebug") == 0)
390 			dbug_init();
391 #endif
392 		else if	(strcmp(*argv,"-msg") == 0)
393 			c_msg=1;
394 		else if	(strcmp(*argv,"-showcerts") == 0)
395 			c_showcerts=1;
396 		else if	(strcmp(*argv,"-nbio_test") == 0)
397 			nbio_test=1;
398 		else if	(strcmp(*argv,"-state") == 0)
399 			state=1;
400 #ifndef OPENSSL_NO_SSL2
401 		else if	(strcmp(*argv,"-ssl2") == 0)
402 			meth=SSLv2_client_method();
403 #endif
404 #ifndef OPENSSL_NO_SSL3
405 		else if	(strcmp(*argv,"-ssl3") == 0)
406 			meth=SSLv3_client_method();
407 #endif
408 #ifndef OPENSSL_NO_TLS1
409 		else if	(strcmp(*argv,"-tls1") == 0)
410 			meth=TLSv1_client_method();
411 #endif
412 #ifndef OPENSSL_NO_DTLS1
413 		else if	(strcmp(*argv,"-dtls1") == 0)
414 			{
415 			meth=DTLSv1_client_method();
416 			sock_type=SOCK_DGRAM;
417 			}
418 		else if (strcmp(*argv,"-timeout") == 0)
419 			enable_timeouts=1;
420 		else if (strcmp(*argv,"-mtu") == 0)
421 			{
422 			if (--argc < 1) goto bad;
423 			mtu = atol(*(++argv));
424 			}
425 #endif
426 		else if (strcmp(*argv,"-bugs") == 0)
427 			bugs=1;
428 		else if	(strcmp(*argv,"-keyform") == 0)
429 			{
430 			if (--argc < 1) goto bad;
431 			key_format = str2fmt(*(++argv));
432 			}
433 		else if	(strcmp(*argv,"-pass") == 0)
434 			{
435 			if (--argc < 1) goto bad;
436 			passarg = *(++argv);
437 			}
438 		else if	(strcmp(*argv,"-key") == 0)
439 			{
440 			if (--argc < 1) goto bad;
441 			key_file= *(++argv);
442 			}
443 		else if	(strcmp(*argv,"-reconnect") == 0)
444 			{
445 			reconnect=5;
446 			}
447 		else if	(strcmp(*argv,"-CApath") == 0)
448 			{
449 			if (--argc < 1) goto bad;
450 			CApath= *(++argv);
451 			}
452 		else if	(strcmp(*argv,"-CAfile") == 0)
453 			{
454 			if (--argc < 1) goto bad;
455 			CAfile= *(++argv);
456 			}
457 		else if (strcmp(*argv,"-no_tls1") == 0)
458 			off|=SSL_OP_NO_TLSv1;
459 		else if (strcmp(*argv,"-no_ssl3") == 0)
460 			off|=SSL_OP_NO_SSLv3;
461 		else if (strcmp(*argv,"-no_ssl2") == 0)
462 			off|=SSL_OP_NO_SSLv2;
463 		else if (strcmp(*argv,"-serverpref") == 0)
464 			off|=SSL_OP_CIPHER_SERVER_PREFERENCE;
465 		else if	(strcmp(*argv,"-cipher") == 0)
466 			{
467 			if (--argc < 1) goto bad;
468 			cipher= *(++argv);
469 			}
470 #ifdef FIONBIO
471 		else if (strcmp(*argv,"-nbio") == 0)
472 			{ c_nbio=1; }
473 #endif
474 		else if	(strcmp(*argv,"-starttls") == 0)
475 			{
476 			if (--argc < 1) goto bad;
477 			++argv;
478 			if (strcmp(*argv,"smtp") == 0)
479 				starttls_proto = PROTO_SMTP;
480 			else if (strcmp(*argv,"pop3") == 0)
481 				starttls_proto = PROTO_POP3;
482 			else if (strcmp(*argv,"imap") == 0)
483 				starttls_proto = PROTO_IMAP;
484 			else if (strcmp(*argv,"ftp") == 0)
485 				starttls_proto = PROTO_FTP;
486 			else
487 				goto bad;
488 			}
489 #ifndef OPENSSL_NO_ENGINE
490 		else if	(strcmp(*argv,"-engine") == 0)
491 			{
492 			if (--argc < 1) goto bad;
493 			engine_id = *(++argv);
494 			}
495 #endif
496 		else if (strcmp(*argv,"-rand") == 0)
497 			{
498 			if (--argc < 1) goto bad;
499 			inrand= *(++argv);
500 			}
501 		else
502 			{
503 			BIO_printf(bio_err,"unknown option %s\n",*argv);
504 			badop=1;
505 			break;
506 			}
507 		argc--;
508 		argv++;
509 		}
510 	if (badop)
511 		{
512 bad:
513 		sc_usage();
514 		goto end;
515 		}
516 
517 	OpenSSL_add_ssl_algorithms();
518 	SSL_load_error_strings();
519 
520 #ifndef OPENSSL_NO_ENGINE
521         e = setup_engine(bio_err, engine_id, 1);
522 #endif
523 	if (!app_passwd(bio_err, passarg, NULL, &pass, NULL))
524 		{
525 		BIO_printf(bio_err, "Error getting password\n");
526 		goto end;
527 		}
528 
529 	if (key_file == NULL)
530 		key_file = cert_file;
531 
532 
533 	if (key_file)
534 
535 		{
536 
537 		key = load_key(bio_err, key_file, key_format, 0, pass, e,
538 			       "client certificate private key file");
539 		if (!key)
540 			{
541 			ERR_print_errors(bio_err);
542 			goto end;
543 			}
544 
545 		}
546 
547 	if (cert_file)
548 
549 		{
550 		cert = load_cert(bio_err,cert_file,cert_format,
551 				NULL, e, "client certificate file");
552 
553 		if (!cert)
554 			{
555 			ERR_print_errors(bio_err);
556 			goto end;
557 			}
558 		}
559 
560 	if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
561 		&& !RAND_status())
562 		{
563 		BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
564 		}
565 	if (inrand != NULL)
566 		BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
567 			app_RAND_load_files(inrand));
568 
569 	if (bio_c_out == NULL)
570 		{
571 		if (c_quiet && !c_debug && !c_msg)
572 			{
573 			bio_c_out=BIO_new(BIO_s_null());
574 			}
575 		else
576 			{
577 			if (bio_c_out == NULL)
578 				bio_c_out=BIO_new_fp(stdout,BIO_NOCLOSE);
579 			}
580 		}
581 
582 	ctx=SSL_CTX_new(meth);
583 	if (ctx == NULL)
584 		{
585 		ERR_print_errors(bio_err);
586 		goto end;
587 		}
588 
589 	if (bugs)
590 		SSL_CTX_set_options(ctx,SSL_OP_ALL|off);
591 	else
592 		SSL_CTX_set_options(ctx,off);
593 	/* DTLS: partial reads end up discarding unread UDP bytes :-(
594 	 * Setting read ahead solves this problem.
595 	 */
596 	if (sock_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);
597 
598 	if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
599 	if (cipher != NULL)
600 		if(!SSL_CTX_set_cipher_list(ctx,cipher)) {
601 		BIO_printf(bio_err,"error setting cipher list\n");
602 		ERR_print_errors(bio_err);
603 		goto end;
604 	}
605 #if 0
606 	else
607 		SSL_CTX_set_cipher_list(ctx,getenv("SSL_CIPHER"));
608 #endif
609 
610 	SSL_CTX_set_verify(ctx,verify,verify_callback);
611 	if (!set_cert_key_stuff(ctx,cert,key))
612 		goto end;
613 
614 	if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
615 		(!SSL_CTX_set_default_verify_paths(ctx)))
616 		{
617 		/* BIO_printf(bio_err,"error setting default verify locations\n"); */
618 		ERR_print_errors(bio_err);
619 		/* goto end; */
620 		}
621 
622 	store = SSL_CTX_get_cert_store(ctx);
623 	X509_STORE_set_flags(store, vflags);
624 
625 	con=SSL_new(ctx);
626 #ifndef OPENSSL_NO_KRB5
627 	if (con  &&  (con->kssl_ctx = kssl_ctx_new()) != NULL)
628                 {
629                 kssl_ctx_setstring(con->kssl_ctx, KSSL_SERVER, host);
630 		}
631 #endif	/* OPENSSL_NO_KRB5  */
632 /*	SSL_set_cipher_list(con,"RC4-MD5"); */
633 
634 re_start:
635 
636 	if (init_client(&s,host,port,sock_type) == 0)
637 		{
638 		BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error());
639 		SHUTDOWN(s);
640 		goto end;
641 		}
642 	BIO_printf(bio_c_out,"CONNECTED(%08X)\n",s);
643 
644 #ifdef FIONBIO
645 	if (c_nbio)
646 		{
647 		unsigned long l=1;
648 		BIO_printf(bio_c_out,"turning on non blocking io\n");
649 		if (BIO_socket_ioctl(s,FIONBIO,&l) < 0)
650 			{
651 			ERR_print_errors(bio_err);
652 			goto end;
653 			}
654 		}
655 #endif
656 	if (c_Pause & 0x01) con->debug=1;
657 
658 	if ( SSL_version(con) == DTLS1_VERSION)
659 		{
660 		struct timeval timeout;
661 
662 		sbio=BIO_new_dgram(s,BIO_NOCLOSE);
663 		if (getsockname(s, &peer, (void *)&peerlen) < 0)
664 			{
665 			BIO_printf(bio_err, "getsockname:errno=%d\n",
666 				get_last_socket_error());
667 			SHUTDOWN(s);
668 			goto end;
669 			}
670 
671 		BIO_ctrl_set_connected(sbio, 1, &peer);
672 
673 		if ( enable_timeouts)
674 			{
675 			timeout.tv_sec = 0;
676 			timeout.tv_usec = DGRAM_RCV_TIMEOUT;
677 			BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
678 
679 			timeout.tv_sec = 0;
680 			timeout.tv_usec = DGRAM_SND_TIMEOUT;
681 			BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
682 			}
683 
684 		if ( mtu > 0)
685 			{
686 			SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
687 			SSL_set_mtu(con, mtu);
688 			}
689 		else
690 			/* want to do MTU discovery */
691 			BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
692 		}
693 	else
694 		sbio=BIO_new_socket(s,BIO_NOCLOSE);
695 
696 
697 
698 	if (nbio_test)
699 		{
700 		BIO *test;
701 
702 		test=BIO_new(BIO_f_nbio_test());
703 		sbio=BIO_push(test,sbio);
704 		}
705 
706 	if (c_debug)
707 		{
708 		con->debug=1;
709 		BIO_set_callback(sbio,bio_dump_callback);
710 		BIO_set_callback_arg(sbio,(char *)bio_c_out);
711 		}
712 	if (c_msg)
713 		{
714 		SSL_set_msg_callback(con, msg_cb);
715 		SSL_set_msg_callback_arg(con, bio_c_out);
716 		}
717 
718 	SSL_set_bio(con,sbio,sbio);
719 	SSL_set_connect_state(con);
720 
721 	/* ok, lets connect */
722 	width=SSL_get_fd(con)+1;
723 
724 	read_tty=1;
725 	write_tty=0;
726 	tty_on=0;
727 	read_ssl=1;
728 	write_ssl=1;
729 
730 	cbuf_len=0;
731 	cbuf_off=0;
732 	sbuf_len=0;
733 	sbuf_off=0;
734 
735 	/* This is an ugly hack that does a lot of assumptions */
736 	/* We do have to handle multi-line responses which may come
737  	   in a single packet or not. We therefore have to use
738 	   BIO_gets() which does need a buffering BIO. So during
739 	   the initial chitchat we do push a buffering BIO into the
740 	   chain that is removed again later on to not disturb the
741 	   rest of the s_client operation. */
742 	if (starttls_proto == PROTO_SMTP)
743 		{
744 		int foundit=0;
745 		BIO *fbio = BIO_new(BIO_f_buffer());
746 		BIO_push(fbio, sbio);
747 		/* wait for multi-line response to end from SMTP */
748 		do
749 			{
750 			mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
751 			}
752 		while (mbuf_len>3 && mbuf[3]=='-');
753 		/* STARTTLS command requires EHLO... */
754 		BIO_printf(fbio,"EHLO openssl.client.net\r\n");
755 		BIO_flush(fbio);
756 		/* wait for multi-line response to end EHLO SMTP response */
757 		do
758 			{
759 			mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
760 			if (strstr(mbuf,"STARTTLS"))
761 				foundit=1;
762 			}
763 		while (mbuf_len>3 && mbuf[3]=='-');
764 		BIO_flush(fbio);
765 		BIO_pop(fbio);
766 		BIO_free(fbio);
767 		if (!foundit)
768 			BIO_printf(bio_err,
769 				   "didn't found starttls in server response,"
770 				   " try anyway...\n");
771 		BIO_printf(sbio,"STARTTLS\r\n");
772 		BIO_read(sbio,sbuf,BUFSIZZ);
773 		}
774 	else if (starttls_proto == PROTO_POP3)
775 		{
776 		BIO_read(sbio,mbuf,BUFSIZZ);
777 		BIO_printf(sbio,"STLS\r\n");
778 		BIO_read(sbio,sbuf,BUFSIZZ);
779 		}
780 	else if (starttls_proto == PROTO_IMAP)
781 		{
782 		int foundit=0;
783 		BIO *fbio = BIO_new(BIO_f_buffer());
784 		BIO_push(fbio, sbio);
785 		BIO_gets(fbio,mbuf,BUFSIZZ);
786 		/* STARTTLS command requires CAPABILITY... */
787 		BIO_printf(fbio,". CAPABILITY\r\n");
788 		BIO_flush(fbio);
789 		/* wait for multi-line CAPABILITY response */
790 		do
791 			{
792 			mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
793 			if (strstr(mbuf,"STARTTLS"))
794 				foundit=1;
795 			}
796 		while (mbuf_len>3 && mbuf[0]!='.');
797 		BIO_flush(fbio);
798 		BIO_pop(fbio);
799 		BIO_free(fbio);
800 		if (!foundit)
801 			BIO_printf(bio_err,
802 				   "didn't found STARTTLS in server response,"
803 				   " try anyway...\n");
804 		BIO_printf(sbio,". STARTTLS\r\n");
805 		BIO_read(sbio,sbuf,BUFSIZZ);
806 		}
807 	else if (starttls_proto == PROTO_FTP)
808 		{
809 		BIO *fbio = BIO_new(BIO_f_buffer());
810 		BIO_push(fbio, sbio);
811 		/* wait for multi-line response to end from FTP */
812 		do
813 			{
814 			mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
815 			}
816 		while (mbuf_len>3 && mbuf[3]=='-');
817 		BIO_flush(fbio);
818 		BIO_pop(fbio);
819 		BIO_free(fbio);
820 		BIO_printf(sbio,"AUTH TLS\r\n");
821 		BIO_read(sbio,sbuf,BUFSIZZ);
822 		}
823 
824 	for (;;)
825 		{
826 		FD_ZERO(&readfds);
827 		FD_ZERO(&writefds);
828 
829 		if (SSL_in_init(con) && !SSL_total_renegotiations(con))
830 			{
831 			in_init=1;
832 			tty_on=0;
833 			}
834 		else
835 			{
836 			tty_on=1;
837 			if (in_init)
838 				{
839 				in_init=0;
840 				print_stuff(bio_c_out,con,full_log);
841 				if (full_log > 0) full_log--;
842 
843 				if (starttls_proto)
844 					{
845 					BIO_printf(bio_err,"%s",mbuf);
846 					/* We don't need to know any more */
847 					starttls_proto = PROTO_OFF;
848 					}
849 
850 				if (reconnect)
851 					{
852 					reconnect--;
853 					BIO_printf(bio_c_out,"drop connection and then reconnect\n");
854 					SSL_shutdown(con);
855 					SSL_set_connect_state(con);
856 					SHUTDOWN(SSL_get_fd(con));
857 					goto re_start;
858 					}
859 				}
860 			}
861 
862 		ssl_pending = read_ssl && SSL_pending(con);
863 
864 		if (!ssl_pending)
865 			{
866 #if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE)
867 			if (tty_on)
868 				{
869 				if (read_tty)  FD_SET(fileno(stdin),&readfds);
870 				if (write_tty) FD_SET(fileno(stdout),&writefds);
871 				}
872 			if (read_ssl)
873 				FD_SET(SSL_get_fd(con),&readfds);
874 			if (write_ssl)
875 				FD_SET(SSL_get_fd(con),&writefds);
876 #else
877 			if(!tty_on || !write_tty) {
878 				if (read_ssl)
879 					FD_SET(SSL_get_fd(con),&readfds);
880 				if (write_ssl)
881 					FD_SET(SSL_get_fd(con),&writefds);
882 			}
883 #endif
884 /*			printf("mode tty(%d %d%d) ssl(%d%d)\n",
885 				tty_on,read_tty,write_tty,read_ssl,write_ssl);*/
886 
887 			/* Note: under VMS with SOCKETSHR the second parameter
888 			 * is currently of type (int *) whereas under other
889 			 * systems it is (void *) if you don't have a cast it
890 			 * will choke the compiler: if you do have a cast then
891 			 * you can either go for (int *) or (void *).
892 			 */
893 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
894                         /* Under Windows/DOS we make the assumption that we can
895 			 * always write to the tty: therefore if we need to
896 			 * write to the tty we just fall through. Otherwise
897 			 * we timeout the select every second and see if there
898 			 * are any keypresses. Note: this is a hack, in a proper
899 			 * Windows application we wouldn't do this.
900 			 */
901 			i=0;
902 			if(!write_tty) {
903 				if(read_tty) {
904 					tv.tv_sec = 1;
905 					tv.tv_usec = 0;
906 					i=select(width,(void *)&readfds,(void *)&writefds,
907 						 NULL,&tv);
908 #if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
909 					if(!i && (!_kbhit() || !read_tty) ) continue;
910 #else
911 					if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue;
912 #endif
913 				} else 	i=select(width,(void *)&readfds,(void *)&writefds,
914 					 NULL,NULL);
915 			}
916 #elif defined(OPENSSL_SYS_NETWARE)
917 			if(!write_tty) {
918 				if(read_tty) {
919 					tv.tv_sec = 1;
920 					tv.tv_usec = 0;
921 					i=select(width,(void *)&readfds,(void *)&writefds,
922 						NULL,&tv);
923 				} else 	i=select(width,(void *)&readfds,(void *)&writefds,
924 					NULL,NULL);
925 			}
926 #else
927 			i=select(width,(void *)&readfds,(void *)&writefds,
928 				 NULL,NULL);
929 #endif
930 			if ( i < 0)
931 				{
932 				BIO_printf(bio_err,"bad select %d\n",
933 				get_last_socket_error());
934 				goto shut;
935 				/* goto end; */
936 				}
937 			}
938 
939 		if (!ssl_pending && FD_ISSET(SSL_get_fd(con),&writefds))
940 			{
941 			k=SSL_write(con,&(cbuf[cbuf_off]),
942 				(unsigned int)cbuf_len);
943 			switch (SSL_get_error(con,k))
944 				{
945 			case SSL_ERROR_NONE:
946 				cbuf_off+=k;
947 				cbuf_len-=k;
948 				if (k <= 0) goto end;
949 				/* we have done a  write(con,NULL,0); */
950 				if (cbuf_len <= 0)
951 					{
952 					read_tty=1;
953 					write_ssl=0;
954 					}
955 				else /* if (cbuf_len > 0) */
956 					{
957 					read_tty=0;
958 					write_ssl=1;
959 					}
960 				break;
961 			case SSL_ERROR_WANT_WRITE:
962 				BIO_printf(bio_c_out,"write W BLOCK\n");
963 				write_ssl=1;
964 				read_tty=0;
965 				break;
966 			case SSL_ERROR_WANT_READ:
967 				BIO_printf(bio_c_out,"write R BLOCK\n");
968 				write_tty=0;
969 				read_ssl=1;
970 				write_ssl=0;
971 				break;
972 			case SSL_ERROR_WANT_X509_LOOKUP:
973 				BIO_printf(bio_c_out,"write X BLOCK\n");
974 				break;
975 			case SSL_ERROR_ZERO_RETURN:
976 				if (cbuf_len != 0)
977 					{
978 					BIO_printf(bio_c_out,"shutdown\n");
979 					goto shut;
980 					}
981 				else
982 					{
983 					read_tty=1;
984 					write_ssl=0;
985 					break;
986 					}
987 
988 			case SSL_ERROR_SYSCALL:
989 				if ((k != 0) || (cbuf_len != 0))
990 					{
991 					BIO_printf(bio_err,"write:errno=%d\n",
992 						get_last_socket_error());
993 					goto shut;
994 					}
995 				else
996 					{
997 					read_tty=1;
998 					write_ssl=0;
999 					}
1000 				break;
1001 			case SSL_ERROR_SSL:
1002 				ERR_print_errors(bio_err);
1003 				goto shut;
1004 				}
1005 			}
1006 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
1007 		/* Assume Windows/DOS can always write */
1008 		else if (!ssl_pending && write_tty)
1009 #else
1010 		else if (!ssl_pending && FD_ISSET(fileno(stdout),&writefds))
1011 #endif
1012 			{
1013 #ifdef CHARSET_EBCDIC
1014 			ascii2ebcdic(&(sbuf[sbuf_off]),&(sbuf[sbuf_off]),sbuf_len);
1015 #endif
1016 			i=write(fileno(stdout),&(sbuf[sbuf_off]),sbuf_len);
1017 
1018 			if (i <= 0)
1019 				{
1020 				BIO_printf(bio_c_out,"DONE\n");
1021 				goto shut;
1022 				/* goto end; */
1023 				}
1024 
1025 			sbuf_len-=i;;
1026 			sbuf_off+=i;
1027 			if (sbuf_len <= 0)
1028 				{
1029 				read_ssl=1;
1030 				write_tty=0;
1031 				}
1032 			}
1033 		else if (ssl_pending || FD_ISSET(SSL_get_fd(con),&readfds))
1034 			{
1035 #ifdef RENEG
1036 { static int iiii; if (++iiii == 52) { SSL_renegotiate(con); iiii=0; } }
1037 #endif
1038 #if 1
1039 			k=SSL_read(con,sbuf,1024 /* BUFSIZZ */ );
1040 #else
1041 /* Demo for pending and peek :-) */
1042 			k=SSL_read(con,sbuf,16);
1043 { char zbuf[10240];
1044 printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240));
1045 }
1046 #endif
1047 
1048 			switch (SSL_get_error(con,k))
1049 				{
1050 			case SSL_ERROR_NONE:
1051 				if (k <= 0)
1052 					goto end;
1053 				sbuf_off=0;
1054 				sbuf_len=k;
1055 
1056 				read_ssl=0;
1057 				write_tty=1;
1058 				break;
1059 			case SSL_ERROR_WANT_WRITE:
1060 				BIO_printf(bio_c_out,"read W BLOCK\n");
1061 				write_ssl=1;
1062 				read_tty=0;
1063 				break;
1064 			case SSL_ERROR_WANT_READ:
1065 				BIO_printf(bio_c_out,"read R BLOCK\n");
1066 				write_tty=0;
1067 				read_ssl=1;
1068 				if ((read_tty == 0) && (write_ssl == 0))
1069 					write_ssl=1;
1070 				break;
1071 			case SSL_ERROR_WANT_X509_LOOKUP:
1072 				BIO_printf(bio_c_out,"read X BLOCK\n");
1073 				break;
1074 			case SSL_ERROR_SYSCALL:
1075 				BIO_printf(bio_err,"read:errno=%d\n",get_last_socket_error());
1076 				goto shut;
1077 			case SSL_ERROR_ZERO_RETURN:
1078 				BIO_printf(bio_c_out,"closed\n");
1079 				goto shut;
1080 			case SSL_ERROR_SSL:
1081 				ERR_print_errors(bio_err);
1082 				goto shut;
1083 				/* break; */
1084 				}
1085 			}
1086 
1087 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
1088 #if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
1089 		else if (_kbhit())
1090 #else
1091 		else if ((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0)))
1092 #endif
1093 #elif defined (OPENSSL_SYS_NETWARE)
1094         else if (_kbhit())
1095 #else
1096 		else if (FD_ISSET(fileno(stdin),&readfds))
1097 #endif
1098 			{
1099 			if (crlf)
1100 				{
1101 				int j, lf_num;
1102 
1103 				i=read(fileno(stdin),cbuf,BUFSIZZ/2);
1104 				lf_num = 0;
1105 				/* both loops are skipped when i <= 0 */
1106 				for (j = 0; j < i; j++)
1107 					if (cbuf[j] == '\n')
1108 						lf_num++;
1109 				for (j = i-1; j >= 0; j--)
1110 					{
1111 					cbuf[j+lf_num] = cbuf[j];
1112 					if (cbuf[j] == '\n')
1113 						{
1114 						lf_num--;
1115 						i++;
1116 						cbuf[j+lf_num] = '\r';
1117 						}
1118 					}
1119 				assert(lf_num == 0);
1120 				}
1121 			else
1122 				i=read(fileno(stdin),cbuf,BUFSIZZ);
1123 
1124 			if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q')))
1125 				{
1126 				BIO_printf(bio_err,"DONE\n");
1127 				goto shut;
1128 				}
1129 
1130 			if ((!c_ign_eof) && (cbuf[0] == 'R'))
1131 				{
1132 				BIO_printf(bio_err,"RENEGOTIATING\n");
1133 				SSL_renegotiate(con);
1134 				cbuf_len=0;
1135 				}
1136 			else
1137 				{
1138 				cbuf_len=i;
1139 				cbuf_off=0;
1140 #ifdef CHARSET_EBCDIC
1141 				ebcdic2ascii(cbuf, cbuf, i);
1142 #endif
1143 				}
1144 
1145 			write_ssl=1;
1146 			read_tty=0;
1147 			}
1148 		}
1149 shut:
1150 	SSL_shutdown(con);
1151 	SHUTDOWN(SSL_get_fd(con));
1152 	ret=0;
1153 end:
1154 	if(prexit) print_stuff(bio_c_out,con,1);
1155 	if (con != NULL) SSL_free(con);
1156 	if (con2 != NULL) SSL_free(con2);
1157 	if (ctx != NULL) SSL_CTX_free(ctx);
1158 	if (cert)
1159 		X509_free(cert);
1160 	if (key)
1161 		EVP_PKEY_free(key);
1162 	if (pass)
1163 		OPENSSL_free(pass);
1164 	if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); }
1165 	if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); }
1166 	if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); }
1167 	if (bio_c_out != NULL)
1168 		{
1169 		BIO_free(bio_c_out);
1170 		bio_c_out=NULL;
1171 		}
1172 	apps_shutdown();
1173 	OPENSSL_EXIT(ret);
1174 	}
1175 
1176 
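/* Print the peer certificate chain held by |s| to |bio|.
 * Subject and issuer of every chain element are written one line each;
 * the certificate itself is also dumped as PEM when c_showcerts is set.
 * |buf|/|buflen| is scratch space for X509_NAME_oneline().
 * Returns 1 if a chain was available, 0 otherwise (no chain is the
 * normal case for SSL 2). */
static int print_stuff_chain(BIO *bio, SSL *s, char *buf, int buflen)
	{
	STACK_OF(X509) *sk=SSL_get_peer_cert_chain(s);
	int i;

	if (sk == NULL)
		return 0; /* we don't have it for SSL2 (yet) */

	BIO_printf(bio,"---\nCertificate chain\n");
	for (i=0; i<sk_X509_num(sk); i++)
		{
		X509 *x=sk_X509_value(sk,i);

		X509_NAME_oneline(X509_get_subject_name(x),buf,buflen);
		BIO_printf(bio,"%2d s:%s\n",i,buf);
		X509_NAME_oneline(X509_get_issuer_name(x),buf,buflen);
		BIO_printf(bio,"   i:%s\n",buf);
		if (c_showcerts)
			PEM_write_bio_X509(bio,x);
		}
	return 1;
	}

/* Print the list of CA names the server will accept client certificates
 * from, one per line, or a note that none were sent.
 * |buf|/|buflen| is scratch space for X509_NAME_oneline(). */
static void print_stuff_client_cas(BIO *bio, SSL *s, char *buf, int buflen)
	{
	STACK_OF(X509_NAME) *sk2=SSL_get_client_CA_list(s);
	int i;

	if ((sk2 == NULL) || (sk_X509_NAME_num(sk2) <= 0))
		{
		BIO_printf(bio,"---\nNo client certificate CA names sent\n");
		return;
		}

	BIO_printf(bio,"---\nAcceptable client certificate CA names\n");
	for (i=0; i<sk_X509_NAME_num(sk2); i++)
		{
		X509_NAME_oneline(sk_X509_NAME_value(sk2,i),buf,buflen);
		BIO_write(bio,buf,strlen(buf));
		BIO_write(bio,"\n",1);
		}
	}

/* Lay out the ':'-separated cipher list |p| as a three-column table.
 * Each name is padded with blanks to a fixed column width; every third
 * name ends the row. */
static void print_stuff_cipher_table(BIO *bio, const char *p)
	{
	static const char *space="                "; /* 16 blanks */
	int i=0; /* names emitted so far */
	int j=0; /* length of the name currently being emitted */

	BIO_printf(bio,"---\nCiphers common between both SSL endpoints:\n");
	for (; *p; p++)
		{
		if (*p == ':')
			{
			int pad=15-j%25;

			/* The pad width goes negative for a 16..24 character name;
			 * never hand BIO_write a negative length (it would be taken
			 * as a huge size_t and read far past |space|). */
			if (pad > 0)
				BIO_write(bio,space,pad);
			i++;
			j=0;
			BIO_write(bio,((i%3)?" ":"\n"),1);
			}
		else
			{
			BIO_write(bio,p,1);
			j++;
			}
		}
	BIO_write(bio,"\n",1);
	}

/* Report the state of the SSL connection |s| on |bio|.
 *
 * Always printed: whether the session was reused, protocol version and
 * cipher, the server public key size (when a peer certificate exists),
 * compression/expansion methods (unless OPENSSL_NO_COMP) and the session
 * itself.  With |full| set, the peer certificate chain, the server
 * certificate, the acceptable client CA names, the shared ciphers and the
 * handshake byte counts are printed first.
 *
 * The caller at MAIN's end: label invokes this before testing con for
 * NULL, so a NULL |s| (or |bio|) is treated as "nothing to print". */
static void print_stuff(BIO *bio, SSL *s, int full)
	{
	X509 *peer=NULL;
	char *p;
	char buf[BUFSIZ];
	SSL_CIPHER *c;
#ifndef OPENSSL_NO_COMP
	const COMP_METHOD *comp, *expansion;
#endif

	if ((bio == NULL) || (s == NULL))
		return;

	if (full)
		{
		int got_a_chain=print_stuff_chain(bio,s,buf,sizeof buf);

		BIO_printf(bio,"---\n");
		/* SSL_get_peer_certificate() hands back a reference we own;
		 * released at the end of this function. */
		peer=SSL_get_peer_certificate(s);
		if (peer != NULL)
			{
			BIO_printf(bio,"Server certificate\n");
			/* Redundant if we showed the whole chain */
			if (!(c_showcerts && got_a_chain))
				PEM_write_bio_X509(bio,peer);
			X509_NAME_oneline(X509_get_subject_name(peer),
				buf,sizeof buf);
			BIO_printf(bio,"subject=%s\n",buf);
			X509_NAME_oneline(X509_get_issuer_name(peer),
				buf,sizeof buf);
			BIO_printf(bio,"issuer=%s\n",buf);
			}
		else
			BIO_printf(bio,"no peer certificate available\n");

		print_stuff_client_cas(bio,s,buf,sizeof buf);

		/* This works only for SSL 2.  In later protocol
		 * versions, the client does not know what other
		 * ciphers (in addition to the one to be used
		 * in the current connection) the server supports. */
		p=SSL_get_shared_ciphers(s,buf,sizeof buf);
		if (p != NULL)
			print_stuff_cipher_table(bio,p);

		BIO_printf(bio,"---\nSSL handshake has read %ld bytes and written %ld bytes\n",
			BIO_number_read(SSL_get_rbio(s)),
			BIO_number_written(SSL_get_wbio(s)));
		}

	/* s->hit is read straight from the SSL internals: set when a previous
	 * session was resumed rather than a new one negotiated. */
	BIO_printf(bio,((s->hit)?"---\nReused, ":"---\nNew, "));
	/* NOTE(review): c is NULL until a handshake completes; the two
	 * SSL_CIPHER_get_* accessors are relied on to tolerate that — confirm
	 * against ssl_lib.c if the library version changes. */
	c=SSL_get_current_cipher(s);
	BIO_printf(bio,"%s, Cipher is %s\n",
		SSL_CIPHER_get_version(c),
		SSL_CIPHER_get_name(c));
	if (peer != NULL)
		{
		/* X509_get_pubkey() returns NULL when the key in the peer's
		 * certificate cannot be decoded (e.g. an unsupported algorithm);
		 * EVP_PKEY_bits() does not accept NULL, so guard it. */
		EVP_PKEY *pktmp=X509_get_pubkey(peer);

		if (pktmp != NULL)
			{
			BIO_printf(bio,"Server public key is %d bit\n",
				EVP_PKEY_bits(pktmp));
			EVP_PKEY_free(pktmp);
			}
		else
			BIO_printf(bio,"Server public key could not be decoded\n");
		}
#ifndef OPENSSL_NO_COMP
	comp=SSL_get_current_compression(s);
	expansion=SSL_get_current_expansion(s);
	BIO_printf(bio,"Compression: %s\n",
		comp ? SSL_COMP_get_name(comp) : "NONE");
	BIO_printf(bio,"Expansion: %s\n",
		expansion ? SSL_COMP_get_name(expansion) : "NONE");
#endif
	SSL_SESSION_print(bio,SSL_get_session(s));
	BIO_printf(bio,"---\n");
	if (peer != NULL)
		X509_free(peer);
	/* flush, or debugging output gets mixed with http response */
	BIO_flush(bio);
	}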
1308 
1309