apps/cmp.c: -tls_used may be implied by -server https:...; improve re…

…lated checks and doc Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #21176)
openssl · Oct 10, 2023 · 4a9299a · 4a9299a
1 parent 8d120ae
commit 4a9299a
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 18 deletions.
diff --git a/apps/cmp.c b/apps/cmp.c
@@ -1933,10 +1933,6 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
             CMP_warn("ignoring -proxy option since -server is not given");
         if (opt_no_proxy != NULL)
             CMP_warn("ignoring -no_proxy option since -server is not given");
-        if (opt_tls_used) {
-            CMP_warn("ignoring -tls_used option since -server is not given");
-            opt_tls_used = 0;
-        }
         goto set_path;
     }
     if (!OSSL_HTTP_parse_url(opt_server, &use_ssl, NULL /* user */,
@@ -1946,8 +1942,8 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
         goto err;
     }
     if (use_ssl && !opt_tls_used) {
-        CMP_err("missing -tls_used option since -server URL indicates HTTPS");
-        goto err;
+        CMP_warn("assuming -tls_used since -server URL indicates HTTPS");
+        opt_tls_used = 1;
     }
 
     BIO_snprintf(server_port, sizeof(server_port), "%s", port);

diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in
@@ -480,8 +480,8 @@ IP address may be for v4 or v6, such as C<127.0.0.1> or C<[::1]> for localhost.
 This option excludes I<-port> and I<-use_mock_srv>.
 It is ignored if I<-rspin> is given with enough filename arguments.
 
-The scheme C<https> may be given only if the B<-tls_used> option is provided.
-In this case the default port is 443, else 80.
+If the scheme C<https> is given, the B<-tls_used> option is implied.
+When TLS is used, the default port is 443, otherwise 80.
 The optional userinfo and fragment components are ignored.
 Any given query component is handled as part of the path component.
 If a path is included it provides the default value for the B<-path> option.
@@ -491,9 +491,9 @@ If a path is included it provides the default value for the B<-path> option.
 The HTTP(S) proxy server to use for reaching the CMP server unless B<-no_proxy>
 applies, see below.
 The proxy port defaults to 80 or 443 if the scheme is C<https>; apart from that
-the optional C<http://> or C<https://> prefix is ignored (note that TLS may be
-enabled by B<-tls_used>), as well as any path, userinfo, and query, and fragment
-components.
+the optional C<http://> or C<https://> prefix is ignored (note that using TLS
+may be required by B<-tls_used> or B<-server> with the prefix C<https>),
+as well as any path, userinfo, and query, and fragment components.
 Defaults to the environment variable C<http_proxy> if set, else C<HTTP_PROXY>
 in case no TLS is used, otherwise C<https_proxy> if set, else C<HTTPS_PROXY>.
 This option is ignored if I<-server> is not given.
@@ -584,7 +584,7 @@ Non-trusted intermediate CA certificate(s).
 Any extra certificates given with the B<-cert> option are appended to it.
 All these certificates may be useful for cert path construction
 for the own CMP signer certificate (to include in the extraCerts field of
-request messages) and for the TLS client certificate (if TLS is enabled)
+request messages) and for the TLS client certificate (if TLS is used)
 as well as for chain building
 when validating server certificates (checking signature-based
 CMP message protection) and when validating newly enrolled certificates.
@@ -898,14 +898,14 @@ B<-tls_key>.
 
 =item B<-tls_used>
 
-Enable using TLS (even when other TLS-related options are not set)
-for message exchange with CMP server via HTTP.
+Make the CMP client use TLS (regardless if other TLS-related options are set)
+for message exchange with the server via HTTP.
 This option is not supported with the I<-port> option.
-It is ignored if the I<-server> option is not given or I<-use_mock_srv> is given
-or I<-rspin> is given with enough filename arguments.
+It is implied if the B<-server> option is given with the scheme C<https>.
+It is ignored if the B<-server> option is not given or B<-use_mock_srv> is given
+or B<-rspin> is given with enough filename arguments.
 
-The following TLS-related options are ignored
-if B<-tls_used> is not given or does not take effect.
+The following TLS-related options are ignored if TLS is not used.
 
 =item B<-tls_cert> I<filename>|I<uri>
 

diff --git a/test/recipes/80-test_cmp_http_data/test_connection.csv b/test/recipes/80-test_cmp_http_data/test_connection.csv
@@ -21,6 +21,8 @@ TBD,server IP address with TLS port, -section,, -server,_SERVER_IP:_SERVER_TLS,,
 0,proxy default port, -section,, -server,_SERVER_HOST:_SERVER_PORT, -proxy,127.0.0.1, -no_proxy,nonmatch.com,BLANK,,,,-msg_timeout,1,BLANK,,BLANK,
 0,proxy missing argument, -section,, -server,_SERVER_HOST:_SERVER_PORT, -proxy,, -no_proxy,nonmatch.com,BLANK,,,,BLANK,,BLANK,,BLANK,
 ,,,,,,,,,,,,,,,,,,,
+0,tls_used, -section,, -server,_SERVER_HOST:_SERVER_PORT,,,,,-tls_used,,,,-msg_timeout,1,BLANK,,BLANK,
+,,,,,,,,,,,,,,,,,,,
 1,path explicit, -section,, -server,_SERVER_HOST:_SERVER_PORT,,,,,BLANK,, -path,_SERVER_PATH,BLANK,,BLANK,,BLANK,
 1,path overrides -server path, -section,, -server,_SERVER_HOST:_SERVER_PORT/ignored,,,,,BLANK,, -path,_SERVER_PATH,BLANK,,BLANK,,BLANK,
 1,path default -server path, -section,, -server,_SERVER_HOST:_SERVER_PORT/_SERVER_PATH,,,,,BLANK,, -path,"""",BLANK,,BLANK,,BLANK,