===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/openssl/ciphers.c,v
retrieving revision 1.13
retrieving revision 1.14
diff -u -r1.13 -r1.14
--- src/usr.bin/openssl/ciphers.c 2022/07/14 08:37:17 1.13
+++ src/usr.bin/openssl/ciphers.c 2022/07/19 16:07:35 1.14
@@ -1,4 +1,4 @@
-/* $OpenBSD: ciphers.c,v 1.13 2022/07/14 08:37:17 tb Exp $ */
+/* $OpenBSD: ciphers.c,v 1.14 2022/07/19 16:07:35 tb Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing
 *
@@ -28,6 +28,7 @@
 int usage;
 int use_supported;
 int verbose;
+ int version;
 } ciphers_config;
 
 static const struct option ciphers_options[] = {
@@ -49,9 +50,33 @@
 },
 {
 .name = "tls1",
- .type = OPTION_DISCARD,
+ .desc = "Use TLS protocol version 1",
+ .type = OPTION_VALUE,
+ .opt.value = &ciphers_config.version,
+ .value = TLS1_VERSION,
 },
 {
+ .name = "tls1_1",
+ .desc = "Use TLS protocol version 1.1",
+ .type = OPTION_VALUE,
+ .opt.value = &ciphers_config.version,
+ .value = TLS1_1_VERSION,
+ },
+ {
+ .name = "tls1_2",
+ .desc = "Use TLS protocol version 1.2",
+ .type = OPTION_VALUE,
+ .opt.value = &ciphers_config.version,
+ .value = TLS1_2_VERSION,
+ },
+ {
+ .name = "tls1_3",
+ .desc = "Use TLS protocol version 1.3",
+ .type = OPTION_VALUE,
+ .opt.value = &ciphers_config.version,
+ .value = TLS1_3_VERSION,
+ },
+ {
 .name = "v",
 .desc = "Provide cipher listing",
 .type = OPTION_VALUE,
@@ -71,7 +96,8 @@
 static void
 ciphers_usage(void)
 {
- fprintf(stderr, "usage: ciphers [-hsVv] [cipherlist]\n");
+ fprintf(stderr, "usage: ciphers [-hsVv] [-tls1] [-tls1_1] [-tls1_2] "
+ "[-tls1_3] [cipherlist]\n");
 options_usage(ciphers_options);
 }
 
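Review bot: The new usage line in the @@ -71 hunk presents -tls1, -tls1_1, -tls1_2 and -tls1_3 as four independently combinable flags, but in the @@ -49 hunk all four are OPTION_VALUE entries writing the same ciphers_config.version, so presumably only the last one given takes effect and any earlier one is silently overridden. Writing them as a single alternation, `"usage: ciphers [-hsVv] [-tls1 | -tls1_1 | -tls1_2 | -tls1_3] "` followed by `"[cipherlist]\n"`, conveys that they are mutually exclusive. The new field in the @@ -28 hunk would also benefit from a comment recording the sentinel the later check depends on, e.g. `int version; /* 0: no -tls1* option given, use the method's default version range */`.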
@@ -108,8 +134,17 @@
 return (1);
 }
 
- if ((ssl_ctx = SSL_CTX_new(TLS_client_method())) == NULL)
+ if ((ssl_ctx = SSL_CTX_new(TLS_method())) == NULL)
 goto err;
+
+ if (ciphers_config.version != 0) {
+ if (!SSL_CTX_set_min_proto_version(ssl_ctx,
+ ciphers_config.version))
+ goto err;
+ if (!SSL_CTX_set_max_proto_version(ssl_ctx,
+ ciphers_config.version))
+ goto err;
+ }
 
 if (cipherlist != NULL) {
 if (SSL_CTX_set_cipher_list(ssl_ctx, cipherlist) == 0)
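Review bot: A failing SSL_CTX_set_min_proto_version or SSL_CTX_set_max_proto_version call jumps to err without emitting a diagnostic of its own, so if the err: label (outside this hunk) only dumps the library error queue, a version the library refuses to pin may end in a bare non-zero exit with no explanation. Since min and max are set to the same value, the two checks can be folded into one that reports the problem: `if (!SSL_CTX_set_min_proto_version(ssl_ctx, ciphers_config.version) ||` / `    !SSL_CTX_set_max_proto_version(ssl_ctx, ciphers_config.version)) {` / `	fprintf(stderr, "Failed to set protocol version\n"); goto err; }`. The `!= 0` test relies on the file-scope ciphers_config being zero-initialised so that no -tls1* option leaves the method's default version range in place; a comment on the check such as `/* 0: no -tls1* option given, keep the method's default version range */` makes that explicit. The enclosing function starts and ends outside this hunk.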