[Bug 219805] openssl s_client and xmpp
bugzilla-noreply at freebsd.org
Mon Jun 5 20:55:19 UTC 2017
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219805
Bug ID: 219805
Summary: openssl s_client and xmpp
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: Individual Port(s)
Assignee: freebsd-ports-bugs at FreeBSD.org
Reporter: fbsd98816551 at avksrv.org
Hello!
I tried to check the SSL cert from an XMPP server. According to the documentation, a command
like
/usr/local/bin/openssl s_client -servername "xmpp.google.com" -connect "xmpp.google.com":"5222" -starttls "xmpp"
will connect to the XMPP server, start a TLS session and return the SSL cert to
STDOUT. But under FreeBSD I got this error instead:
CONNECTED(00000004)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 385 bytes and written 120 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
When I tried running the same command under Fedora, it returned the expected cert.
FreeBSD version from ports:
/usr/local/bin/openssl version
OpenSSL 1.0.2l 25 May 2017
and Fedora:
OpenSSL 1.0.2k-fips 26 Jan 2017
If we check the SRPM from the Fedora package, we will see the patch
openssl-1.0.2a-xmpp-starttls.patch
--- openssl-1.0.2a/apps/s_client.c.starttls 2015-04-22 18:23:12.964387157
+0200
+++ openssl-1.0.2a/apps/s_client.c 2015-04-22 18:23:56.496414820 +0200
@@ -134,7 +134,8 @@
* OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
* OTHERWISE.
*/
-
+/* for strcasestr */
+#define _GNU_SOURCE
#include <assert.h>
#include <ctype.h>
#include <stdio.h>
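Review bot: The `#define _GNU_SOURCE` added at the top of s_client.c only exposes strcasestr on libcs that provide it as an extension; strcasestr is in neither ISO C nor POSIX, so on a platform whose libc lacks it this file no longer builds. Since the comment says the macro is there only for strcasestr, either provide a fallback for platforms without it or keep plain strstr in the second hunk and drop this define. If it stays, its position before the first #include is correct and should be preserved.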
@@ -1626,8 +1627,11 @@ int MAIN(int argc, char **argv)
"xmlns='jabber:client' to='%s' version='1.0'>", host);
seen = BIO_read(sbio, mbuf, BUFSIZZ);
mbuf[seen] = 0;
- while (!strstr
- (mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'")) {
+ while (!strcasestr
+ (mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'")
+ && !strcasestr(mbuf,
+ "<starttls
xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\""))
+ {
if (strstr(mbuf, "/stream:features>"))
goto shut;
seen = BIO_read(sbio, mbuf, BUFSIZZ);
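Review bot: The new loop condition switches from strstr to strcasestr, but XML element names and namespace URIs are case-sensitive, so the case folding is not needed to recognise the feature; the added double-quoted alternative is the part that makes a server quoting xmlns with " match. Two plain strstr calls would give the same fix without the non-standard function and without _GNU_SOURCE. Separately, the context lines `seen = BIO_read(sbio, mbuf, BUFSIZZ);` and `mbuf[seen] = 0;` use the return value unchecked: a failed read (seen <= 0) should leave the loop before mbuf is indexed, and the read at the end of this hunk needs the same check.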
---
and we can see the same changes in the 1.1 (not 1.0.X) OpenSSL tree in Git (5
years ago!)
https://github.com/openssl/openssl/commit/4e48c77572a9a96a301e362a3646cd3cc7eca0f9
They simply added a second check with an extra " in the string.
The Fedora patch also added a case-insensitive test.
Can we merge such a simple patch into the ports tree?
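An added example, not part of the original report and not OpenSSL or Fedora code: a quote-agnostic check for the STARTTLS offer that the report says s_client misses when the server quotes xmlns with " instead of '. The names offers_starttls, skip_ws and XMPP_TLS_NS and the server replies in main() are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define XMPP_TLS_NS "urn:ietf:params:xml:ns:xmpp-tls"

static const char *skip_ws(const char *p)
{
    while (isspace((unsigned char)*p))
        p++;
    return p;
}

/* 1 if buf holds a complete <starttls ...> tag whose xmlns attribute is
 * XMPP_TLS_NS in either ' or " quotes; case-sensitive, as XML is. */
int offers_starttls(const char *buf)
{
    const size_t nslen = strlen(XMPP_TLS_NS);
    const char *tag = buf, *end, *a;

    while ((tag = strstr(tag, "<starttls")) != NULL) {
        tag += strlen("<starttls");
        if (!isspace((unsigned char)*tag))
            continue;                 /* "<starttlsx", or no attributes */
        if ((end = strchr(tag, '>')) == NULL)
            return 0;                 /* tag split across reads */
        for (a = tag; (a = strstr(a, "xmlns")) != NULL && a < end; ) {
            a = skip_ws(a + 5);
            if (*a != '=')
                continue;             /* prefixed attribute, e.g. xmlns:x */
            a = skip_ws(a + 1);
            if ((*a == '\'' || *a == '"') &&
                strncmp(a + 1, XMPP_TLS_NS, nslen) == 0 && a[1 + nslen] == *a)
                return 1;
        }
    }
    return 0;
}

int main(void)
{
    /* Constructed replies: single-quoted, double-quoted, no TLS offer. */
    const char *sq = "<stream:features><starttls xmlns='" XMPP_TLS_NS "'/>";
    const char *dq = "<stream:features><starttls xmlns=\"" XMPP_TLS_NS "\"/>";
    const char *no = "<stream:features><mechanisms/></stream:features>";
    printf("%d %d %d\n", offers_starttls(sq), offers_starttls(dq), offers_starttls(no));
    return 0;
}
```

A tag that is cut off at the end of the buffer is reported as not found, so a caller has to append the next read to the buffer rather than overwrite it.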