Re: [PATCH] `s_client -starttls smtp' fails if not using EHLO
Pavel Gorshkov wrote: Some SMTP servers require a HELO/EHLO command before a STARTTLS, e.g.: [...] The attached patch (against openssl-0.9.8a) adds the `-ehlo' option to s_client: -ehlo hostname - use the EHLO smtp command before issuing STARTTLS (to be used in conjunction with -starttls smtp) with this patch, s_client successfully connects and shows the certificate: This patch solves only smtp. But there are many more protocols using STARTTLS Has anybody thought about a plugin interface or a different way to handle the startup ? Either a -manualstart starttext command that opens the socket, forwards stdin to the socket and data from the socket to stdout, and starts TLS after it receives the given starttext from stdin. Or the -startcmd cmd command, that calls the specified command to do the initial handshake (and starts TLS if the command returns without error... Bye Goetz -- DMCA: The greed of the few outweighs the freedom of the many smime.p7s Description: S/MIME Cryptographic Signature
Re: [PATCH] `s_client -starttls smtp' fails if not using EHLO
On Sat, Dec 31, 2005 at 04:26:46PM +0100, Goetz Babin-Ebell wrote: This patch solves only smtp. But there are many more protocols using STARTTLS Has anybody thought about a plugin interface or a different way to handle the startup ? I agree that it would be better to have a generalized approach. Here's a relevant excerpt from gnutls-cli(1): -s, --starttls Connect, establish a plain session and start TLS when EOF or a SIGALRM is received. this looks like a perfect solution except maybe when dealing with a tricky binary protocol requiring you to perform multiple authentication steps before a starttls. (sorry for mentioning gnutls on this list) Happy New Year! -- Pavel Gorshkov __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: [PATCH] `s_client -starttls smtp' fails if not using EHLO
Pavel Gorshkov wrote: On Sat, Dec 31, 2005 at 04:26:46PM +0100, Goetz Babin-Ebell wrote: This patch solves only smtp. But there are many more protocols using STARTTLS Has anybody thought about a plugin interface or a different way to handle the startup ? I agree that it would be better to have a generalized approach. Here's a relevant excerpt from gnutls-cli(1): -s, --starttls Connect, establish a plain session and start TLS when EOF or a SIGALRM is received. Seems usable. But what if you want to use s_client with -starttls in a script ? this looks like a perfect solution except maybe when dealing with a tricky binary protocol requiring you to perform multiple authentication steps before a starttls. For these cases (and others) my -startcmd cmd is the best way. but normally starttls is used in sane (clear text) protocols... (sorry for mentioning gnutls on this list) It's OK, you didn't say Jehovah (which would lead to your stoning... ;-) ) By the way: Hapy new year...) Bye Goetz -- DMCA: The greed of the few outweighs the freedom of the many smime.p7s Description: S/MIME Cryptographic Signature
Re: [PATCH] `s_client -starttls smtp' fails if not using EHLO
On 12/31/05, Goetz Babin-Ebell [EMAIL PROTECTED] wrote: Pavel Gorshkov wrote: I agree that it would be better to have a generalized approach. Here's a relevant excerpt from gnutls-cli(1): -s, --starttls Connect, establish a plain session and start TLS when EOF or a SIGALRM is received. Seems usable. But what if you want to use s_client with -starttls in a script ? How about a means of specifying what file descriptor is being used for the pre-starttls, while leaving stdin open for additional data after the starttls succeeds? -Kyle H __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[PATCH] `s_client -starttls smtp' fails if not using EHLO
Some SMTP servers require a HELO/EHLO command before a STARTTLS,
e.g.:
$ telnet mail.sourceforge.net 25
220 mail.sourceforge.net ESMTP Exim 4.44 ...
STARTTLS
503 STARTTLS command used when not advertised
for instance, when I try to retrieve the server certificate for
mail.sourceforge.net:25 using `-starttls smtp -showcerts':
$ openssl s_client -connect mail.sourceforge.net:25 \
-starttls smtp -CApath /etc/ssl/certs -showcerts
it fails with an error message like:
CONNECTED(0003)
9829:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
protocol:s23_clnt.c:567:
The attached patch (against openssl-0.9.8a) adds the `-ehlo'
option to s_client:
-ehlo hostname - use the EHLO smtp command before issuing STARTTLS
(to be used in conjunction with -starttls smtp)
with this patch, s_client successfully connects and shows the
certificate:
$ openssl s_client -connect mail.sourceforge.net:25 -showcerts
-starttls smtp -ehlo host.domain -CApath /etc/ssl/certs
...
Verify return code: 0 (ok)
---
220 mail.sourceforge.net ESMTP Exim 4.44 Tue, 27 Dec 2005 10:58:18 -0800
sc8-sf-mx1.sourceforge.net
250-mail.sourceforge.net Hello ppp85-140-15-108.pppoe.mtu-net.ru [85.140.15.108]
250-SIZE 1048576
250-EXPN
250-PIPELINING
250-STARTTLS
250 HELP
--
Pavel Gorshkov
--- openssl-0.9.8a.orig/apps/s_client.c Sat Oct 1 03:38:19 2005
+++ openssl-0.9.8a/apps/s_client.c Tue Dec 27 18:43:52 2005
@@ -227,6 +227,8 @@
BIO_printf(bio_err, for those protocols that support
it, where\n);
BIO_printf(bio_err, 'prot' defines which one to
assume. Currently,\n);
BIO_printf(bio_err, only \smtp\ and \pop3\ are
supported.\n);
+ BIO_printf(bio_err, -ehlo hostname - use the EHLO smtp command before
issuing STARTTLS\n);
+ BIO_printf(bio_err, (to be used in conjunction with
-starttls smtp)\n);
#ifndef OPENSSL_NO_ENGINE
BIO_printf(bio_err, -engine id- Initialise and use the specified
engine\n);
#endif
@@ -245,6 +247,7 @@
char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL;
int cbuf_len,cbuf_off;
int sbuf_len,sbuf_off;
+ int mbuf_off;
fd_set readfds,writefds;
short port=PORT;
int full_log=1;
@@ -261,6 +264,7 @@
SSL_CTX *ctx=NULL;
int ret=1,in_init=1,i,nbio_test=0;
int starttls_proto = 0;
+ char *ehlo_hostname=NULL;
int prexit = 0, vflags = 0;
SSL_METHOD *meth=NULL;
#ifdef sock_type
@@ -472,6 +476,11 @@
else
goto bad;
}
+ else if (strcmp(*argv,-ehlo) == 0)
+ {
+ if (--argc 1) goto bad;
+ ehlo_hostname = *++argv;
+ }
#ifndef OPENSSL_NO_ENGINE
else if (strcmp(*argv,-engine) == 0)
{
@@ -717,11 +726,17 @@
cbuf_off=0;
sbuf_len=0;
sbuf_off=0;
+ mbuf_off=0;
/* This is an ugly hack that does a lot of assumptions */
if (starttls_proto == 1)
{
- BIO_read(sbio,mbuf,BUFSIZZ);
+ mbuf_off = BIO_read(sbio,mbuf,BUFSIZZ);
+ if (ehlo_hostname)
+ {
+ BIO_printf(sbio,EHLO %s\r\n,ehlo_hostname);
+ BIO_read(sbio,mbuf+mbuf_off,BUFSIZZ-mbuf_off);
+ }
BIO_printf(sbio,STARTTLS\r\n);
BIO_read(sbio,sbuf,BUFSIZZ);
}
