Re: [PATCH] `s_client -starttls smtp' fails if not using EHLO

2005-12-31 Thread Goetz Babin-Ebell

Pavel Gorshkov wrote:

> Some SMTP servers require a HELO/EHLO command before a STARTTLS,
> e.g.:
>
> [...]
>
> The attached patch (against openssl-0.9.8a) adds the `-ehlo'
> option to s_client:
>
>  -ehlo hostname - use the EHLO smtp command before issuing STARTTLS
>  (to be used in conjunction with -starttls smtp)
>
> with this patch, s_client successfully connects and shows the
> certificate:


This patch solves only smtp.
But there are many more protocols using STARTTLS

Has anybody thought about a plugin interface or a different way
to handle the startup ?

Either a -manualstart starttext command that opens the socket,
 forwards stdin to the socket and data from the socket to stdout,
 and starts TLS after it receives the given starttext from stdin.
Or the -startcmd cmd command, that calls the specified command
 to do the initial handshake (and starts TLS if the command
 returns without error...

Bye

Goetz

--
DMCA: The greed of the few outweighs the freedom of the many




Re: [PATCH] `s_client -starttls smtp' fails if not using EHLO

2005-12-31 Thread Pavel Gorshkov
On Sat, Dec 31, 2005 at 04:26:46PM +0100, Goetz Babin-Ebell wrote:
> This patch solves only smtp.
> But there are many more protocols using STARTTLS
>
> Has anybody thought about a plugin interface or a different way
> to handle the startup ?

I agree that it would be better to have a generalized approach.
Here's a relevant excerpt from gnutls-cli(1):

   -s, --starttls
  Connect, establish a plain session and start TLS when EOF or a
  SIGALRM is received.

this looks like a perfect solution except maybe when dealing with
a tricky binary protocol requiring you to perform multiple
authentication steps before a starttls.
(sorry for mentioning gnutls on this list)

Happy New Year!

--
Pavel Gorshkov
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   [EMAIL PROTECTED]


Re: [PATCH] `s_client -starttls smtp' fails if not using EHLO

2005-12-31 Thread Goetz Babin-Ebell

Pavel Gorshkov wrote:

> On Sat, Dec 31, 2005 at 04:26:46PM +0100, Goetz Babin-Ebell wrote:
>
> > This patch solves only smtp.
> > But there are many more protocols using STARTTLS
> >
> > Has anybody thought about a plugin interface or a different way
> > to handle the startup ?
>
> I agree that it would be better to have a generalized approach.
> Here's a relevant excerpt from gnutls-cli(1):
>
>    -s, --starttls
>   Connect, establish a plain session and start TLS when EOF or a
>   SIGALRM is received.

Seems usable.
But what if you want to use s_client with -starttls in a script ?

> this looks like a perfect solution except maybe when dealing with
> a tricky binary protocol requiring you to perform multiple
> authentication steps before a starttls.

For these cases (and others) my -startcmd cmd is the best way.
But normally starttls is used in sane (clear text) protocols...

> (sorry for mentioning gnutls on this list)

It's OK, you didn't say Jehovah
(which would lead to your stoning... ;-) )

By the way: Happy new year...)

Bye

Goetz

--
DMCA: The greed of the few outweighs the freedom of the many




Re: [PATCH] `s_client -starttls smtp' fails if not using EHLO

2005-12-31 Thread Kyle Hamilton
On 12/31/05, Goetz Babin-Ebell [EMAIL PROTECTED] wrote:
> Pavel Gorshkov wrote:
>
> > I agree that it would be better to have a generalized approach.
> > Here's a relevant excerpt from gnutls-cli(1):
> >
> >    -s, --starttls
> >   Connect, establish a plain session and start TLS when EOF or a
> >   SIGALRM is received.
>
> Seems usable.
> But what if you want to use s_client with -starttls in a script ?

How about a means of specifying what file descriptor is being used for
the pre-starttls, while leaving stdin open for additional data after
the starttls succeeds?

-Kyle H


[PATCH] `s_client -starttls smtp' fails if not using EHLO

2005-12-27 Thread Pavel Gorshkov
Some SMTP servers require a HELO/EHLO command before a STARTTLS,
e.g.:

$ telnet mail.sourceforge.net 25
220 mail.sourceforge.net ESMTP Exim 4.44 ...
STARTTLS
503 STARTTLS command used when not advertised

for instance, when I try to retrieve the server certificate for
mail.sourceforge.net:25 using `-starttls smtp -showcerts':

$ openssl s_client -connect mail.sourceforge.net:25 \
-starttls smtp -CApath /etc/ssl/certs -showcerts

it fails with an error message like:

CONNECTED(0003)
9829:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:567:


The attached patch (against openssl-0.9.8a) adds the `-ehlo'
option to s_client:

 -ehlo hostname - use the EHLO smtp command before issuing STARTTLS
 (to be used in conjunction with -starttls smtp)

with this patch, s_client successfully connects and shows the
certificate:

$ openssl s_client -connect mail.sourceforge.net:25 -showcerts \
-starttls smtp -ehlo host.domain -CApath /etc/ssl/certs
...
Verify return code: 0 (ok)
---
220 mail.sourceforge.net ESMTP Exim 4.44 Tue, 27 Dec 2005 10:58:18 -0800 sc8-sf-mx1.sourceforge.net
250-mail.sourceforge.net Hello ppp85-140-15-108.pppoe.mtu-net.ru [85.140.15.108]
250-SIZE 1048576
250-EXPN
250-PIPELINING
250-STARTTLS
250 HELP


--
Pavel Gorshkov
--- openssl-0.9.8a.orig/apps/s_client.c Sat Oct  1 03:38:19 2005
+++ openssl-0.9.8a/apps/s_client.c  Tue Dec 27 18:43:52 2005
@@ -227,6 +227,8 @@
BIO_printf(bio_err, for those protocols that support 
it, where\n);
BIO_printf(bio_err, 'prot' defines which one to 
assume.  Currently,\n);
BIO_printf(bio_err, only \smtp\ and \pop3\ are 
supported.\n);
+   BIO_printf(bio_err, -ehlo hostname - use the EHLO smtp command before 
issuing STARTTLS\n);
+   BIO_printf(bio_err, (to be used in conjunction with 
-starttls smtp)\n);
 #ifndef OPENSSL_NO_ENGINE
BIO_printf(bio_err, -engine id- Initialise and use the specified 
engine\n);
 #endif
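Review bot: the new usage lines say -ehlo is "to be used in conjunction with -starttls smtp" but not what happens otherwise; since the option parser accepts -ehlo unconditionally, either document here that it is ignored unless -starttls smtp is also given or reject that combination, and line the two new lines up with the two-column layout of the surrounding entries (option on the left, description on the right) so the help output stays readable.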
@@ -245,6 +247,7 @@
char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL;
int cbuf_len,cbuf_off;
int sbuf_len,sbuf_off;
+   int mbuf_off;
fd_set readfds,writefds;
short port=PORT;
int full_log=1;
@@ -261,6 +264,7 @@
SSL_CTX *ctx=NULL;
int ret=1,in_init=1,i,nbio_test=0;
int starttls_proto = 0;
+   char *ehlo_hostname=NULL;
int prexit = 0, vflags = 0;
SSL_METHOD *meth=NULL;
 #ifdef sock_type
@@ -472,6 +476,11 @@
else
goto bad;
}
+   else if (strcmp(*argv,-ehlo) == 0)
+   {
+   if (--argc  1) goto bad;
+   ehlo_hostname = *++argv;
+   }
 #ifndef OPENSSL_NO_ENGINE
else if (strcmp(*argv,-engine) == 0)
{
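Review bot: -ehlo is accepted whether or not -starttls was given, so `-ehlo host` on its own is silently ignored and the user still gets the "unknown protocol" failure from the report. After argument parsing, add a check such as `if (ehlo_hostname && starttls_proto != 1) goto bad;` (or at least print a warning to bio_err). Since the value is later written straight into the EHLO line, also reject a hostname containing CR or LF so a stray newline cannot split it into two SMTP commands.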
@@ -717,11 +726,17 @@
cbuf_off=0;
sbuf_len=0;
sbuf_off=0;
+   mbuf_off=0;
 
/* This is an ugly hack that does a lot of assumptions */
if (starttls_proto == 1)
{
-   BIO_read(sbio,mbuf,BUFSIZZ);
+   mbuf_off = BIO_read(sbio,mbuf,BUFSIZZ);
+   if (ehlo_hostname)
+   {
+   BIO_printf(sbio,EHLO %s\r\n,ehlo_hostname);
+   BIO_read(sbio,mbuf+mbuf_off,BUFSIZZ-mbuf_off);
+   }
BIO_printf(sbio,STARTTLS\r\n);
BIO_read(sbio,sbuf,BUFSIZZ);
}
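Review bot: both BIO_read results are used without being checked. `mbuf_off = BIO_read(sbio,mbuf,BUFSIZZ);` stores -1 on error or 0 on EOF, and the next read then computes `mbuf+mbuf_off` and `BUFSIZZ-mbuf_off` from it, which in the -1 case writes before the buffer with an oversized length; bail out on `mbuf_off <= 0` before writing EHLO. The EHLO read also assumes the whole multi-line 250 reply (five lines in the transcript above) arrives in a single read; if it is split, the remainder is swallowed by the later `BIO_read(sbio,sbuf,BUFSIZZ)` after STARTTLS is sent, so the STARTTLS reply is never seen and the handshake starts against leftover plaintext. Reading line by line until a line of the form "250 " (space, not hyphen), checking that STARTTLS was advertised, and verifying the STARTTLS reply is 220 before handing the BIO to SSL would make this robust and would let the tool report a 503 cleanly instead of the unknown-protocol error.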
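The plaintext prelude the report describes, as an added example that is not part of the original post or of OpenSSL's s_client: a small Python client reads the greeting, sends EHLO, collects the multi-line 250 reply until its final line (so a reply split across several reads is handled), checks that STARTTLS is among the advertised keywords, and only then sends STARTTLS and looks for 220. It is driven against a constructed in-memory server that behaves like the Exim host quoted above, answering 503 to STARTTLS unless EHLO came first. The server transcript, the EHLO name client.example and the chunk size that splits replies are all assumptions; fetch_peer_cert runs the same prelude on a real socket and then starts TLS on it, and is not exercised offline.

```python
import re
import socket
import ssl


class SmtpError(Exception):
    pass


class FakeSmtpServer:
    """Constructed stand-in for the Exim host in the report: greets, answers
    EHLO with a multi-line 250 reply advertising STARTTLS, and answers
    STARTTLS with 503 unless EHLO was seen first.  recv() hands back at most
    `chunk` bytes so that replies arrive split across several reads."""

    def __init__(self, chunk=7):
        self.chunk = chunk
        self.saw_ehlo = False
        self.tls_started = False
        self.out = b"220 mail.example ESMTP constructed greeting\r\n"

    def sendall(self, data):
        line = data.decode("ascii", "replace").rstrip("\r\n")
        verb, _, arg = line.partition(" ")
        if verb.upper() == "EHLO":
            self.saw_ehlo = True
            self.out += (b"250-mail.example Hello " + arg.encode() + b"\r\n"
                         b"250-SIZE 1048576\r\n250-PIPELINING\r\n"
                         b"250-STARTTLS\r\n250 HELP\r\n")
        elif verb.upper() == "STARTTLS" and self.saw_ehlo:
            self.tls_started = True
            self.out += b"220 TLS go ahead\r\n"
        elif verb.upper() == "STARTTLS":
            self.out += b"503 STARTTLS command used when not advertised\r\n"
        else:
            self.out += b"500 unrecognised command\r\n"

    def recv(self, n):
        n = min(n, self.chunk)
        data, self.out = self.out[:n], self.out[n:]
        return data


# 'NNN-text' continues a reply, 'NNN text' (or a bare 'NNN') ends it.
REPLY_LINE = re.compile(rb"^(\d{3})(?:([ -])(.*))?$")


class StartTlsNegotiator:
    """The plaintext prelude s_client runs before its TLS handshake, done with
    a buffered line reader instead of one read per step."""

    def __init__(self, sock, ehlo_name):
        self.sock, self.ehlo_name, self.buf = sock, ehlo_name, b""

    def _readline(self):
        while b"\r\n" not in self.buf:
            chunk = self.sock.recv(4096)
            if not chunk:
                raise SmtpError("connection closed before the reply was complete")
            self.buf += chunk
        line, _, self.buf = self.buf.partition(b"\r\n")
        return line

    def read_reply(self):
        """Collect lines until the final one; returns (code, [text per line])."""
        lines = []
        while True:
            m = REPLY_LINE.match(self._readline())
            if not m:
                raise SmtpError("malformed reply line")
            code, sep, text = int(m.group(1)), m.group(2) or b" ", m.group(3) or b""
            if lines and lines[0][0] != code:
                raise SmtpError("reply code changed mid-reply")
            lines.append((code, text.decode("ascii", "replace")))
            if sep == b" ":
                return code, [t for _, t in lines]

    def command(self, cmd):
        # A CR or LF inside the EHLO argument would turn one command into two.
        if "\r" in cmd or "\n" in cmd:
            raise ValueError("CR/LF in SMTP command")
        self.sock.sendall(cmd.encode("ascii") + b"\r\n")
        return self.read_reply()

    def negotiate(self, send_ehlo=True):
        """Returns (STARTTLS reply code, EHLO keywords seen).  220 means the
        TLS handshake may start on this socket; 503 (what the report got with
        no EHLO) means the next bytes are still plaintext SMTP, which is what
        s_client's 'unknown protocol' error was choking on."""
        code, lines = self.read_reply()
        if code != 220:
            raise SmtpError("unexpected greeting %d %s" % (code, lines[0]))
        keywords = []
        if send_ehlo:
            code, lines = self.command("EHLO " + self.ehlo_name)
            if code != 250:
                raise SmtpError("EHLO rejected with %d" % code)
            keywords = [l.split(None, 1)[0].upper() for l in lines[1:] if l.strip()]
            if "STARTTLS" not in keywords:
                raise SmtpError("server does not advertise STARTTLS")
        code, _ = self.command("STARTTLS")
        return code, keywords


def run_fake(send_ehlo, chunk=7):
    """Drive the prelude against the constructed server; returns
    (STARTTLS reply code, keywords, whether the server switched to TLS)."""
    server = FakeSmtpServer(chunk=chunk)
    code, keywords = StartTlsNegotiator(server, "client.example").negotiate(send_ehlo)
    return code, keywords, server.tls_started


def fetch_peer_cert(host, port=25, ehlo_name="client.example", timeout=10):
    """Same prelude on a real socket, then TLS on that socket; returns the peer
    certificate, the equivalent of `s_client -starttls smtp -showcerts`."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        code, _ = StartTlsNegotiator(sock, ehlo_name).negotiate()
        if code != 220:
            raise SmtpError("STARTTLS refused with %d" % code)
        ctx = ssl.create_default_context()
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print("with EHLO:   ", run_fake(True))
    print("without EHLO:", run_fake(False))
```

With chunk=1 every reply arrives one byte per recv and the negotiation still succeeds, which is the case the one-read-per-step approach in the patch does not cover; skipping EHLO reproduces the 503 from the report before any TLS bytes are exchanged.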