On Tue, Jul 07, 2015 at 01:35:00PM +0100, Stuart Henderson wrote:
On 2015/07/06 13:40, Landry Breuil wrote:
Hi,
i'm not an ssl hacker at all, but while debugging openssl -starttls
issues against an xmpp server, i stumbled upon
https://rt.openssl.org/Ticket/Display.html?id=2860user=guestpass=guest
which fixes some issue with -starttls xmpp and adds the possibility to
use -xmpphost in case there's some virtualhost. Backported the patch to
libressl and applied style(9), works fine here in basic testing against
prosody, before -starttls xmpp host was just stalling. I havent touched
the documentation chunks since i dont really know if we still use the
pod format or...
Seems useful to me, some of the starttls-based protocols can be a
pain to diagnose without a tool like this.
It definitely needs the documentation chunk for -xmpphost though,
it should go in src/usr.bin/openssl/openssl.1, and I think probably
adding to sc_usage() in s_client.c.
New version with manpage usage amended.
Landry
Index: openssl.1
===
RCS file: /cvs/src/usr.bin/openssl/openssl.1,v
retrieving revision 1.15
diff -u -r1.15 openssl.1
--- openssl.1 20 Jun 2015 01:07:25 - 1.15
+++ openssl.1 8 Jul 2015 04:42:04 -
@@ -7137,6 +7137,13 @@
command for more information.
.It Fl connect Ar host : Ns Ar port
This specifies the host and optional port to connect to.
+.It Fl xmpphost Ar hostname
+This option, when used with
+.Fl starttls Ar xmpp,
+specifies the host for the to attribute of the stream element.
+If this option is not specified, then the host specified with
+.Fl connect
+will be used.
.It Fl key Ar keyfile
The private key to use.
If not specified, the certificate file will be used.
Index: s_client.c
===
RCS file: /cvs/src/usr.bin/openssl/s_client.c,v
retrieving revision 1.13
diff -u -r1.13 s_client.c
--- s_client.c 14 Apr 2015 12:56:36 - 1.13
+++ s_client.c 8 Jul 2015 04:42:04 -
@@ -238,6 +238,7 @@
BIO_printf(bio_err, 'prot' defines which one to
assume. Currently,\n);
BIO_printf(bio_err, only \smtp\, \lmtp\,
\pop3\, \imap\, \ftp\ and \xmpp\\n);
BIO_printf(bio_err, are supported.\n);
+ BIO_printf(bio_err, -xmpphost host - connect to this virtual host on
the xmpp server\n);
#ifndef OPENSSL_NO_ENGINE
BIO_printf(bio_err, -engine id- Initialise and use the specified
engine\n);
#endif
@@ -335,6 +336,7 @@
char *port = PORT_STR;
int full_log = 1;
char *host = SSL_HOST_NAME;
+ char *xmpphost = NULL;
char *proxy = NULL, *connect = NULL;
char *cert_file = NULL, *key_file = NULL;
int cert_format = FORMAT_PEM, key_format = FORMAT_PEM;
@@ -415,6 +417,10 @@
if (--argc 1)
goto bad;
proxy = *(++argv);
+ } else if (strcmp(*argv,-xmpphost) == 0) {
+ if (--argc 1)
+ goto bad;
+ xmpphost= *(++argv);
} else if (strcmp(*argv, -verify) == 0) {
verify = SSL_VERIFY_PEER;
if (--argc 1)
@@ -985,13 +991,16 @@
int seen = 0;
BIO_printf(sbio, stream:stream
xmlns:stream='http://etherx.jabber.org/streams'
- xmlns='jabber:client' to='%s' version='1.0', host);
+ xmlns='jabber:client' to='%s' version='1.0', xmpphost?
xmpphost:host);
seen = BIO_read(sbio, mbuf, BUFSIZZ);
mbuf[seen] = 0;
- while (!strstr(mbuf, starttls
xmlns='urn:ietf:params:xml:ns:xmpp-tls')) {
- if (strstr(mbuf, /stream:features))
- goto shut;
+ while (!strstr(mbuf, starttls
xmlns='urn:ietf:params:xml:ns:xmpp-tls')
+ !strstr(mbuf, starttls
xmlns=\urn:ietf:params:xml:ns:xmpp-tls\)) {
seen = BIO_read(sbio, mbuf, BUFSIZZ);
+
+ if (seen = 0)
+ goto shut;
+
mbuf[seen] = 0;
}
BIO_printf(sbio, starttls
xmlns='urn:ietf:params:xml:ns:xmpp-tls'/);