On Tue, Jul 07, 2015 at 01:35:00PM +0100, Stuart Henderson wrote:
> On 2015/07/06 13:40, Landry Breuil wrote:
> > Hi,
> > 
> > I'm not an SSL hacker at all, but while debugging openssl -starttls
> > issues against an xmpp server, I stumbled upon
> > https://rt.openssl.org/Ticket/Display.html?id=2860&user=guest&pass=guest
> > which fixes some issue with -starttls xmpp and adds the possibility to
> > use -xmpphost in case there's some virtual host. Backported the patch to
> > libressl and applied style(9), works fine here in basic testing against
> > prosody, before -starttls xmpp host was just stalling. I haven't touched
> > the documentation chunks since I don't really know if we still use the
> > pod format or...
> 
> Seems useful to me, some of the starttls-based protocols can be a
> pain to diagnose without a tool like this.
> 
> It definitely needs the documentation chunk for -xmpphost though,
> it should go in src/usr.bin/openssl/openssl.1, and I think probably
> adding to sc_usage() in s_client.c.

New version with manpage & usage amended.

Landry
Index: openssl.1
===================================================================
RCS file: /cvs/src/usr.bin/openssl/openssl.1,v
retrieving revision 1.15
diff -u -r1.15 openssl.1
--- openssl.1   20 Jun 2015 01:07:25 -0000      1.15
+++ openssl.1   8 Jul 2015 04:42:04 -0000
@@ -7137,6 +7137,13 @@
 command for more information.
 .It Fl connect Ar host : Ns Ar port
 This specifies the host and optional port to connect to.
+.It Fl xmpphost Ar hostname
+This option, when used with
+.Fl starttls Ar xmpp,
+specifies the host for the "to" attribute of the stream element.
+If this option is not specified, then the host specified with
+.Fl connect
+will be used.
 .It Fl key Ar keyfile
 The private key to use.
 If not specified, the certificate file will be used.
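Review bot: in the new `.It Fl xmpphost` entry the comma in `.Fl starttls Ar xmpp,` is glued to the argument, so mdoc treats it as part of `xmpp` and renders it in the argument font; make it a separate token, `.Fl starttls Ar xmpp ,`, and use `.Dq to` rather than literal double quotes around the attribute name. Since the option only does anything together with `-starttls xmpp`, it would also read better next to the `.Fl starttls` entry than wedged between `.Fl connect` and `.Fl key`.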
Index: s_client.c
===================================================================
RCS file: /cvs/src/usr.bin/openssl/s_client.c,v
retrieving revision 1.13
diff -u -r1.13 s_client.c
--- s_client.c  14 Apr 2015 12:56:36 -0000      1.13
+++ s_client.c  8 Jul 2015 04:42:04 -0000
@@ -238,6 +238,7 @@
        BIO_printf(bio_err, "                 'prot' defines which one to 
assume.  Currently,\n");
        BIO_printf(bio_err, "                 only \"smtp\", \"lmtp\", 
\"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
        BIO_printf(bio_err, "                 are supported.\n");
+       BIO_printf(bio_err, " -xmpphost host - connect to this virtual host on 
the xmpp server\n");
 #ifndef OPENSSL_NO_ENGINE
        BIO_printf(bio_err, " -engine id    - Initialise and use the specified 
engine\n");
 #endif
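Review bot: the usage line for `-xmpphost` ("connect to this virtual host on the xmpp server") overstates the option: the connection still goes to the `-connect` target, and the only thing the new value changes is the `to` attribute of the opening stream header, which is how the manpage chunk describes it. Suggest wording that agrees with the manpage, e.g. `-xmpphost host - host for the 'to' attribute of the XMPP stream header`.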
@@ -335,6 +336,7 @@
        char *port = PORT_STR;
        int full_log = 1;
        char *host = SSL_HOST_NAME;
+       char *xmpphost = NULL;
        char *proxy = NULL, *connect = NULL;
        char *cert_file = NULL, *key_file = NULL;
        int cert_format = FORMAT_PEM, key_format = FORMAT_PEM;
@@ -415,6 +417,10 @@
                        if (--argc < 1)
                                goto bad;
                        proxy = *(++argv);
+               } else if (strcmp(*argv,"-xmpphost") == 0) {
+                       if (--argc < 1)
+                               goto bad;
+                       xmpphost= *(++argv);
                } else if (strcmp(*argv, "-verify") == 0) {
                        verify = SSL_VERIFY_PEER;
                        if (--argc < 1)
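Review bot: two style(9) nits in the new `-xmpphost` branch: `strcmp(*argv,"-xmpphost")` wants a space after the comma and `xmpphost= *(++argv);` wants one before the `=`; the neighbouring `strcmp(*argv, "-verify")` and `proxy = *(++argv);` show the expected form.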
@@ -985,13 +991,16 @@
                int seen = 0;
                BIO_printf(sbio, "<stream:stream "
                    "xmlns:stream='http://etherx.jabber.org/streams' "
-                   "xmlns='jabber:client' to='%s' version='1.0'>", host);
+                   "xmlns='jabber:client' to='%s' version='1.0'>", xmpphost? 
xmpphost:host);
                seen = BIO_read(sbio, mbuf, BUFSIZZ);
                mbuf[seen] = 0;
-               while (!strstr(mbuf, "<starttls 
xmlns='urn:ietf:params:xml:ns:xmpp-tls'")) {
-                       if (strstr(mbuf, "/stream:features>"))
-                               goto shut;
+               while (!strstr(mbuf, "<starttls 
xmlns='urn:ietf:params:xml:ns:xmpp-tls'") &&
+                      !strstr(mbuf, "<starttls 
xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\"")) {
                        seen = BIO_read(sbio, mbuf, BUFSIZZ);
+
+                       if (seen <= 0)
+                               goto shut;
+
                        mbuf[seen] = 0;
                }
                BIO_printf(sbio, "<starttls 
xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>");
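Review bot: the `seen <= 0` check added inside the loop should also cover the first read just above it (`seen = BIO_read(sbio, mbuf, BUFSIZZ); mbuf[seen] = 0;`), which remains unchecked: if the server closes the connection or the read fails before any data arrives, `seen` is 0 or -1 and `mbuf[seen] = 0` writes before the start of the buffer. Both `mbuf[seen] = 0` writes also assume `mbuf` holds BUFSIZZ + 1 bytes, since a full read leaves no room for the terminator; worth confirming at the allocation, which is outside this hunk. Dropping the `/stream:features>` bail-out changes behaviour as well: against a server that never offers STARTTLS, the loop now blocks in `BIO_read` until the peer closes the stream instead of going to `shut` as soon as the features list ends, so consider keeping that test next to the new `seen <= 0` one. Minor: `xmpphost? xmpphost:host` wants spaces around `?` and `:` per style(9).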

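As an added example (not code from Landry's patch or from the LibreSSL tree), the pre-TLS part of the XMPP exchange written so that the cases the patch touches are handled explicitly: the `to` attribute falls back from `-xmpphost` to the connect host, the STARTTLS feature is recognised whether the server quotes `xmlns` with `'` or `"`, a feature tag split across two reads is still found because the server output is accumulated instead of overwritten per read, and a features list that closes without STARTTLS is reported rather than waited on. The buffer size, the function and type names and the server output fed in `main` are this example's own assumptions.

```c
/* Added example, not code from the patch or from LibreSSL; the buffer size
 * and the function and type names are this example's own assumptions. */
#include <stdio.h>
#include <string.h>

#define XMPP_TLS_NS	"urn:ietf:params:xml:ns:xmpp-tls"

enum xmpp_tls_state {
	XMPP_TLS_NEED_MORE,	/* features not complete yet, keep reading */
	XMPP_TLS_OFFERED,	/* STARTTLS feature seen, send <starttls/> */
	XMPP_TLS_ABSENT,	/* features ended without STARTTLS, give up */
	XMPP_TLS_ERROR		/* more pre-TLS output than we will buffer */
};

struct xmpp_scan {
	char	buf[4096];	/* assumed bound on pre-TLS server output */
	size_t	len;
};

/* Opening stream header: 'to' is xmpphost if given, else the connect host. */
int xmpp_stream_header(char *out, size_t outsz, const char *host,
    const char *xmpphost)
{
	int r = snprintf(out, outsz,
	    "<stream:stream xmlns:stream='http://etherx.jabber.org/streams' "
	    "xmlns='jabber:client' to='%s' version='1.0'>",
	    xmpphost != NULL ? xmpphost : host);
	return (r < 0 || (size_t)r >= outsz) ? -1 : r;	/* -1: truncated */
}

/* Is a complete <starttls xmlns=Q...xmpp-tlsQ ...> tag present, Q being
 * either ' or "?  A tag whose '>' has not arrived yet does not count. */
static int has_starttls_feature(const char *buf)
{
	const char *p = buf, *end, *ns;
	size_t nslen = strlen(XMPP_TLS_NS);

	while ((p = strstr(p, "<starttls")) != NULL) {
		p += strlen("<starttls");
		if (*p != ' ' && *p != '\t' && *p != '\r' && *p != '\n')
			continue;		/* some other element name */
		if ((end = strchr(p, '>')) == NULL)
			return 0;		/* tag split by the read */
		ns = strstr(p, "xmlns=");
		if (ns != NULL && ns < end && (ns[6] == '\'' || ns[6] == '"') &&
		    strncmp(ns + 7, XMPP_TLS_NS, nslen) == 0 &&
		    ns[7 + nslen] == ns[6])
			return 1;
		p = end;
	}
	return 0;
}

/* What the client should do given everything read so far. */
enum xmpp_tls_state xmpp_tls_decide(const char *buf)
{
	if (has_starttls_feature(buf))
		return XMPP_TLS_OFFERED;
	if (strstr(buf, "</stream:features>") != NULL ||
	    strstr(buf, "<stream:features/>") != NULL)
		return XMPP_TLS_ABSENT;	/* list closed, no STARTTLS */
	return XMPP_TLS_NEED_MORE;
}

/* Append one chunk as BIO_read would return it, then rescan the whole. */
enum xmpp_tls_state xmpp_scan_feed(struct xmpp_scan *s, const char *chunk,
    size_t n)
{
	if (n >= sizeof(s->buf) - s->len)
		return XMPP_TLS_ERROR;	/* keep room for the terminator */
	memcpy(s->buf + s->len, chunk, n);
	s->len += n;
	s->buf[s->len] = '\0';
	return xmpp_tls_decide(s->buf);
}

int main(void)
{
	/* Constructed server output, split mid-tag as a socket read might. */
	static const char *const chunks[] = {
		"<stream:stream xmlns='jabber:client' version='1.0'>",
		"<stream:features><starttls xmlns=\"urn:ietf:params:xml:ns:xmp",
		"p-tls\"><required/></starttls></stream:features>",
	};
	struct xmpp_scan s = { .len = 0 };
	enum xmpp_tls_state st = XMPP_TLS_NEED_MORE;
	char hdr[256];
	size_t i;

	if (xmpp_stream_header(hdr, sizeof(hdr), "192.0.2.10", "example.org") < 0)
		return 1;
	printf("C: %s\n", hdr);
	for (i = 0; i < sizeof(chunks) / sizeof(chunks[0]); i++)
		st = xmpp_scan_feed(&s, chunks[i], strlen(chunks[i]));
	if (st == XMPP_TLS_OFFERED)
		printf("C: <starttls xmlns='%s'/>\n", XMPP_TLS_NS);
	return st == XMPP_TLS_OFFERED ? 0 : 1;
}
```

Feeding the chunks one at a time is the point: after the second read the buffer ends inside the xmlns value, so `has_starttls_feature` sees no closing `>` and asks for more instead of either matching or giving up, and a server that sends only SASL mechanisms inside `<stream:features>` yields `XMPP_TLS_ABSENT` at the closing tag instead of a blocked read.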