Bug 219805 - security/openssl: openssl s_client and XMPP
Summary: security/openssl: openssl s_client and XMPP
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any
OS: Any
Importance: --- Affects Only Me
Assignee: Bernard Spil
URL: https://github.com/openssl/openssl/co...
Keywords: needs-qa
Depends on:
Blocks:
 
Reported: 2017-06-05 20:55 UTC by Alexey
Modified: 2017-07-24 09:52 UTC

See Also:
koobs: maintainer-feedback? (brnrd)
koobs: merge-quarterly?


Attachments
Add checking for extra " from XMPP server (1.10 KB, patch)
2017-06-07 22:06 UTC, Alexey
no flags

Description Alexey 2017-06-05 20:55:19 UTC
Hello!

I tried to check the SSL cert from an XMPP server. According to the documentation, a command like

/usr/local/bin/openssl s_client -servername "xmpp.google.com" -connect "xmpp.google.com":"5222" -starttls "xmpp"

will connect to the XMPP server, start a TLS session and return the SSL cert to STDOUT. But under FreeBSD I got this error instead:

CONNECTED(00000004)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 385 bytes and written 120 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated

When I tried to run the same command under Fedora, it returned the expected cert.
FreeBSD version from ports:
/usr/local/bin/openssl version
OpenSSL 1.0.2l  25 May 2017
and Fedora:
OpenSSL 1.0.2k-fips  26 Jan 2017

If we check the SRPM of the Fedora package, we will see the patch openssl-1.0.2a-xmpp-starttls.patch:
--- openssl-1.0.2a/apps/s_client.c.starttls    2015-04-22 18:23:12.964387157 +0200
+++ openssl-1.0.2a/apps/s_client.c    2015-04-22 18:23:56.496414820 +0200
@@ -134,7 +134,8 @@
  * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
  * OTHERWISE.
  */
-
+/* for strcasestr */
+#define _GNU_SOURCE
 #include <assert.h>
 #include <ctype.h>
 #include <stdio.h>
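Review bot: `#define _GNU_SOURCE` is a glibc feature macro, so this hunk ties the build to glibc's way of exposing strcasestr; on FreeBSD libc strcasestr is declared without it and the define is simply inert, which is why the port builds but the patch is not portable as written. It does sit ahead of the first #include, which is required for a feature macro to take effect. Since the report itself says upstream fixed the bug by adding only the second quote variant, a plain strstr check for both quote styles would avoid the non-standard function and the macro entirely.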
@@ -1626,8 +1627,11 @@ int MAIN(int argc, char **argv)
                    "xmlns='jabber:client' to='%s' version='1.0'>", host);
         seen = BIO_read(sbio, mbuf, BUFSIZZ);
         mbuf[seen] = 0;
-        while (!strstr
-               (mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'")) {
+        while (!strcasestr
+               (mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'")
+               && !strcasestr(mbuf,
+                              "<starttls xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\""))
+        {
             if (strstr(mbuf, "/stream:features>"))
                 goto shut;
             seen = BIO_read(sbio, mbuf, BUFSIZZ);
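Review bot: the return value of BIO_read is used unchecked as an index in `mbuf[seen] = 0;` before the loop, and the read inside the loop has no `seen <= 0` exit either, so a read error (-1) writes to mbuf[-1] and a closed connection (0) leaves the loop re-reading an empty buffer until it happens to contain `/stream:features>`; the loop condition should also break when `seen <= 0`. Separately, each iteration overwrites mbuf rather than appending to it, so a `<starttls ...>` tag that straddles two reads matches neither strcasestr call and the loop only ends once `/stream:features>` shows up, at which point it gives up on STARTTLS.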

---

and we can see the same changes in the 1.1 (not 1.0.X) OpenSSL tree in Git (5 years ago!)
https://github.com/openssl/openssl/commit/4e48c77572a9a96a301e362a3646cd3cc7eca0f9

They simply added a second check with the extra " in the string;
the Fedora patch also added a non-case-sensitive test.

Can we merge such a simple patch into the ports tree?
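As an added example (not OpenSSL's or the port's own code), here is a stand-alone C re-implementation of the check the patch changes: it accepts either quote style around the xmlns value, compares case-insensitively like the Fedora patch does, and, going beyond the hunk, appends successive reads to an accumulator so a tag split across two reads is still found and a read loop that ends without seeing `/stream:features>` is reported as a failure rather than spinning. The function names, the 4096-byte accumulator and the sample replies are this example's own assumptions; the sample replies are constructed, not captured from xmpp.google.com.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive substring search. strcasestr is not in C99/POSIX (glibc
 * hides it behind _GNU_SOURCE), so this example carries its own. */
static const char *ci_strstr(const char *hay, const char *needle)
{
    size_t n = strlen(needle);

    if (n == 0)
        return hay;
    for (; *hay != '\0'; hay++) {
        size_t i;

        for (i = 0; i < n; i++) {
            if (hay[i] == '\0')
                return NULL;            /* remaining text shorter than needle */
            if (tolower((unsigned char)hay[i]) != tolower((unsigned char)needle[i]))
                break;
        }
        if (i == n)
            return hay;
    }
    return NULL;
}

#define XMPP_TLS_NS "urn:ietf:params:xml:ns:xmpp-tls"

/* 1 if buf carries a <starttls> element in the xmpp-tls namespace with the
 * xmlns value in either single or double quotes (the case this bug is about). */
int xmpp_starttls_offered(const char *buf)
{
    return ci_strstr(buf, "<starttls xmlns='" XMPP_TLS_NS "'") != NULL
        || ci_strstr(buf, "<starttls xmlns=\"" XMPP_TLS_NS "\"") != NULL;
}

/* 1 once the closing </stream:features> has arrived: the server has listed
 * everything it offers, so STARTTLS is not coming if it was not seen yet. */
int xmpp_features_done(const char *buf)
{
    return strstr(buf, "/stream:features>") != NULL;
}

/* Replay s_client's read loop over a sequence of received chunks, but append
 * each chunk to an accumulator instead of overwriting the buffer, so a tag
 * split across two reads still matches. Returns 1 if STARTTLS was offered,
 * 0 if the features ended without it, -1 if input ended or would overflow. */
int xmpp_scan_chunks(const char *const chunks[], size_t nchunks)
{
    char acc[4096];                     /* assumed size, this example's own */
    size_t used = 0;
    size_t i;

    acc[0] = '\0';
    for (i = 0; i < nchunks; i++) {
        size_t len = strlen(chunks[i]);

        if (used + len >= sizeof(acc))
            return -1;                  /* treat like a read error: give up */
        memcpy(acc + used, chunks[i], len);
        used += len;
        acc[used] = '\0';
        if (xmpp_starttls_offered(acc))
            return 1;
        if (xmpp_features_done(acc))
            return 0;
    }
    return -1;                          /* stream ended before a decision */
}

/* Constructed sample <stream:features> replies (not captured traffic). */
const char *const SAMPLE_DOUBLE_QUOTED[] = {
    "<stream:features><starttls xmlns=\"" XMPP_TLS_NS "\"><required/></starttls>"
    "</stream:features>"
};
const char *const SAMPLE_SINGLE_QUOTED[] = {
    "<stream:features><starttls xmlns='" XMPP_TLS_NS "'/></stream:features>"
};
/* The tag arrives in two reads; an overwrite-per-read loop sees neither half
 * match and then bails out on the /stream:features> in the second read. */
const char *const SAMPLE_SPLIT[] = {
    "<stream:features><starttls xm",
    "lns=\"" XMPP_TLS_NS "\"/></stream:features>"
};
const char *const SAMPLE_NO_TLS[] = {
    "<stream:features><mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"
    "<mechanism>PLAIN</mechanism></mechanisms></stream:features>"
};

int main(void)
{
    printf("double-quoted: %d\n", xmpp_scan_chunks(SAMPLE_DOUBLE_QUOTED, 1));
    printf("single-quoted: %d\n", xmpp_scan_chunks(SAMPLE_SINGLE_QUOTED, 1));
    printf("split tag:     %d\n", xmpp_scan_chunks(SAMPLE_SPLIT, 2));
    printf("no starttls:   %d\n", xmpp_scan_chunks(SAMPLE_NO_TLS, 1));
    return 0;
}
```

Build it with `cc -std=c99 -Wall xmpp_starttls.c` (the file name is arbitrary). The double-quoted sample is the shape of reply the report describes the unpatched 1.0.2 s_client choking on; the split sample is the extra case the accumulator handles that the patched loop in s_client still does not.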
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2017-06-06 04:47:36 UTC
Use correct summary (category/port: summary) and assign to maintainer
Comment 2 Kubilay Kocak freebsd_committer freebsd_triage 2017-06-06 04:48:35 UTC
@Alexey Thank you for your report.

Can you add the patch mentioned in the description/comment as an attachment in unified diff format, please?
Comment 3 Alexey 2017-06-07 22:06:38 UTC
Created attachment 183311 [details]
Add checking for extra " from XMPP server

I simply applied the attached patch (as I wrote, I got it from the official Fedora SRPM repo) after
# make clean patch
and before
# make all install
and it works!

---
$ /usr/local/bin/openssl s_client -servername "xmpp.google.com" -connect "xmpp.google.com":"5222" -starttls "xmpp" < /dev/null | fgrep Issue
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = *.google.com
verify return:1
DONE
---
Comment 4 commit-hook freebsd_committer freebsd_triage 2017-06-10 13:25:12 UTC
A commit references this bug:

Author: brnrd
Date: Sat Jun 10 13:24:11 UTC 2017
New revision: 443087
URL: https://svnweb.freebsd.org/changeset/ports/443087

Log:
  security/openssl: Fix xmpp STARTTLS

   - Add (refactored) patch from master branch

  PR:		219805
  Submitted by:	Alexey <fbsd98816551@avksrv.org>

Changes:
  head/security/openssl/files/patch-apps_s__client.c
Comment 5 Kubilay Kocak freebsd_committer freebsd_triage 2017-06-12 03:52:02 UTC
Re-open for MFH
Comment 6 Alexey 2017-06-13 21:42:50 UTC
Great! Now openssl from ports (security/openssl) works as expected.
Thank you.
Comment 7 Bernard Spil freebsd_committer freebsd_triage 2017-07-24 09:52:54 UTC
MFH happened with branching of 2017Q3