Bug 219805
| Summary: | security/openssl: openssl s_client and XMPP | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Ports & Packages | Reporter: | Alexey <ucu8u1b-ol> | ||||
| Component: | Individual Port(s) | Assignee: | Bernard Spil <brnrd> | ||||
| Status: | Closed FIXED | ||||||
| Severity: | Affects Only Me | CC: | brnrd | ||||
| Priority: | --- | Keywords: | needs-qa | ||||
| Version: | Latest | Flags: | koobs:
maintainer-feedback?
(brnrd) koobs: merge-quarterly? |
||||
| Hardware: | Any | ||||||
| OS: | Any | ||||||
| URL: | https://github.com/openssl/openssl/commit/4e48c77572a9a96a301e362a3646cd3cc7eca0f9 | ||||||
| Attachments: |
|
||||||
Use correct summary (category/port: summary) and assign to maintainer @Alexey Thank you for your report. Can you add the patch mentioned in the description/comment as an attachment in unified diff format please Created attachment 183311 [details]
Add checking for extra " from XMPP server
I simple applied attached patch (as i wrote, got it from official Fedora SRPM repo) after
# make clean patch
and before
# make all install
and! it works!
---
$ /usr/local/bin/openssl s_client -servername "xmpp.google.com" -connect "xmpp.google.com":"5222" -starttls "xmpp" < /dev/nul
l | fgrep Issue
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = *.google.com
verify return:1
DONE
---
A commit references this bug: Author: brnrd Date: Sat Jun 10 13:24:11 UTC 2017 New revision: 443087 URL: https://svnweb.freebsd.org/changeset/ports/443087 Log: security/openssl: Fix xmpp STARTTLS - Add (refactored) patch from master branch PR: 219805 Submitted by: Alexey <fbsd98816551@avksrv.org> Changes: head/security/openssl/files/patch-apps_s__client.c Re-open for MFH Great! now openssl from ports (security/openssl) works as expected. Thanks you. MFH happened with branching of 2017Q3 |
Hello! I tried t check SSL cert from XMPP server. Acording to documentaion command like /usr/local/bin/openssl s_client -servername "xmpp.google.com" -connect "xmpp.google.com":"5222" -starttls "xmpp" will connect to XMPP server start TLS sessiona and return the SSL cert to STDOUT. But under FreeBSD I got the error instead CONNECTED(00000004) --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 385 bytes and written 120 bytes --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated When I tried run same command under Fedora, it returns expected cert. FreeBSD version from ports: /usr/local/bin/openssl version OpenSSL 1.0.2l 25 May 2017 and Fedora: OpenSSL 1.0.2k-fips 26 Jan 2017 If we check the SRPM from fedora package, we will see patch openssl-1.0.2a-xmpp-starttls.patch --- openssl-1.0.2a/apps/s_client.c.starttls 2015-04-22 18:23:12.964387157 +0200 +++ openssl-1.0.2a/apps/s_client.c 2015-04-22 18:23:56.496414820 +0200 @@ -134,7 +134,8 @@ * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR * OTHERWISE. */ - +/* for strcasestr */ +#define _GNU_SOURCE #include <assert.h> #include <ctype.h> #include <stdio.h> @@ -1626,8 +1627,11 @@ int MAIN(int argc, char **argv) "xmlns='jabber:client' to='%s' version='1.0'>", host); seen = BIO_read(sbio, mbuf, BUFSIZZ); mbuf[seen] = 0; - while (!strstr - (mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'")) { + while (!strcasestr + (mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'") + && !strcasestr(mbuf, + "<starttls xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\"")) + { if (strstr(mbuf, "/stream:features>")) goto shut; seen = BIO_read(sbio, mbuf, BUFSIZZ); --- and we can see same changes in 1.1 (not 1.0.X) open SSL tree in the GIT (5 years ago!) https://github.com/openssl/openssl/commit/4e48c77572a9a96a301e362a3646cd3cc7eca0f9 They simple added second check with extra " in the string fedora patch also added non case sens. test. Can we merge such simple patch to the ports tree ?