Bug 219805 - security/openssl: openssl s_client and XMPP
Summary: security/openssl: openssl s_client and XMPP
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Bernard Spil
URL: https://github.com/openssl/openssl/co...
Keywords: needs-qa
Depends on:
Blocks:
 
Reported: 2017-06-05 20:55 UTC by Alexey
Modified: 2017-07-24 09:52 UTC (History)
1 user (show)

See Also:
koobs: maintainer-feedback? (brnrd)
koobs: merge-quarterly?


Attachments
Add checking for extra " from XMPP server (1.10 KB, patch)
2017-06-07 22:06 UTC, Alexey
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Alexey 2017-06-05 20:55:19 UTC
Hello!

I tried t check SSL cert from XMPP server. Acording to documentaion command like 

/usr/local/bin/openssl s_client -servername "xmpp.google.com" -connect "xmpp.google.com":"5222" -starttls "xmpp"

will connect to XMPP server start TLS sessiona and return the SSL cert to STDOUT. But under FreeBSD I got the error instead

CONNECTED(00000004)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 385 bytes and written 120 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated

When I tried run same command under Fedora, it returns expected cert.
FreeBSD version from ports:
/usr/local/bin/openssl version
OpenSSL 1.0.2l  25 May 2017
and Fedora:
OpenSSL 1.0.2k-fips  26 Jan 2017

If we check the SRPM from fedora package, we will see patch openssl-1.0.2a-xmpp-starttls.patch 
--- openssl-1.0.2a/apps/s_client.c.starttls    2015-04-22 18:23:12.964387157 +0200
+++ openssl-1.0.2a/apps/s_client.c    2015-04-22 18:23:56.496414820 +0200
@@ -134,7 +134,8 @@
  * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
  * OTHERWISE.
  */
-
+/* for strcasestr */
+#define _GNU_SOURCE
 #include <assert.h>
 #include <ctype.h>
 #include <stdio.h>
@@ -1626,8 +1627,11 @@ int MAIN(int argc, char **argv)
                    "xmlns='jabber:client' to='%s' version='1.0'>", host);
         seen = BIO_read(sbio, mbuf, BUFSIZZ);
         mbuf[seen] = 0;
-        while (!strstr
-               (mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'")) {
+        while (!strcasestr
+               (mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'")
+               && !strcasestr(mbuf,
+                              "<starttls xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\""))
+        {
             if (strstr(mbuf, "/stream:features>"))
                 goto shut;
             seen = BIO_read(sbio, mbuf, BUFSIZZ);

---

and we can see same changes in 1.1 (not 1.0.X) open SSL tree in the GIT (5 years ago!)
https://github.com/openssl/openssl/commit/4e48c77572a9a96a301e362a3646cd3cc7eca0f9

They simple added second check with extra " in the string
fedora patch also added non case sens. test.

Can we merge such simple patch to the ports tree ?
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2017-06-06 04:47:36 UTC
Use correct summary (category/port: summary) and assign to maintainer
Comment 2 Kubilay Kocak freebsd_committer freebsd_triage 2017-06-06 04:48:35 UTC
@Alexey Thank you for your report.

Can you add the patch mentioned in the description/comment as an attachment in unified diff format please
Comment 3 Alexey 2017-06-07 22:06:38 UTC
Created attachment 183311 [details]
Add checking for extra " from XMPP server

I simple applied attached patch (as i wrote, got it from official Fedora SRPM repo) after 
# make clean patch
 and before 
# make all install
 and! it works!

---
$ /usr/local/bin/openssl s_client -servername "xmpp.google.com" -connect "xmpp.google.com":"5222" -starttls "xmpp" < /dev/nul
l | fgrep Issue
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = *.google.com
verify return:1
DONE
---
Comment 4 commit-hook freebsd_committer 2017-06-10 13:25:12 UTC
A commit references this bug:

Author: brnrd
Date: Sat Jun 10 13:24:11 UTC 2017
New revision: 443087
URL: https://svnweb.freebsd.org/changeset/ports/443087

Log:
  security/openssl: Fix xmpp STARTTLS

   - Add (refactored) patch from master branch

  PR:		219805
  Submitted by:	Alexey <fbsd98816551@avksrv.org>

Changes:
  head/security/openssl/files/patch-apps_s__client.c
Comment 5 Kubilay Kocak freebsd_committer freebsd_triage 2017-06-12 03:52:02 UTC
Re-open for MFH
Comment 6 Alexey 2017-06-13 21:42:50 UTC
Great! now openssl from ports (security/openssl) works as expected. 
Thanks you.
Comment 7 Bernard Spil freebsd_committer 2017-07-24 09:52:54 UTC
MFH happened with branching of 2017Q3