Bug 219805 - security/openssl: openssl s_client and XMPP
Summary: security/openssl: openssl s_client and XMPP
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Bernard Spil
URL: https://github.com/openssl/openssl/co...
Keywords: needs-qa
Depends on:
Reported: 2017-06-05 20:55 UTC by Alexey
Modified: 2017-07-24 09:52 UTC (History)

See Also:
koobs: maintainer-feedback? (brnrd)
koobs: merge-quarterly?

Add checking for extra " from XMPP server (1.10 KB, patch)
2017-06-07 22:06 UTC, Alexey

Description Alexey 2017-06-05 20:55:19 UTC

I tried to check the SSL cert from an XMPP server. According to the documentation, a command like 

/usr/local/bin/openssl s_client -servername "xmpp.google.com" -connect "xmpp.google.com":"5222" -starttls "xmpp"

will connect to the XMPP server, start a TLS session and return the SSL cert to STDOUT. But under FreeBSD I got this error instead

no peer certificate available
No client certificate CA names sent
SSL handshake has read 385 bytes and written 120 bytes
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated

When I tried to run the same command under Fedora, it returned the expected cert.
FreeBSD version from ports:
/usr/local/bin/openssl version
OpenSSL 1.0.2l  25 May 2017
and Fedora:
OpenSSL 1.0.2k-fips  26 Jan 2017

If we check the SRPM of the Fedora package, we will see the patch openssl-1.0.2a-xmpp-starttls.patch:
--- openssl-1.0.2a/apps/s_client.c.starttls    2015-04-22 18:23:12.964387157 +0200
+++ openssl-1.0.2a/apps/s_client.c    2015-04-22 18:23:56.496414820 +0200
@@ -134,7 +134,8 @@
+/* for strcasestr */
+#define _GNU_SOURCE
 #include <assert.h>
 #include <ctype.h>
 #include <stdio.h>
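Review bot: `#define _GNU_SOURCE` only takes effect if it precedes every system header, so placing it at the top of this include block (just before `#include <assert.h>`) is right only if nothing above this point in s_client.c already includes one; that should be confirmed. `strcasestr` is not in C or POSIX: on glibc it needs this macro, on FreeBSD `<string.h>` declares it regardless, and on a libc without it the build breaks, so a portable fallback would be safer than relying on the extension.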
@@ -1626,8 +1627,11 @@ int MAIN(int argc, char **argv)
                    "xmlns='jabber:client' to='%s' version='1.0'>", host);
         seen = BIO_read(sbio, mbuf, BUFSIZZ);
         mbuf[seen] = 0;
-        while (!strstr
-               (mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'")) {
+        while (!strcasestr
+               (mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'")
+               && !strcasestr(mbuf,
+                              "<starttls xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\""))
+        {
             if (strstr(mbuf, "/stream:features>"))
                 goto shut;
             seen = BIO_read(sbio, mbuf, BUFSIZZ);
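Review bot: the return value of `BIO_read` is still not checked before `mbuf[seen] = 0`; if the read fails or the peer closes the stream, `seen` is negative or zero, the write lands at `mbuf[-1]`, and the loop spins re-reading an empty buffer because neither the `<starttls` match nor the `/stream:features>` exit test can ever succeed. Suggest `if (seen <= 0) goto shut;` after each `BIO_read`. Two smaller points: the `strstr(mbuf, "/stream:features>")` exit test remains case-sensitive while the `<starttls` match became case-insensitive, so an upper-case close would no longer end the loop, and each iteration overwrites `mbuf` instead of appending, so an advertisement split across two reads is missed.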


and we can see the same changes in the 1.1 (not 1.0.X) OpenSSL tree in Git (5 years ago!)

They simply added a second check with an extra " in the string; the Fedora patch also added a non-case-sensitive test.

Can we merge such a simple patch into the ports tree?
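The failure described above comes from matching the server's STARTTLS advertisement against one fixed string. As an added example (not code from OpenSSL's s_client.c or from the Fedora patch), here is a small C check that accepts either quote style, any attribute order and any letter case for the tag and attribute names, while still requiring the exact xmpp-tls namespace value; the sample inputs in the test are constructed.

```c
/* Added example, not code from OpenSSL's s_client.c: a tolerant check for the
 * <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/> advertisement in the
 * server's <stream:features>. Instead of one fixed strstr() pattern it accepts
 * either quote style, any attribute order, and upper/lower case names. */
#include <ctype.h>
#include <string.h>

#define XMPP_TLS_NS "urn:ietf:params:xml:ns:xmpp-tls"

/* Case-insensitive prefix test; returns strlen(prefix) on match, else 0. */
static size_t prefix_ci(const char *s, const char *prefix)
{
    size_t i;
    for (i = 0; prefix[i] != '\0'; i++)
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)prefix[i]))
            return 0;
    return i;
}

/* Returns 1 if the NUL-terminated buffer holds a <starttls> start tag whose
 * xmlns attribute is exactly the XMPP STARTTLS namespace, 0 otherwise. */
int xmpp_offers_starttls(const char *buf)
{
    const size_t nslen = strlen(XMPP_TLS_NS);
    const char *p = buf;

    while ((p = strchr(p, '<')) != NULL) {
        const char *q = ++p;          /* next search resumes after this '<' */
        char quote = 0;

        if (!prefix_ci(q, "starttls"))
            continue;
        q += 8;
        if (!isspace((unsigned char)*q) && *q != '/' && *q != '>')
            continue;                 /* a different tag, e.g. <starttlsx> */

        /* walk the start tag; a '>' inside a quoted value does not end it */
        for (; *q != '\0' && (quote || *q != '>'); q++) {
            if (quote) {
                if (*q == quote)
                    quote = 0;
            } else if (*q == '\'' || *q == '"') {
                quote = *q;
            } else if (isspace((unsigned char)q[-1]) && prefix_ci(q, "xmlns")) {
                const char *v = q + 5;
                while (isspace((unsigned char)*v)) v++;
                if (*v != '=')
                    continue;         /* xmlns:prefix, not the default ns */
                v++;
                while (isspace((unsigned char)*v)) v++;
                if ((*v == '\'' || *v == '"')
                    && strncmp(v + 1, XMPP_TLS_NS, nslen) == 0
                    && v[1 + nslen] == *v)
                    return 1;         /* matched with either quote style */
            }
        }
    }
    return 0;
}
```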
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2017-06-06 04:47:36 UTC
Use correct summary (category/port: summary) and assign to maintainer
Comment 2 Kubilay Kocak freebsd_committer freebsd_triage 2017-06-06 04:48:35 UTC
@Alexey Thank you for your report.

Can you add the patch mentioned in the description/comment as an attachment in unified diff format, please?
Comment 3 Alexey 2017-06-07 22:06:38 UTC
Created attachment 183311
Add checking for extra " from XMPP server

I simply applied the attached patch (as I wrote, I got it from the official Fedora SRPM repo) after 
# make clean patch
 and before 
# make all install
 and it works!

$ /usr/local/bin/openssl s_client -servername "xmpp.google.com" -connect "xmpp.google.com":"5222" -starttls "xmpp" < /dev/null | fgrep Issue
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = *.google.com
verify return:1
Comment 4 commit-hook freebsd_committer 2017-06-10 13:25:12 UTC
A commit references this bug:

Author: brnrd
Date: Sat Jun 10 13:24:11 UTC 2017
New revision: 443087
URL: https://svnweb.freebsd.org/changeset/ports/443087

  security/openssl: Fix xmpp STARTTLS

   - Add (refactored) patch from master branch

  PR:		219805
  Submitted by:	Alexey <fbsd98816551@avksrv.org>

Comment 5 Kubilay Kocak freebsd_committer freebsd_triage 2017-06-12 03:52:02 UTC
Re-open for MFH
Comment 6 Alexey 2017-06-13 21:42:50 UTC
Great! Now openssl from ports (security/openssl) works as expected. 
Thank you.
Comment 7 Bernard Spil freebsd_committer 2017-07-24 09:52:54 UTC
MFH happened with branching of 2017Q3