support of option "-xmpphost <hostname>"

[drwetter]

Hi Peter,

jabber needs on a protocol level a hostname.:

Doesn't work: openssl s_client -connect talk.google.com:5222 -starttls xmpp DOES work: openssl s_client -connect talk.google.com:5222 -starttls xmpp -xmpphost gmail.com

(probably not very good example as google's IM is not anymore XMPP compatible as I've heard)

This patch adds the option -xmpphost <hostname> .

prompt|0% echo q | openssl32-static.xmpphost s_client -connect talk.google.com:5222 -starttls xmpp -xmpphost gmail.com 
CONNECTED(00000003)
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = gmail.com
verify return:1

---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=gmail.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEeTCCA2GgAwIBAgIIC0v9l+G/CPowDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTUwNjE4MDg1NDUzWhcNMTUwOTE2MDAwMDAw
WjBjMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzESMBAGA1UEAwwJZ21h
aWwuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqbf68cb3NnT6
R3IGvodAgijfpKR6iKgjCENQUVXGmItOEjcyNYiUAIhRG6vgZgM84MbNrORkFcM3
++aXGYETNunUPieQwh9tjAlWh8b2xvt4Gtnka2+DA0QSkvCrwSzQIHpSl7bijbrm
saum1B/mSe6+v2bS0RbNmSilvuC1fh8mO6IhGj+Mc3wmAl6JwMF8294alLt+ByPm
Cub25p+XyNZfkTxC80DewffqOPrHFJ9XyoNPTm9racPXf9kKqhWw7A5G6ROUN32x
xfuZCljgBM39VXZ8k1uSwUev7yEOSfb2dEIhhkkTSPNe/NZj//ptismUlJe4Ihmh
yzE9/TZ4HQIDAQABo4IBSTCCAUUwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUF
BwMCMCEGA1UdEQQaMBiCCWdtYWlsLmNvbYILKi5nbWFpbC5jb20waAYIKwYBBQUH
AQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIu
Y3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9vY3Nw
MB0GA1UdDgQWBBRtRI8rHBK2jIZUmv8kDbbskUDE/zAMBgNVHRMBAf8EAjAAMB8G
A1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMBcGA1UdIAQQMA4wDAYKKwYB
BAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8vcGtpLmdvb2dsZS5jb20v
R0lBRzIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQA2KMmUXVVbTPCqnJXWED/85gkZ
WWssZ3OL56hpUHsQM28hrapHWrd754e1iC96Q8FiWRYtd1hIRZf/UceO3ios085j
Aq8vobg2cv7mMf4uUXIfpdEErBGvZnnETld4hElNGv4N2GhN8M9T+9mX8k6lu3r1
Ad1nq0U9mZ+jNM9CvHbXHjHFuKZ4tjoyTF86i03r57iiI/Cl4ag1+Ydr4JF89FoD
NxQdIOamhh3Zv28TwW5yRukSCOCqp1tflBOrpCFH8BU5PXohovwIGJAugTEFIMQB
53+AfO3ZehhIb7aSwENW35lDkp1ut0BanLvqs7vbyAm88pjRPo+9fXQLiGEE
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=gmail.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2

---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits

---
SSL handshake has read 4143 bytes and written 653 bytes

---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    Session-ID: F8715837B3A5FF071BE14CC0526CDE39F86D9C14E6398D741D736A737FC93B3B
    Session-ID-ctx: 
    Master-Key: 1DE779C6A07F9674E7E29259D99EDC200258191240360DB0BE795A2A3745E788F48186E7429FE25A2F18945A51AF41AA
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 100800 (seconds)
    TLS session ticket:
    0000 - 6d 23 01 58 da ca 82 21-fd 42 bf e7 42 4a b1 0f   m#.X...!.B..BJ..
    0010 - 67 e6 a2 83 1d 87 e9 e1-0d 40 52 8a 60 4b bd 4b   g........@R.`K.K
    0020 - 74 e9 01 1b 8d c5 a9 62-cc f7 78 83 24 7d a9 38   t......b..x.$}.8
    0030 - fe 70 77 3c 65 aa cc 2b-0b 68 5d 5b b5 81 9b f2   .pw<e..+.h][....
    0040 - a5 57 d6 23 9d bc 84 57-6a 68 08 46 92 90 6d a1   .W.#...Wjh.F..m.
    0050 - de 9d d1 52 c6 e8 ba 32-f1 bf bc 51 7d 93 fd e8   ...R...2...Q}...
    0060 - 30 55 0c e8 c9 aa 61 d9-8c d4 0e 14 59 fe b9 5f   0U....a.....Y.._
    0070 - 96 3e f7 00 47 a7 15 13-13 52 0e f0 64 47 cd 19   .>..G....R..dG..
    0080 - a5 32 ec c2 c6 f9 b1 14-48 62 cd 0f 00 c7 07 0f   .2......Hb......
    0090 - bc aa 5b 5b d1 53 bd 10-1c 59 60 78 10 38 c8 b3   ..[[.S...Y`x.8..
    00a0 - 69 da 08 8d                                       i...

    Start Time: 1436200688
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

---
DONE
prompt|0% 

Source: http://t126982.encryption-openssl-cvs.encryptiontalk.info/openssl-source-code-branch-master-updated-d2625fd65772ce3de2563e648decd2d1074fd873-t126982.html . Newer branch: https://mta.openssl.org/pipermail/openssl-commits/2015-April/000947.html .

Cheers, Dirk

[PeterMosmans]

Thanks for the pull request Dirk - however it seems that this is already implemented :smile: Have you tried -servername ?

openssl s_client -connect talk.google.com:5222 -starttls xmpp -servername gmail.com

On the other hand I prefer it if this fork aligns as much as possible to the official masterbranch. I'll keep you posted...

[drwetter]

Am 07/07/2015 um 12:39 AM schrieb Peter Mosmans:

Thanks for the pull request Dirk - however it seems that this is already implemented :smile: Have you tried |-servername| ?

Oh! ok... I haven't tried at all -servername as it is for me the switch for SNI.

|openssl s_client -connect talk.google.com:5222 -starttls xmpp -servername gmail.com |

On the other hand I prefer it if this fork aligns as much as possible to the official masterbranch. I'll keep you posted...

Both would be great ;-)

I haven't found this patch in the git repo of vanilla openssl though: https://mta.openssl.org/pipermail/openssl-commits/2015-April/000947.html .

My 2 cents: Taking into consideration the old patch (I applied), the new one above and the name conflict xmpphost would make more sense to me.

Cheers, Dirk

[drwetter]

Am 07/07/2015 um 08:38 AM schrieb Dirk Wetter:

Am 07/07/2015 um 12:39 AM schrieb Peter Mosmans:

Thanks for the pull request Dirk - however it seems that this is already implemented :smile: Have you tried |-servername| ?

Oh! ok... I haven't tried at all -servername as it is for me the switch for SNI.

|openssl s_client -connect talk.google.com:5222 -starttls xmpp -servername gmail.com |

On the other hand I prefer it if this fork aligns as much as possible to the official masterbranch. I'll keep you posted...

Both would be great ;-)

I haven't found this patch in the git repo of vanilla openssl though: https://mta.openssl.org/pipermail/openssl-commits/2015-April/000947.html .

My 2 cents: Taking into consideration the old patch (I applied), the new one above and the name conflict xmpphost would make more sense to me.

I thought after your mail to go ahead and change testssl.sh to also add -servername as an option of this.

However a test (XMPP, STARTTLS) with a vanilla version of openssl stalled. It interprets that as SNI. So I think that switch because of it's ambiguity kind of problematic also.

Cheers, Dirk

[PeterMosmans]

Hi Dirk, Thanks for your feedback. I totally agree on the ambiguity part and will implement the change from using the xmpphost variable instead of servername. I probably won't use your patch completely however, as this needs some more editing. My planning is to do this before the next version announcement (Thursday the 9th of July).

[drwetter]

Hi Peter,.

cool! Take your time.

WRT to my patch: I am using it the binaries from my PR in testssl.sh and it works at least -- but do whatever you feel it's the best.

Cheers, Dirk

PS: Curious about the vulnerability in the next version...

[PeterMosmans]

Thanks for your contribution @drwetter, much appreciated :) I merged the repository with the latest version of openssl 1.0.2d, and the vulnerability CVE-2015-1793 is fixed. The fork is up to date (I re-added support for DH parameters < 768)

[drwetter]

cool, thx for your great work!