Closed drwetter closed 9 years ago
Thanks for the pull request Dirk - however it seems that this is already implemented :smile:
Have you tried -servername?
openssl s_client -connect talk.google.com:5222 -starttls xmpp -servername gmail.com
On the other hand I prefer it if this fork aligns as much as possible to the official master branch. I'll keep you posted...
On 07/07/2015 at 12:39 AM, Peter Mosmans wrote:
> Thanks for the pull request Dirk - however it seems that this is already implemented :smile: Have you tried -servername?
Oh! ok... I haven't tried at all -servername as it is for me the switch for SNI.
> openssl s_client -connect talk.google.com:5222 -starttls xmpp -servername gmail.com
> On the other hand I prefer it if this fork aligns as much as possible to the official master branch. I'll keep you posted...
Both would be great ;-)
I haven't found this patch in the git repo of vanilla openssl though: https://mta.openssl.org/pipermail/openssl-commits/2015-April/000947.html .
My 2 cents: Taking into consideration the old patch (I applied), the new one above and the name conflict, xmpphost would make more sense to me.
Cheers, Dirk
I thought after your mail to go ahead and change testssl.sh to also add -servername as an option of this.
However a test (XMPP, STARTTLS) with a vanilla version of openssl stalled. It interprets that as SNI. So I think that switch, because of its ambiguity, is kind of problematic also.
Cheers, Dirk
Hi Dirk,
Thanks for your feedback. I totally agree on the ambiguity part and will implement the change from using the xmpphost variable instead of servername. I probably won't use your patch completely however, as this needs some more editing.
My planning is to do this before the next version announcement (Thursday the 9th of July).
Hi Peter,
cool! Take your time.
WRT my patch: I am using the binaries from my PR in testssl.sh and it works at least -- but do whatever you feel is best.
Cheers, Dirk
PS: Curious about the vulnerability in the next version...
Thanks for your contribution @drwetter, much appreciated :) I merged the repository with the latest version of openssl 1.0.2d, and the vulnerability CVE-2015-1793 is fixed. The fork is up to date (I re-added support for DH parameters < 768)
cool, thx for your great work!
Hi Peter,
Jabber needs on a protocol level a hostname:
Doesn't work:
openssl s_client -connect talk.google.com:5222 -starttls xmpp
DOES work:
openssl s_client -connect talk.google.com:5222 -starttls xmpp -xmpphost gmail.com
(probably not very good example as google's IM is not anymore XMPP compatible as I've heard)
This patch adds the option -xmpphost <hostname>.
Source: http://t126982.encryption-openssl-cvs.encryptiontalk.info/openssl-source-code-branch-master-updated-d2625fd65772ce3de2563e648decd2d1074fd873-t126982.html . Newer branch: https://mta.openssl.org/pipermail/openssl-commits/2015-April/000947.html .
Cheers, Dirk
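The two hostnames discussed in this thread, as an added example (not code from the PR, the fork or OpenSSL): the XMPP domain travels in the cleartext stream header's `to` attribute before STARTTLS, while SNI is sent later in the TLS ClientHello. Function names and the sample server reply are constructed for illustration; the stream syntax follows RFC 6120.

```python
import socket
import ssl
from xml.sax.saxutils import quoteattr

XMPP_TLS_NS = b"urn:ietf:params:xml:ns:xmpp-tls"

# Constructed server reply, for offline illustration only.
SAMPLE_FEATURES = (b"<stream:stream from='example.org' version='1.0'>"
                   b"<stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"
                   b"</stream:features>")

def stream_header(xmpp_domain):
    """Cleartext stream opening (RFC 6120); 'to' names the XMPP domain."""
    return ("<stream:stream xmlns='jabber:client' "
            "xmlns:stream='http://etherx.jabber.org/streams' "
            f"to={quoteattr(xmpp_domain)} version='1.0'>").encode()

def offers_starttls(reply):
    """True if the server's stream features advertise STARTTLS."""
    return b"<starttls" in reply and XMPP_TLS_NS in reply

def may_proceed(reply):
    """True if the server answered <starttls/> with <proceed/>."""
    return b"<proceed" in reply and XMPP_TLS_NS in reply

def read_until(sock, marker, limit=65536):
    """Read until marker shows up, the peer closes, or limit is reached."""
    buf = b""
    while marker not in buf and len(buf) < limit:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf

def xmpp_starttls(host, port, xmpp_domain, sni=None, timeout=10):
    """Return (TLS version, cipher). xmpp_domain goes into the stream
    header; sni (default: xmpp_domain) goes into the TLS ClientHello."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(stream_header(xmpp_domain))
        if not offers_starttls(read_until(raw, b"</stream:features>")):
            raise RuntimeError("no STARTTLS offered (check the 'to' domain)")
        raw.sendall(b"<starttls xmlns='" + XMPP_TLS_NS + b"'/>")
        if not may_proceed(read_until(raw, b">")):
            raise RuntimeError("server refused STARTTLS")
        with ctx.wrap_socket(raw, server_hostname=sni or xmpp_domain) as tls:
            return tls.version(), tls.cipher()[0]
```

Calling `xmpp_starttls("talk.google.com", 5222, "gmail.com")` corresponds to the `-xmpphost gmail.com` invocation above; passing `sni=` separately shows that the two values are independent.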