Improve XMPP protocol support for starttls on s_client #2

clopez · 2013-05-27T22:38:29Z

I submit this patches time ago to the openssl mailing list but got not answer.
I have rebased the patches on top of current master and I'm retrying submitting it here with the hope that it will caught more attention.

This pull request fixes the support for XMPP on openssl s_client. A number of reports on Internet complain about this. Examples:

* Some XMPP Servers (OpenFire) use double quotes. * This makes s_client starttls work with this servers. * Tested with OpenFire servers from http://xmpp.net/ :: openssl s_client -connect coderollers.com:5222 -starttls xmpp

* When the host used in "-connect" is not what the remote XMPP server expects the server will return an error like this: <stream:error> <host-unknown xmlns='urn:ietf:params:xml:ns:xmpp-streams'/> </stream:error> * But the actual code will stay on the loop forever because the stop condition "/stream:features>" will never happen, * Make this more robust: The stop condition should be that BIO_read failed * Test if for example with :: openssl s_client -connect random.jabb3r.net:5222 -starttls xmpp

…npage

* Many XMPP servers are configured with multiple domains (virtual hosts) * In order to establish successfully the TLS connection you have to specify which virtual host you are trying to connect. * Test this, for example with :: * Fail: openssl s_client -connect talk.google.com:5222 -starttls xmpp * Works: openssl s_client -connect talk.google.com:5222 -starttls xmpp -xmpphost gmail.com

benlaurie · 2013-09-05T16:30:34Z

Merged.

(cherry picked from commit a74bee5)

Previous commit 7bb196a attempted to "fix" a problem with the way SSL_shutdown() behaved whilst in mid-handshake. The original behaviour had SSL_shutdown() return immediately having taken no action if called mid- handshake with a return value of 1 (meaning everything was shutdown successfully). In fact the shutdown has not been successful. Commit 7bb196a changed that to send a close_notify anyway and then return. This seems to be causing some problems for some applications so perhaps a better (much simpler) approach is revert to the previous behaviour (no attempt at a shutdown), but return -1 (meaning the shutdown was not successful). This also fixes a bug where SSL_shutdown always returns 0 when shutdown *very* early in the handshake (i.e. we are still using SSLv23_method). Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

Previous commit f73c737 attempted to "fix" a problem with the way SSL_shutdown() behaved whilst in mid-handshake. The original behaviour had SSL_shutdown() return immediately having taken no action if called mid- handshake with a return value of 1 (meaning everything was shutdown successfully). In fact the shutdown has not been successful. Commit f73c737 changed that to send a close_notify anyway and then return. This seems to be causing some problems for some applications so perhaps a better (much simpler) approach is revert to the previous behaviour (no attempt at a shutdown), but return -1 (meaning the shutdown was not successful). This also fixes a bug where SSL_shutdown always returns 0 when shutdown *very* early in the handshake (i.e. we are still using SSLv23_method). Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

Added functions to create, delete a set of cert/key and PKCS#12, which can be used to manage a lot of auth-client key sets. Revert some unnecessary changes Revert some unnecessary changes openssl#2 Pair-Bag total manage capability added to CA.pl

Patch-name: 0010-Add-changes-to-ectest-and-eccurve.patch Patch-id: 10 Patch-status: | # # Instead of replacing ectest.c and ec_curve.c, add the changes as a patch so # # that new modifications made to these files by upstream are not lost. From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce commit openssl#2: Patch-name: 0011-Remove-EC-curves.patch Patch-id: 11 Patch-status: | # # remove unsupported EC curves From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce

Here the undefined value "npa" passed to a function WPACKET_sub_memcpy_u16(pkt, npa, npalen). However the value is not really used, because "npalen" is zero, but the call statememt itself is considered an invalid operation by the new sanitizer. The original sanitizer error report was: ==49175==WARNING: MemorySanitizer: use-of-uninitialized-value #0 0x55a276b29d6f in tls_construct_stoc_next_proto_neg /home/runner/work/openssl/openssl/ssl/statem/extensions_srvr.c:1518:21 openssl#1 0x55a276b15d7d in tls_construct_extensions /home/runner/work/openssl/openssl/ssl/statem/extensions.c:909:15 openssl#2 0x55a276b513dc in tls_construct_server_hello /home/runner/work/openssl/openssl/ssl/statem/statem_srvr.c:2471:10 openssl#3 0x55a276b2e160 in write_state_machine /home/runner/work/openssl/openssl/ssl/statem/statem.c:896:26 openssl#4 0x55a276b2e160 in state_machine /home/runner/work/openssl/openssl/ssl/statem/statem.c:490:21 openssl#5 0x55a276b2f562 in ossl_statem_accept /home/runner/work/openssl/openssl/ssl/statem/statem.c:309:12 openssl#6 0x55a276a9f867 in SSL_do_handshake /home/runner/work/openssl/openssl/ssl/ssl_lib.c:4890:19 openssl#7 0x55a276a9f605 in SSL_accept /home/runner/work/openssl/openssl/ssl/ssl_lib.c:2169:12 openssl#8 0x55a276a3d4db in create_bare_ssl_connection /home/runner/work/openssl/openssl/test/helpers/ssltestlib.c:1281:24 openssl#9 0x55a276a3d7cb in create_ssl_connection /home/runner/work/openssl/openssl/test/helpers/ssltestlib.c:1350:10 openssl#10 0x55a276a64c0b in test_npn /home/runner/work/openssl/openssl/test/sslapitest.c:12266:14 openssl#11 0x55a276b9fc20 in run_tests /home/runner/work/openssl/openssl/test/testutil/driver.c:377:21 openssl#12 0x55a276ba0b10 in main /home/runner/work/openssl/openssl/test/testutil/main.c:31:15 Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#26269)

Patch-name: 0010-Add-changes-to-ectest-and-eccurve.patch Patch-id: 10 Patch-status: | # # Instead of replacing ectest.c and ec_curve.c, add the changes as a patch so # # that new modifications made to these files by upstream are not lost. From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce commit openssl#2: Patch-name: 0011-Remove-EC-curves.patch Patch-id: 11 Patch-status: | # # remove unsupported EC curves From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce

the self_test_digest_sig() test fails when EC PCT is enabled because ossl_ec_key_pairwise_check() consumes entropy when generator * priv_key = pub_key is calculated in EC_POINT_mul(). #0 RAND_priv_bytes_ex openssl#1 bnrand openssl#2 BN_priv_rand_ex openssl#3 ec_GF2m_simple_ladder_pre openssl#4 ec_point_ladder_pre openssl#5 ossl_ec_scalar_mul_ladder openssl#6 ec_GF2m_simple_points_mul openssl#7 EC_POINT_mul openssl#8 ossl_ec_key_pairwise_check which led to the different signature then expected in the ecdsa_prime_expected_sig. Moving set_kat_drbg() after the EVP_PKEY_fromdata() fixed the problem. Fixes openssl/project#1302 Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>

The new malloc failure test caught an asan error in this code: Direct leak of 40 byte(s) in 1 object(s) allocated from: 2025-08-07T03:22:20.3655117Z #0 0x7fb88d8fd9c7 in malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69 2025-08-07T03:22:20.3655796Z #1 0x5584f0e4670a in CRYPTO_malloc crypto/mem.c:211 2025-08-07T03:22:20.3656291Z #2 0x5584f0e4679d in CRYPTO_zalloc crypto/mem.c:231 2025-08-07T03:22:20.3657040Z #3 0x5584f11c4c10 in EVP_RAND_CTX_new crypto/evp/evp_rand.c:353 2025-08-07T03:22:20.3657656Z #4 0x5584f0e93b27 in rand_new_drbg crypto/rand/rand_lib.c:666 2025-08-07T03:22:20.3658289Z #5 0x5584f0e949d0 in rand_get0_public crypto/rand/rand_lib.c:843 2025-08-07T03:22:20.3658914Z #6 0x5584f0e9305b in RAND_bytes_ex crypto/rand/rand_lib.c:490 2025-08-07T03:22:20.3659486Z #7 0x5584f0b2405f in SSL_CTX_new_ex ssl/ssl_lib.c:4191 2025-08-07T03:22:20.3660183Z #8 0x5584f0ae313c in create_ssl_ctx_pair test/helpers/ssltestlib.c:958 2025-08-07T03:22:20.3660871Z #9 0x5584f0adeaf6 in do_handshake test/handshake-memfail.c:56 2025-08-07T03:22:20.3661539Z #10 0x5584f0adee50 in test_alloc_failures test/handshake-memfail.c:125 2025-08-07T03:22:20.3662161Z #11 0x5584f0cd9da8 in run_tests test/testutil/driver.c:342 2025-08-07T03:22:20.3662664Z #12 0x5584f0cda9e5 in main test/testutil/main.c:31 2025-08-07T03:22:20.3663450Z #13 0x7fb88d42a1c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 282c2c16e7b6600b0b22ea0c99010d2795752b5f) 2025-08-07T03:22:20.3664630Z #14 0x7fb88d42a28a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 282c2c16e7b6600b0b22ea0c99010d2795752b5f) 2025-08-07T03:22:20.3666608Z #15 0x5584f0ade864 in _start (/home/runner/work/openssl/openssl/test/handshake-memfail+0x22a864) (BuildId: 19659a44d8bed2c082918d25425f77e3a98df534) It occurs because when rand_get0_public/rand_get0_private sets an EVP_RAND_CTX object in its thread local storage, it neglects to check the return code of the operation, which may fail when the associated sparse array is expanded. fix it by checking the return code and failing the get0_[public|private] operation so the failure is graceful. Fixes openssl/project#1315 Reviewed-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from #28195)

Patch-name: 0010-Add-changes-to-ectest-and-eccurve.patch Patch-id: 10 Patch-status: | # # Instead of replacing ectest.c and ec_curve.c, add the changes as a patch so # # that new modifications made to these files by upstream are not lost. From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce commit openssl#2: Patch-name: 0011-Remove-EC-curves.patch Patch-id: 11 Patch-status: | # # remove unsupported EC curves From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce

Fix critical memory bug in ascon_aead128_dupctx causing double-free errors

Patch-name: 0010-Add-changes-to-ectest-and-eccurve.patch Patch-id: 10 Patch-status: | # # Instead of replacing ectest.c and ec_curve.c, add the changes as a patch so # # that new modifications made to these files by upstream are not lost. From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce commit openssl#2: Patch-name: 0011-Remove-EC-curves.patch Patch-id: 11 Patch-status: | # # remove unsupported EC curves From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce

clopez added 4 commits May 27, 2013 23:47

Fix XMPP code detection on s_client starttls xmpp

745fc28

* Some XMPP Servers (OpenFire) use double quotes. * This makes s_client starttls work with this servers. * Tested with OpenFire servers from http://xmpp.net/ :: openssl s_client -connect coderollers.com:5222 -starttls xmpp

Add "xmpp" to the list of supported starttls protocols on s_client ma…

097b069

…npage

benlaurie closed this Sep 5, 2013

snhenson pushed a commit that referenced this pull request Apr 8, 2014

VMS build fix #2.

a74bee5

snhenson pushed a commit that referenced this pull request Apr 8, 2014

VMS build fix #2.

6ef9d9b

(cherry picked from commit a74bee5)

Tatsuya-Nonogaki added a commit to Tatsuya-Nonogaki/openssl that referenced this pull request Mar 22, 2016

Revert some unnecessary changes openssl#2

7118e8c

elitetony mentioned this pull request Apr 27, 2016

openssl-1.1.0-pre5 OCSP_SINGLERESP_add1_ext_i2d add SCT data error #1001

Closed

oathupdate mentioned this pull request Apr 29, 2016

there is a core dump in openss 1.0.1 e #1010

Closed

tmshort mentioned this pull request May 13, 2016

Fix session ticket and SNI (1.0.2) #1065

Closed

elitetony mentioned this pull request Jun 13, 2016

openssl-1.1.0-pre5 coredumped #1205

Closed

ealloradai mentioned this pull request Jul 15, 2016

Strange behaviour of OpenSSL cms sign on large files #1302

Closed

tmshort mentioned this pull request Sep 27, 2016

Failed tests on OpenSSL 1.1.0b with enable-ec_nistp_64_gcc_128 and/or enable-ssl-trace #1623

Closed

glftpd mentioned this pull request Nov 12, 2016

openssl version command hangs with 1.1.0c and no-dso option #1899

Closed

kingcpro mentioned this pull request Nov 24, 2016

Core dump cased by libcrypto.so.1.0.2h (openssl-1.0.2h) #1995

Closed

rainerjung mentioned this pull request Mar 19, 2017

Crash in test during ossltest_destroy() for OpenSSL 1.1.0e on Linux x86_64. #2987

Closed

lyuboasenov mentioned this pull request Apr 26, 2017

X509_sign fails with segmentation fault #3315

Closed

fxdupont mentioned this pull request Jun 6, 2017

pkey_ecd_digestsign must check privkey #3618

Closed

eastyu mentioned this pull request Jun 17, 2017

SSL_CTX_new function call makes a segment fault #3706

Closed

lonewasp mentioned this pull request Jun 20, 2017

SIGSEGV in subcall from FIPS_drbg_generate() #3721

Closed

speedingdaemon mentioned this pull request Jul 14, 2017

Using OpenSSL with LKL's non-blocking sockets #3937

Closed

paulidale mentioned this pull request Jul 18, 2017

Rand seed #3956

Closed

caikun mentioned this pull request Jul 20, 2017

ssleay_rand_bytes get the Arithmetic exception crash #3978

Closed

tariq3103 mentioned this pull request Apr 28, 2025

79-test_http.t and 80-test_cmp_http.t fail on 3.0.16 #27517

Closed

AustrianSimon mentioned this pull request May 5, 2025

tls_client_method and sendmail/STARTTLS not working on a number of mail servers with TLS1.2 and TLS1.1 #27557

Open

wangzengliang123 mentioned this pull request May 16, 2025

When multiple engines are loaded, the last engine fails to be loaded, and only the destroy function of the first engine is invoked. #27633

Closed

npajkovsky mentioned this pull request Jul 29, 2025

Pairwise check for EC keys import as part of FIPS #28114

Closed

andrewkdinh added a commit to andrewkdinh/openssl that referenced this pull request Aug 5, 2025

Fix attempt openssl#2

ec252bf

andrewkdinh added a commit to andrewkdinh/openssl that referenced this pull request Aug 5, 2025

fixup! Fix attempt openssl#2

d124184

andrewkdinh added a commit to andrewkdinh/openssl that referenced this pull request Aug 6, 2025

fixup! fixup! Fix attempt openssl#2

d9e5687

Anveena mentioned this pull request Sep 10, 2025

QUIC: Double-free in error handling when connection reset with multiple connections #28501

Closed

nhorman mentioned this pull request Sep 24, 2025

Fix heap buffer overflow in krb5kdf #28656

Closed

Max-Deng-203 pushed a commit to Max-Deng-203/openssl that referenced this pull request Nov 23, 2025

Merge pull request openssl#2 from evil-cry/feature/sp-800-232

f0d5faa

Fix critical memory bug in ascon_aead128_dupctx causing double-free errors

lan1120 mentioned this pull request Jan 15, 2026

BIO_set_data() causes crash #29645

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Improve XMPP protocol support for starttls on s_client #2

Improve XMPP protocol support for starttls on s_client #2

Uh oh!

clopez commented May 27, 2013

Uh oh!

benlaurie commented Sep 5, 2013

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Uh oh!

Improve XMPP protocol support for starttls on s_client #2

Improve XMPP protocol support for starttls on s_client #2

Uh oh!

Conversation

clopez commented May 27, 2013

Uh oh!

benlaurie commented Sep 5, 2013

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants