s_client doesn't recognise XMPP STARTTLS messages with double quotes

Bug #1420608 reported by Hristo Erinin
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
OpenSSL | Fix Released | Unknown | |
openssl (Ubuntu) | Fix Released | Medium | Unassigned |

Bug Description

OpenSSL s_client does not recognise the XML produced by some Jabber servers (e.g. OpenFire). The parameter values use double (") instead of single quotes (') and s_client is too conservative in its string-parsing routine.

To demonstrate the problem I used one of the public XMPP servers running OpenFire 3.9.3:

openssl s_client -connect jabber.rootbash.com:5222 -starttls xmpp -debug
CONNECTED(00000003)
write to 0x1124c10 [0x7fffdf2d49c0] (124 bytes => 124 (0x7C))
0000 - 3c 73 74 72 65 61 6d 3a-73 74 72 65 61 6d 20 78 <stream:stream x
0010 - 6d 6c 6e 73 3a 73 74 72-65 61 6d 3d 27 68 74 74 mlns:stream='htt
0020 - 70 3a 2f 2f 65 74 68 65-72 78 2e 6a 61 62 62 65 p://etherx.jabbe
0030 - 72 2e 6f 72 67 2f 73 74-72 65 61 6d 73 27 20 78 r.org/streams' x
0040 - 6d 6c 6e 73 3d 27 6a 61-62 62 65 72 3a 63 6c 69 mlns='jabber:cli
0050 - 65 6e 74 27 20 74 6f 3d-27 6a 61 62 62 65 72 2e ent' to='jabber.
0060 - 72 6f 6f 74 62 61 73 68-2e 63 6f 6d 27 20 76 65 rootbash.com' ve
0070 - 72 73 69 6f 6e 3d 27 31-2e 30 27 3e rsion='1.0'>
read from 0x1124c10 [0x1118800] (8192 bytes => 192 (0xC0))
0000 - 3c 3f 78 6d 6c 20 76 65-72 73 69 6f 6e 3d 27 31 <?xml version='1
0010 - 2e 30 27 20 65 6e 63 6f-64 69 6e 67 3d 27 55 54 .0' encoding='UT
0020 - 46 2d 38 27 3f 3e 3c 73-74 72 65 61 6d 3a 73 74 F-8'?><stream:st
0030 - 72 65 61 6d 20 78 6d 6c-6e 73 3a 73 74 72 65 61 ream xmlns:strea
0040 - 6d 3d 22 68 74 74 70 3a-2f 2f 65 74 68 65 72 78 m="http://etherx
0050 - 2e 6a 61 62 62 65 72 2e-6f 72 67 2f 73 74 72 65 .jabber.org/stre
0060 - 61 6d 73 22 20 78 6d 6c-6e 73 3d 22 6a 61 62 62 ams" xmlns="jabb
0070 - 65 72 3a 63 6c 69 65 6e-74 22 20 66 72 6f 6d 3d er:client" from=
0080 - 22 6a 61 62 62 65 72 2e-72 6f 6f 74 62 61 73 68 "jabber.rootbash
0090 - 2e 63 6f 6d 22 20 69 64-3d 22 61 39 64 33 30 61 .com" id="a9d30a
00a0 - 34 32 22 20 78 6d 6c 3a-6c 61 6e 67 3d 22 65 6e 42" xml:lang="en
00b0 - 22 20 76 65 72 73 69 6f-6e 3d 22 31 2e 30 22 3e " version="1.0">
read from 0x1124c10 [0x1118800] (8192 bytes => 428 (0x1AC))
0000 - 3c 73 74 72 65 61 6d 3a-66 65 61 74 75 72 65 73 <stream:features
0010 - 3e 3c 73 74 61 72 74 74-6c 73 20 78 6d 6c 6e 73 ><starttls xmlns
0020 - 3d 22 75 72 6e 3a 69 65-74 66 3a 70 61 72 61 6d ="urn:ietf:param
0030 - 73 3a 78 6d 6c 3a 6e 73-3a 78 6d 70 70 2d 74 6c s:xml:ns:xmpp-tl
0040 - 73 22 3e 3c 2f 73 74 61-72 74 74 6c 73 3e 3c 6d s"></starttls><m
0050 - 65 63 68 61 6e 69 73 6d-73 20 78 6d 6c 6e 73 3d echanisms xmlns=
0060 - 22 75 72 6e 3a 69 65 74-66 3a 70 61 72 61 6d 73 "urn:ietf:params
0070 - 3a 78 6d 6c 3a 6e 73 3a-78 6d 70 70 2d 73 61 73 :xml:ns:xmpp-sas
0080 - 6c 22 3e 3c 6d 65 63 68-61 6e 69 73 6d 3e 44 49 l"><mechanism>DI
0090 - 47 45 53 54 2d 4d 44 35-3c 2f 6d 65 63 68 61 6e GEST-MD5</mechan
00a0 - 69 73 6d 3e 3c 6d 65 63-68 61 6e 69 73 6d 3e 50 ism><mechanism>P
00b0 - 4c 41 49 4e 3c 2f 6d 65-63 68 61 6e 69 73 6d 3e LAIN</mechanism>
00c0 - 3c 6d 65 63 68 61 6e 69-73 6d 3e 41 4e 4f 4e 59 <mechanism>ANONY
00d0 - 4d 4f 55 53 3c 2f 6d 65-63 68 61 6e 69 73 6d 3e MOUS</mechanism>
00e0 - 3c 6d 65 63 68 61 6e 69-73 6d 3e 43 52 41 4d 2d <mechanism>CRAM-
00f0 - 4d 44 35 3c 2f 6d 65 63-68 61 6e 69 73 6d 3e 3c MD5</mechanism><
0100 - 2f 6d 65 63 68 61 6e 69-73 6d 73 3e 3c 63 6f 6d /mechanisms><com
0110 - 70 72 65 73 73 69 6f 6e-20 78 6d 6c 6e 73 3d 22 pression xmlns="
0120 - 68 74 74 70 3a 2f 2f 6a-61 62 62 65 72 2e 6f 72 http://jabber.or
0130 - 67 2f 66 65 61 74 75 72-65 73 2f 63 6f 6d 70 72 g/features/compr
0140 - 65 73 73 22 3e 3c 6d 65-74 68 6f 64 3e 7a 6c 69 ess"><method>zli
0150 - 62 3c 2f 6d 65 74 68 6f-64 3e 3c 2f 63 6f 6d 70 b</method></comp
0160 - 72 65 73 73 69 6f 6e 3e-3c 61 75 74 68 20 78 6d ression><auth xm
0170 - 6c 6e 73 3d 22 68 74 74-70 3a 2f 2f 6a 61 62 62 lns="http://jabb
0180 - 65 72 2e 6f 72 67 2f 66-65 61 74 75 72 65 73 2f er.org/features/
0190 - 69 71 2d 61 75 74 68 22-2f 3e 3c 2f 73 74 72 65 iq-auth"/></stre
01a0 - 61 6d 3a 66 65 61 74 75-72 65 73 3e am:features>
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 620 bytes and written 124 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

The "no peer certificate available" message is incorrect; it appears because s_client doesn't correctly recognise the response from the remote server.

The problem comes from the hard-coded string that s_client is looking for during communication with the remote server here:
https://github.com/openssl/openssl/blob/OpenSSL_1_0_1-stable/apps/s_client.c#L1461 - the utility expects only a single-quoted string, while the standard also allows the use of double quotes.

There is a bug report and a series of patches for various XMPP-related bugs submitted in the OpenSSL RT bug tracker https://rt.openssl.org/Ticket/Display.html?id=2860&user=guest&pass=guest (and more specifically for this problem - https://rt.openssl.org/Ticket/Display.html?id=2860#txn-34620). This issue has been fixed in the upstream Git repository in the master branch (https://github.com/openssl/openssl/blob/fbf08b79ff33110c242849e836aeb494bc03a132/apps/s_client.c#L1620).

Please consider including these patches.

Also, please update the man page for s_client; it is for a previous version of the utility and doesn't mention STARTTLS XMPP support at all.

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: openssl 1.0.1f-1ubuntu2.8
ProcVersionSignature: Ubuntu 3.13.0-45.74-generic 3.13.11-ckt13
Uname: Linux 3.13.0-45-generic x86_64
NonfreeKernelModules: wl
ApportVersion: 2.14.1-0ubuntu3.6
Architecture: amd64
CurrentDesktop: Unity
Date: Tue Feb 10 21:59:30 2015
InstallationDate: Installed on 2014-07-07 (218 days ago)
InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Release amd64 (20140417)
SourcePackage: openssl
UpgradeStatus: No upgrade log present (probably fresh install)
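
The matching problem described in the report, as an added C example (not OpenSSL's own code and not the upstream patch): a fixed single-quoted substring search misses the double-quoted starttls element seen in the dump, while a check that accepts either XML quote character finds it. The function names and sample strings are constructed for illustration, and the tolerant check assumes xmlns is the first attribute of the element.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define XMPP_TLS_NS "urn:ietf:params:xml:ns:xmpp-tls"

/* Constructed samples modelled on the <stream:features> reply in the report. */
static const char DQ_FEATURES[] =
    "<stream:features><starttls xmlns=\"" XMPP_TLS_NS "\"></starttls></stream:features>";
static const char SQ_FEATURES[] =
    "<stream:features><starttls xmlns='" XMPP_TLS_NS "'/></stream:features>";

/* Brittle check: matches only the single-quoted spelling of the attribute. */
static int starttls_strict(const char *buf)
{
    return strstr(buf, "<starttls xmlns='" XMPP_TLS_NS "'") != NULL;
}

/* Tolerant check: locate <starttls, accept xmlns= delimited by ' or " (both
 * are valid XML), and require the same quote to close the exact namespace. */
static int starttls_tolerant(const char *buf)
{
    const char *p = buf;
    size_t nslen = strlen(XMPP_TLS_NS);

    while ((p = strstr(p, "<starttls")) != NULL) {
        p += strlen("<starttls");
        if (!isspace((unsigned char)*p)) continue;   /* other element name */
        while (isspace((unsigned char)*p)) p++;
        if (strncmp(p, "xmlns", 5) != 0) continue;
        p += 5;
        while (isspace((unsigned char)*p)) p++;
        if (*p != '=') continue;                     /* e.g. xmlns:prefix= */
        p++;
        while (isspace((unsigned char)*p)) p++;
        char q = *p;                                 /* opening quote */
        if (q != '\'' && q != '"') continue;
        if (strncmp(p + 1, XMPP_TLS_NS, nslen) == 0 && p[1 + nslen] == q)
            return 1;
    }
    return 0;
}

int main(void)
{
    printf("double-quoted: strict=%d tolerant=%d\n",
           starttls_strict(DQ_FEATURES), starttls_tolerant(DQ_FEATURES));
    printf("single-quoted: strict=%d tolerant=%d\n",
           starttls_strict(SQ_FEATURES), starttls_tolerant(SQ_FEATURES));
    return 0;
}
```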

Hristo Erinin (zorlem) wrote :

There is a similar bug report open in Red Hat's BugZilla - https://bugzilla.redhat.com/show_bug.cgi?id=608239 and it has been fixed in the openssl package included in Fedora Core 16 and CentOS since openssl-1.0.1e-23.el7.src.rpm - https://git.centos.org/blob/!!!!rpms!openssl.git/a5ef24ffb32f05cda7549bde8c2565250342fa4f/SOURCES!openssl-1.0.0d-xmpp-starttls.patch;jsessionid=14o35zzbs7w0suuc6ufvezi4n.

The patches in OpenSSL RT deal with https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/654493 as well.

Changed in openssl:
status: Unknown → New
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openssl (Ubuntu):
status: New → Confirmed
tags: added: vivid
Changed in openssl (Ubuntu):
importance: Undecided → Medium
Changed in openssl:
status: New → Fix Released
Adrien Nader (adrien) wrote :

I'm marking this bug as Fix Released for the openssl package too because we've incorporated this already and I can't reproduce the issue (I used conference.igniterealtime.org:5222 since the original testcase doesn't resolve anymore).

Changed in openssl (Ubuntu):
status: Confirmed → Fix Released