s_client seems to hang with -starttls xmpp #3980
Can you see if s_client is spinning while waiting for the server response? |
Looking at the code, it seems that the client is waiting for a success response, indefinitely. Possible error responses don't seem to be considered, at all. (side note: for the s2s protocol, the argument |
Errrr... I just tested a build of master, and it worked without hiccups, so errrr, going back to analysis and will open my big mouth later |
Ok, analysis done, it would seem that this could happen if the server didn't give any response at all, even to the first XML line openssl throws at it. May I suggest, as a test, to add the command line options
|
On Thu, 2017-07-20 at 15:22 +0000, Rich Salz wrote:
Can you see if s_client is spinning while waiting for the server
response?
If I add a -debug on there, I see a bunch of continuous output like
this:
```
read from 0x20f9170 [0x1ff2150] (8192 bytes => 0 (0x0))
read from 0x20f9170 [0x1ff2150] (8192 bytes => 0 (0x0))
read from 0x20f9170 [0x1ff2150] (8192 bytes => 0 (0x0))
```
So yeah, I'd describe that as "spinning".
|
Oh I should have mentioned this - this is |
Yes, that’s spinning ☺
The server sounds borked, sorry technical term.
|
Ah, 1.0.2 doesn't break out of the loop on a zero read, 1.1.0 and on does. Ok, that should be easy to fix. |
@richsalz The server does seem to function correctly - I am able to s2s with many other servers and a variety of users are connecting with a variety of clients. However, I maaaaay be using
I tried to use the |
Oh here's another interesting thing - does |
I do also happen to have a |
The following patch fixes the issue: diff --git a/apps/s_client.c b/apps/s_client.c
index 85c1b6b579..dc467994f8 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -1667,6 +1667,8 @@ int MAIN(int argc, char **argv)
if (strstr(mbuf, "/stream:features>"))
goto shut;
seen = BIO_read(sbio, mbuf, BUFSIZZ);
+ if (seen <= 0)
+ goto shut;
mbuf[seen] = 0;
}
BIO_printf(sbio, The reason you're successful on port 5222 is that it's the client port (i.e. c2s), which the 1.0.2 s_client speaks (and therefore doesn't get a zero read in the starttls handshake) |
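Review bot: The new `if (seen <= 0) goto shut;` exit is silent, so a user whose server ends the stream during the STARTTLS exchange gets no indication of why s_client stopped. Consider printing a short message to `bio_err` before the `goto shut`, saying the server closed or failed before `/stream:features>` was received. Placing the check ahead of `mbuf[seen] = 0;` also stops a negative return from being used as an index, which deserves a mention in the commit message. Separately, `strstr(mbuf, "/stream:features>")` only searches the most recent chunk, so a tag split across two `BIO_read` calls would not be matched; that predates this change but sits in the same loop.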
When an error occurs during the starttls handshake, s_client gets stuck looping around zero byte reads, because the server won't send anything more after its error tag. Shutting down on the first zero byte read fixes this. Fixes openssl#3980
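The zero-read spin discussed in this thread, reproduced as an added example that is not part of the issue or of OpenSSL's code. It assumes a plain `read()` on a `socketpair` in place of `BIO_read`; `wait_for_marker`, `run_case`, `spin_cap` and both server replies are constructed for illustration.

```c
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define BUFSZ 256
/* Constructed server replies (not captured traffic). */
static const char ERROR_REPLY[] = "<stream:error><host-unknown/></stream:error>";
static const char FEATURES_REPLY[] = "<stream:features><starttls/></stream:features>";

/* Returns 1 if marker was seen, 0 if the loop stopped on EOF/error (the fix),
 * -1 if spin_cap zero-byte reads piled up (stand-in for "hangs forever"). */
static int wait_for_marker(int fd, const char *marker, int stop_on_eof,
                           int spin_cap)
{
    char buf[BUFSZ + 1];            /* +1 so buf[seen] is always in bounds */
    int spins = 0;
    buf[0] = '\0';
    for (;;) {
        ssize_t seen;
        if (strstr(buf, marker) != NULL)
            return 1;
        seen = read(fd, buf, BUFSZ);
        if (seen <= 0) {
            if (stop_on_eof)
                return 0;           /* patched behaviour: leave the loop */
            if (++spins >= spin_cap)
                return -1;          /* unpatched loop would never return */
            seen = 0;               /* keep the index valid for the demo */
        }
        buf[seen] = '\0';
    }
}

/* Peer writes one reply and closes, like a server that stops after its error. */
static int run_case(const char *reply, int stop_on_eof)
{
    int sv[2], rc;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -2;
    rc = write(sv[1], reply, strlen(reply)) < 0 ? -2 : 0;
    close(sv[1]);
    if (rc == 0)
        rc = wait_for_marker(sv[0], "/stream:features>", stop_on_eof, 1000);
    close(sv[0]);
    return rc;
}

int main(void) { return run_case(ERROR_REPLY, 1) == 0 ? 0 : 1; }
```

With `stop_on_eof` set to 0 the error reply drives the loop to the spin cap, which is the behaviour the `-debug` output in this thread shows.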
I think there could be more going on than just the spinning - it's not so much the port 5222 thing as the servername bit - should the
This does work, but possibly only because of port forwarding on port 5222 (I don't have access to an external IPv6 host to test with at the moment):
Are my expectations around the |
Nope. It's like this; with
The 1.0.2 s_client reads from the server and tries to find
|
Now, that was for port 5269. You haven't told us what problems you're getting with port 5222. |
As far as I can tell, the issue is fixed and the fix will appear in the next 1.0.2 letter release (1.0.2m). How that will affect your Fedora installation, I cannot tell. |
@levitte As you noted, I was actually doing c2s on the c2s port. The issue I think that might remain is that the client isn't telling the server what host name it wants to connect to. xmpp is like http in that a single port can handle many domain names, and the client needs to request a domain name. So if the user's name is This is why my server is upset - the Fixing the spinning issue will help with the client hanging, but it still doesn't make it possible to check my server with the client since the client won't use the correct "vhost" upon connecting and the server will say that the requested host isn't valid. What do you think? I'd be happy to open a new issue about this if you like. |
Like I said earlier, |
Ah, the |
You're welcome! |
Backport from levitte@4f309de . "When an error occurs during the starttls handshake, s_client gets stuck looping around zero byte reads, because the server won't send anything more after its error tag. Shutting down on the first zero byte read fixes this. Fixes openssl#3980"
When I run s_client against my xmpp server (ejabberd), it seems to hang and does not print out the certificate info that I see when I connect to other types of servers (like http):
Other TLS checkers do seem to be OK with the servers I've tried, and clients and other servers also seem to approve of the connections so I think there might be something going on in s_client's xmpp code.
I also found someone talking about this in Debian's bug tracker:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=747469#5