Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
Bug 1356178 - s_client hangs connecting to some hosts with XMPP STARTTLS
s_client hangs connecting to some hosts with XMPP STARTTLS
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: openssl (Show other bugs)
7.3
Unspecified Unspecified
low Severity medium
: rc
: ---
Assigned To: Tomas Mraz
Stefan Dordevic
: Reopened
Depends On: 1356176
Blocks:
  Show dependency treegraph
 
Reported: 2016-07-13 11:04 EDT by Alois Mahdal
Modified: 2017-08-01 14:16 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1356176
Environment:
Last Closed: 2017-08-01 14:16:10 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:1929 normal SHIPPED_LIVE openssl bug fix and enhancement update 2017-08-01 14:08:01 EDT

  None (edit)
Description Alois Mahdal 2016-07-13 11:04:40 EDT
+++ This bug was initially created as a clone of Bug #1356176 +++

Description of problem
======================

When s_client is used to connect to some XMPP hosts vira STARTTLS,
it will hang forever.  For example:

    openssl s_client -connect hektar.jabbim.cz:5222 -starttls xmpp

Turns out this has been already fixed in upstream some time ago:

    https://rt.openssl.org/Ticket/Display.html?id=2860

This ticket is to backport that change to Fedora/RHEL.


Version-Release number of selected component
============================================

openssl-1.0.1e-58.el7


How reproducible
================

Always (with certain host configurations)


Steps to Reproduce
==================

 1. for example:

        openssl s_client -connect hektar.jabbim.cz:5222 -starttls xmpp </dev/null


Actual results
==============

Client loops forever even though server tried to close the connection
(explanation from Hubert Kario).


Expected results
================

Client quits after server closes the connection.
Comment 1 Tomas Mraz 2017-04-03 10:27:56 EDT
I cannot reproduce it with openssl-1.0.2. So this seems to be handled by the rebase.

*** This bug has been marked as a duplicate of bug 1276310 ***
Comment 2 Alois Mahdal 2017-04-03 19:47:51 EDT
(In reply to Tomas Mraz from comment #1)
> I cannot reproduce it with openssl-1.0.2. So this seems to be handled by the
> rebase.

Just note that my steps above rely on server configuration which may have changed; I don't know details but I was not able to reproduce it with just any server, hektar.jabbim.cz was the only one I knew about, and it seems to be dead now:

    [0 root@qeos-184 ~]# rpm -q openssl
    openssl-1.0.1e-60.el7.x86_64
    [0 root@qeos-184 ~]# openssl s_client -connect hektar.jabbim.cz:5222 -starttls xmpp
    socket: Connection refused
    connect:errno=111
    [0 root@qeos-184 ~]# 

Newer openssl just gives different error:

    [0 root@qeos-180 ~]# rpm -q openssl
    openssl-1.0.2k-4.el7.x86_64
    [0 root@qeos-180 ~]# openssl s_client -connect hektar.jabbim.cz:5222 -starttls xmpp
    socket: Bad file descriptor
    connect:errno=9
    [0 root@qeos-180 ~]# 

Do you have alternate reproduction steps that leave the dead server out of the equation?
Comment 3 Alois Mahdal 2017-04-03 19:53:46 EDT
Forget it, I just found out that the bug is still reproducible with a new server Jabbim uses these days:

    [0 root@qeos-184 ~]# time timeout 10 openssl s_client -connect lb.jabb.im:5222 -starttls xmpp <.; echo $?
    CONNECTED(00000003)

    real	0m10.003s
    user	0m1.994s
    sys	0m7.798s
    124
    [0 root@qeos-184 ~]# 

...aaand the new openssl:

    [0 root@qeos-180 ~]# time timeout 10 openssl s_client -connect lb.jabb.im:5222 -starttls xmpp <.; echo $?
    CONNECTED(00000003)
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 298 bytes and written 115 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    ---

    real	0m0.241s
    user	0m0.010s
    sys	0m0.002s
    1
    [0 root@qeos-180 ~]#
Comment 11 errata-xmlrpc 2017-08-01 14:16:10 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1929

Note You need to log in before you can comment on or make changes to this bug.