Description of problem: The openssl starttls support for XMPP only recognises the starttls information in XML data stream from the XMPP server by scanning for the string <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls' but in XML attribute values are contained within either single quotes or double quotes. The current code does not pick up on <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls" and thus incorrectly reports "no peer certificate available" if the server happens to be using double quotes. Version-Release number of selected component (if applicable): openssl-1.0.0a-1.fc14.x86_64 How reproducible: 100% Steps to Reproduce: 1. Identify an XMPP server that supports starttls and that uses double quotes around the attribute value urn:ietf:params:xml:ns:xmpp-tls , say chat.corp.redhat.com 2. Use openssl s_client to connect to it: $ openssl s_client -starttls xmpp -connect chat.corp.redhat.com:5222 Actual results: $ openssl s_client -starttls xmpp -connect chat.corp.redhat.com:5222 CONNECTED(00000003) --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 413 bytes and written 125 bytes --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE --- A network trace of this, decoded: <stream:stream xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:client' to='chat.corp.redhat.com' version='1.0'><?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="redhat.com" id="8f3ea6aa" xml:lang="en" version="1.0"><stream:features><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>GSSAPI</mechanism><mechanism>PLAIN</mechanism></mechanisms></stream:features> i.e. ending with a "</stream:features>" from the server. Expected results: openssl s_client -starttls xmpp -connect chat.corp.redhat.com:5222 CONNECTED(00000003) without a "no peer certificate available" message. A network trace of this, decoded: <stream:stream xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:client' to='chat.corp.redhat.com' version='1.0'><?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="redhat.com" id="2e0418a9" xml:lang="en" version="1.0"><stream:features><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>GSSAPI</mechanism><mechanism>PLAIN</mechanism></mechanisms></stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/><proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>........... i.e. the client responds with a "<starttls" after receiving "</stream:features>" from the server. Additional info: -
This bug appears to have been reported against 'rawhide' during the Fedora 14 development cycle. Changing version to '14'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Created attachment 513537 [details] Proposed patch
This issue is still reproducible with current rawhide (openssl-1.0.0d-5.fc16.x86_64). I have attached a patch that fixes it in my testing. If you agree with it, please propose it for upstream inclusion.
Yes, that seems correct. I'll add it to the current rawhide and submit it to upstream tracker.