Force SNI to be the --xmpphost if passed
XMPP can be used with SNI in two contexts: - Standard RFC 6120 STARTTLS-based connections; in that case, SNI is most likely to be ignored, as XMPP uses another way to signal the target domain name (via the @to attribute on the stream header, which is already set correctly by testssl.sh). However, setting SNI to a different value than the @to attribute may lead to confusion. - XEP-0368 (XMPP-over-TLS) connections which omit the STARTTLS phase and go right for TLS (and inside that, XMPP). In that case, SNI is obviously required to be correct. XEP-0368 specifies that the SNI name MUST be the domain name of the service (not necessarily the host name of the endpoint, thanks to SRV records). Hence, this patch forces the SNI name to be the --xmpphost value, if --xmpphost is given. Note that it blatantly ignores whether XMPP is used otherwise.
This commit is contained in:
parent
b4c9437e95
commit
769837bdaf
17
testssl.sh
17
testssl.sh
@ -4522,10 +4522,11 @@ modify_clienthello() {
# the SNI extension or replace it with the correct server name.
sni_extension_found=true
if [[ -n "$SNI" ]]; then
servername=${XMPP_HOST:-${NODE}}
# Create a server name extension that corresponds to $SNI
len_servername=${#NODE}
len_servername=${#servername}
hexdump_format_str="$len_servername/1 \"%02x\""
servername_hexstr=$(printf $NODE | hexdump -v -e "${hexdump_format_str}")
servername_hexstr=$(printf $servername | hexdump -v -e "${hexdump_format_str}")
# convert lengths we need to fill in from dec to hex:
len_servername_hex=$(printf "%02x\n" $len_servername)
len_sni_listlen=$(printf "%02x\n" $((len_servername+3)))
@ -14514,9 +14515,10 @@ prepare_tls_clienthello() {
#00 # server_name type (hostname)
#00 15 # server_name length
#66 66 66 66 66 66 2e 66 66 66 66 66 66 66 66 66 66 2e 66 66 66 target.mydomain1.tld # server_name target
len_servername=${#NODE}
servername=${XMPP_HOST:-${NODE}}
len_servername=${#servername}
hexdump_format_str="$len_servername/1 \"%02x,\""
servername_hexstr=$(printf $NODE | hexdump -v -e "${hexdump_format_str}" | sed 's/,$//')
servername_hexstr=$(printf $servername | hexdump -v -e "${hexdump_format_str}" | sed 's/,$//')
# convert lengths we need to fill in from dec to hex:
len_servername_hex=$(printf "%02x\n" $len_servername)
len_sni_listlen=$(printf "%02x\n" $((len_servername+3)))
@ -19710,7 +19712,12 @@ parse_hn_port() {
fi
|
debugme echo $NODE:$PORT
SNI="-servername $NODE"
if [[ -n "$XMPP_HOST" ]]; then
# XMPP host is set, force SNI to be that
SNI="-servername $XMPP_HOST"
else
SNI="-servername $NODE"
fi
URL_PATH=$(sed 's/https:\/\///' <<< "$1" | sed 's/'"${NODE}"'//' | sed 's/.*'"${PORT}"'//') # remove protocol and node part and port
URL_PATH=$(sed 's/\/\//\//g' <<< "$URL_PATH") # we rather want // -> /
URL_PATH=${URL_PATH%%.} # strip trailing "." so that it is not interpreted as URL
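Review bot: In the modify_clienthello and prepare_tls_clienthello hunks the new `servername` value, which now comes from the user-supplied --xmpphost, is still handed to printf unquoted and as its format string (`printf $servername | hexdump …`), so a name containing `%`, whitespace or glob characters is interpreted or split instead of being hex-encoded; the replaced `$NODE` form had the same weakness, but this change routes a second input through it. Both lines should read `servername_hexstr=$(printf '%s' "$servername" | hexdump -v -e "${hexdump_format_str}")`, keeping the `| sed 's/,$//'` tail in prepare_tls_clienthello. `${#servername}` also counts characters while hexdump emits bytes, so a non-ASCII name would presumably make the encoded length fields disagree with the payload; if --xmpphost is expected to be an A-label, a comment such as `# XMPP_HOST/NODE are assumed to be ASCII (A-label) names; ${#} counts characters, hexdump counts bytes` would make that assumption explicit. All three enclosing functions begin and end outside their hunks.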