Merge pull request #1601 from drwetter/xmpp_server_polish

STARTTLS xmpp-server polish
2025-01-31 04:41:15 +01:00 · 2020-05-02 19:41:24 +02:00 · 2020-05-02 19:41:24 +02:00 · 8e6c80ffba
commit 8e6c80ffba
parent 2b174821e4 7981a238a5
7 changed files with 24 additions and 5 deletions
--- a/.travis.yml
+++ b/.travis.yml
@ -1,4 +1,5 @@
 language: perl
+dist: bionic
 perl:
   - "5.26"
 addons:
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -13,6 +13,7 @@
 * Several display/output fixes
 * Security fix: DNS input
 * Don't use external pwd anymore
+* STARTTLS: XMPP server support
 * Rating (SSL Labs, not complete)

 ### Features implemented / improvements in 3.0
--- a/CREDITS.md
+++ b/CREDITS.md
@ -143,6 +143,9 @@ Full contribution, see git log.
 * Dmitri S
  - inspiration & help for Darwin port

+* Jonas Schäfer
+  - XMPP server patch
+
 * Marcin Szychowski
  - Quick'n'dirty client certificate support

--- a/doc/testssl.1.html
+++ b/doc/testssl.1.html
@ -189,7 +189,7 @@ The same can be achieved by setting the environment variable <code>WARNINGS</cod

 <h3 id="SPECIAL-INVOCATIONS">SPECIAL INVOCATIONS</h3>

-<p><code>-t &lt;protocol>, --starttls &lt;protocol></code>    does a default run against a STARTTLS enabled <code>protocol</code>. <code>protocol</code> must be one of <code>ftp</code>, <code>smtp</code>,  <code>pop3</code>, <code>imap</code>, <code>xmpp</code>, <code>telnet</code>, <code>ldap</code>, <code>irc</code>, <code>lmtp</code>, <code>nntp</code>, <code>postgres</code>, <code>mysql</code>. For the latter four you need e.g. the supplied OpenSSL or OpenSSL version 1.1.1. Please note: MongoDB doesn't offer a STARTTLS connection, LDAP currently only works with <code>--ssl-native</code>. <code>telnet</code> and <code>irc</code> is WIP.</p>
+<p><code>-t &lt;protocol>, --starttls &lt;protocol></code>    does a default run against a STARTTLS enabled <code>protocol</code>. <code>protocol</code> must be one of <code>ftp</code>, <code>smtp</code>,  <code>pop3</code>, <code>imap</code>, <code>xmpp</code>,<code>xmpp-server<code>, <code>telnet</code>, <code>ldap</code>, <code>irc</code>, <code>lmtp</code>, <code>nntp</code>, <code>postgres</code>, <code>mysql</code>. For the latter four you need e.g. the supplied OpenSSL or OpenSSL version 1.1.1. Please note: MongoDB doesn't offer a STARTTLS connection, LDAP currently only works with <code>--ssl-native</code>. <code>telnet</code> and <code>irc</code> is WIP.</p>

 <p><code>--xmpphost &lt;jabber_domain></code> is an additional option for STARTTLS enabled XMPP: It expects the jabber domain as a parameter. This is only needed if the domain is different from the URI supplied.</p>

--- a/doc/testssl.1.md
+++ b/doc/testssl.1.md
@ -113,7 +113,7 @@ The same can be achieved by setting the environment variable `WARNINGS`.

 ### SPECIAL INVOCATIONS

-`-t <protocol>, --starttls <protocol>`    does a default run against a STARTTLS enabled `protocol`. `protocol` must be one of `ftp`, `smtp`,  `pop3`, `imap`, `xmpp`, `telnet`, `ldap`, `irc`, `lmtp`, `nntp`, `postgres`, `mysql`. For the latter four you need e.g. the supplied OpenSSL or OpenSSL version 1.1.1. Please note: MongoDB doesn't offer a STARTTLS connection, LDAP currently only works with `--ssl-native`. `telnet` and `irc` is WIP.
+`-t <protocol>, --starttls <protocol>`    does a default run against a STARTTLS enabled `protocol`. `protocol` must be one of `ftp`, `smtp`,  `pop3`, `imap`, `xmpp`, `xmpp-server`, `telnet`, `ldap`, `irc`, `lmtp`, `nntp`, `postgres`, `mysql`. For the latter four you need e.g. the supplied OpenSSL or OpenSSL version 1.1.1. Please note: MongoDB doesn't offer a STARTTLS connection, LDAP currently only works with `--ssl-native`. `telnet` and `irc` is WIP.

 `--xmpphost <jabber_domain>` is an additional option for STARTTLS enabled XMPP: It expects the jabber domain as a parameter. This is only needed if the domain is different from the URI supplied.

--- a/t/25_baseline_starttls.t
+++ b/t/25_baseline_starttls.t
@ -99,6 +99,13 @@ $openssl_out = `./testssl.sh --ssl-native $check2run -t xmpp $uri 2>&1`;
 unlike($openssl_out, qr/$openssl_regex_bl/, "");
 $tests++;

+# $uri="jabber.ccc.de:5269";
+# printf "\n%s\n", "Quick STARTTLS XMPP S2S unit tests via sockets --> $uri ...";
+# $openssl_out = `./testssl.sh --openssl=/usr/bin/openssl -p $check2run -t xmpp-server $uri 2>&1`;
+# # $openssl_json = json('tmp.json');
+# unlike($openssl_out, qr/$openssl_regex_bl/, "");
+# $tests++;
+

 $uri="ldap.uni-rostock.de:21";

--- a/testssl.sh
+++ b/testssl.sh
@ -317,6 +317,7 @@ HAS_NPN=false
 HAS_FALLBACK_SCSV=false
 HAS_PROXY=false
 HAS_XMPP=false
+HAS_XMPP_SERVER=false
 HAS_POSTGRES=false
 HAS_MYSQL=false
 HAS_LMTP=false
@ -5181,7 +5182,6 @@ run_protocols() {
               5)   prln_svrty_high "CVE-2015-3197: $supported_no_ciph2";
                    fileout "$jsonID" "HIGH" "offered, no cipher" "CVE-2015-3197" "CWE-310"
                    add_proto_offered ssl2 yes
-                    add_tls_offered ssl2 yes
                    set_grade_cap "F" "SSLv2 is offered"
                    ;;
               7)   prln_local_problem "$OPENSSL doesn't support \"s_client -ssl2\""
@ -5210,7 +5210,6 @@ run_protocols() {
                    latest_supported_string="SSLv3"
               fi
               add_proto_offered ssl3 yes
-               add_tls_offered ssl3 yes
               set_grade_cap "B" "SSLv3 is offered"
               ;;
          1)   prln_svrty_best "not offered (OK)"
@ -18214,6 +18213,7 @@ find_openssl_binary() {
     HAS_FALLBACK_SCSV=false
     HAS_PROXY=false
     HAS_XMPP=false
+     HAS_XMPP_SERVER=false
     HAS_POSTGRES=false
     HAS_MYSQL=false
     HAS_LMTP=false
@ -18298,9 +18298,12 @@ find_openssl_binary() {
     grep -q '\-proxy' $s_client_has && \
          HAS_PROXY=true

-     grep -q '\-xmpp' $s_client_has && \
+     grep -q 'xmpp' $s_client_starttls_has && \
          HAS_XMPP=true

+     grep -q 'xmpp-server' $s_client_starttls_has && \
+          HAS_XMPP_SERVER=true
+
     grep -q 'postgres' $s_client_starttls_has && \
          HAS_POSTGRES=true

@ -18623,6 +18626,7 @@ HAS_PKEY: $HAS_PKEY
 HAS_PKUTIL: $HAS_PKUTIL
 HAS_PROXY: $HAS_PROXY
 HAS_XMPP: $HAS_XMPP
+HAS_XMPP_SERVER: $HAS_XMPP_SERVER
 HAS_POSTGRES: $HAS_POSTGRES
 HAS_MYSQL: $HAS_MYSQL
 HAS_LMTP: $HAS_LMTP
@ -19811,6 +19815,9 @@ determine_service() {
                                   fi
                              fi
                         fi
+                         if [[ "$protocol" == xmpp-server ]] && ! "$HAS_XMPP_SERVER"; then
+                              fatal "Your $OPENSSL does not support the \"-xmpphost\" option" $ERR_OSSLBIN
+                         fi
                    elif [[ "$protocol" == postgres ]]; then
                         # Check if openssl version supports postgres.
                         if ! "$HAS_POSTGRES"; then