From 769837bdaf8a21a754b8755960ad3da3e1549f99 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jonas=20Sch=C3=A4fer?= Date: Thu, 15 Oct 2020 21:54:38 +0200 Subject: [PATCH] Force SNI to be the --xmpphost if passed XMPP can be used with SNI in two contexts: - Standard RFC 6120 STARTTLS-based connections; in that case, SNI is most likely to be ignored, as XMPP uses another way to signal the target domain name (via the @to attribute on the stream header, which is already set correctly by testssl.sh). However, setting SNI to a different value than the @to attribute may lead to confusion. - XEP-0368 (XMPP-over-TLS) connections which omit the STARTTLS phase and go right for TLS (and inside that, XMPP). In that case, SNI is obviously required to be correct. XEP-0368 specifies that the SNI name MUST be the domain name of the service (not necessarily the host name of the endpoint, thanks to SRV records). Hence, this patch forces the SNI name to be the --xmpphost value, if --xmpphost is given. Note that it blatantly ignores whether XMPP is used otherwise. --- testssl.sh | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/testssl.sh b/testssl.sh index adb5401..af7ea83 100755 --- a/testssl.sh +++ b/testssl.sh @@ -4522,10 +4522,11 @@ modify_clienthello() { # the SNI extension or replace it with the correct server name. sni_extension_found=true if [[ -n "$SNI" ]]; then + servername=${XMPP_HOST:-${NODE}} # Create a server name extension that corresponds to $SNI - len_servername=${#NODE} + len_servername=${#servername} hexdump_format_str="$len_servername/1 \"%02x\"" - servername_hexstr=$(printf $NODE | hexdump -v -e "${hexdump_format_str}") + servername_hexstr=$(printf $servername | hexdump -v -e "${hexdump_format_str}") # convert lengths we need to fill in from dec to hex: len_servername_hex=$(printf "%02x\n" $len_servername) len_sni_listlen=$(printf "%02x\n" $((len_servername+3))) @@ -14514,9 +14515,10 @@ prepare_tls_clienthello() { #00 # server_name type (hostname) #00 15 # server_name length #66 66 66 66 66 66 2e 66 66 66 66 66 66 66 66 66 66 2e 66 66 66 target.mydomain1.tld # server_name target - len_servername=${#NODE} + servername=${XMPP_HOST:-${NODE}} + len_servername=${#servername} hexdump_format_str="$len_servername/1 \"%02x,\"" - servername_hexstr=$(printf $NODE | hexdump -v -e "${hexdump_format_str}" | sed 's/,$//') + servername_hexstr=$(printf $servername | hexdump -v -e "${hexdump_format_str}" | sed 's/,$//') # convert lengths we need to fill in from dec to hex: len_servername_hex=$(printf "%02x\n" $len_servername) len_sni_listlen=$(printf "%02x\n" $((len_servername+3))) @@ -19710,7 +19712,12 @@ parse_hn_port() { fi debugme echo $NODE:$PORT - SNI="-servername $NODE" + if [[ -n "$XMPP_HOST" ]]; then + # XMPP host is set, force SNI to be that + SNI="-servername $XMPP_HOST" + else + SNI="-servername $NODE" + fi URL_PATH=$(sed 's/https:\/\///' <<< "$1" | sed 's/'"${NODE}"'//' | sed 's/.*'"${PORT}"'//') # remove protocol and node part and port URL_PATH=$(sed 's/\/\//\//g' <<< "$URL_PATH") # we rather want // -> / URL_PATH=${URL_PATH%%.} # strip trailing "." so that it is not interpreted as URL