I'm fairly certain this will be applied to 1.1.0 and not necessarily backported to 1.0.2, so this hack might be useful to some of you who want to test for the preservation of the SSLEngine optional Upgrade: TLS/1.0 behavior on trunk and 2.4.x branch...
---------- Forwarded message ----------
From: William A. Rowe Jr. via RT <r...@openssl.org>
Date: Tue, Nov 17, 2015 at 5:26 PM
Subject: [openssl-dev] [openssl.org #4145] Enhancement: patch to support s_client -starttls http
To:
Cc: openssl-...@openssl.org

RFC 2817 defines upgrading HTTP/1.1 to TLS (or SSL). Because Apache httpd supports Connection: Upgrade and Upgrade: TLS/1.x I've gone ahead and instrumented s_client to support this behavior (and noted a small optimization in the same logic stream for starttls support).

Attached is the patch to introduce this behavior. It is a bit crufty, but lacking a CUPS client that did connection upgrade to TLS, I needed something for testing and experimentation.

I don't know that there is a justification for implementing Upgrade: h2 since this is a binary protocol that is not conducive to terminal mode :)

Source licensed by me under the OpenSSL license at https://www.openssl.org/source/license.txt - don't see a need for a CLA, but email me privately if so.
diff --git a/apps/s_client.c b/apps/s_client.c index f80711f..4fe908d 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -403,7 +403,7 @@ static void sc_usage(void) BIO_printf(bio_err, " 'prot' defines which one to assume. Currently,\n"); BIO_printf(bio_err, - " only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n"); + " only \"smtp\", \"pop3\", \"imap\", \"ftp\", \"xmpp\" and \"http\"\n"); BIO_printf(bio_err, " are supported.\n"); #ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err, @@ -655,7 +655,8 @@ enum { PROTO_POP3, PROTO_IMAP, PROTO_FTP, - PROTO_XMPP + PROTO_XMPP, + PROTO_HTTP }; int MAIN(int, char **); @@ -1077,6 +1078,8 @@ int MAIN(int argc, char **argv) starttls_proto = PROTO_FTP; else if (strcmp(*argv, "xmpp") == 0) starttls_proto = PROTO_XMPP; + else if (strcmp(*argv, "http") == 0) + starttls_proto = PROTO_HTTP; else goto bad; } @@ -1632,8 +1635,7 @@ int MAIN(int argc, char **argv) BIO_free(fbio); BIO_printf(sbio, "AUTH TLS\r\n"); BIO_read(sbio, sbuf, BUFSIZZ); - } - if (starttls_proto == PROTO_XMPP) { + } else if (starttls_proto == PROTO_XMPP) { int seen = 0; BIO_printf(sbio, "<stream:stream " "xmlns:stream='http://etherx.jabber.org/streams' " 
@@ -1654,6 +1656,54 @@ int MAIN(int argc, char **argv) if (!strstr(sbuf, "<proceed")) goto shut; mbuf[0] = 0; + } else if (starttls_proto == PROTO_HTTP) { + int foundit = 0; + BIO *fbio = BIO_new(BIO_f_buffer()); + BIO_push(fbio, sbio); + BIO_printf(fbio, "OPTIONS * HTTP/1.1\r\n"); + BIO_printf(fbio, "Connection: Upgrade\r\n"); + BIO_printf(fbio, "Host: %s\r\n", host); + if (0) + ; /* to gracefully resume below... */ +#ifndef OPENSSL_NO_SSL2 + else if (meth == SSLv2_client_method()) + BIO_printf(fbio, "Upgrade: SSL/2.0\r\n"); +#endif +#ifndef OPENSSL_NO_SSL3_METHOD + else if (meth == SSLv3_client_method()) + BIO_printf(fbio, "Upgrade: SSL/3.0\r\n"); +#endif +#ifndef OPENSSL_NO_TLS1 + else if (meth = TLSv1_2_client_method()) + BIO_printf(fbio, "Upgrade: TLS/1.2\r\n"); + else if (meth = TLSv1_1_client_method()) + BIO_printf(fbio, "Upgrade: TLS/1.1\r\n"); + else if (meth = TLSv1_client_method()) + BIO_printf(fbio, "Upgrade: TLS/1.0\r\n"); +#endif + /* BIO_printf(fbio, "Upgrade: TLS/1.2,TLS/1.1,TLS/1.0\r\n"); + */ + BIO_printf(fbio, "User-Agent: s_client/%s OpenSSL/%s\r\n", + OPENSSL_VERSION_TEXT, SSLeay_version(SSLEAY_VERSION)); + BIO_printf(fbio, "\r\n"); + (void)BIO_flush(fbio); + /* wait for multi-line HTTP/1.1 101 Switching Protocols response */ + mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ); + BIO_printf(bio_err, "%s", mbuf); + if (strstr(mbuf, " 101 ")) + foundit = 1; + do { + mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ); + BIO_printf(bio_err, "%s", mbuf); + } + while (mbuf_len >= 2 && mbuf[0] != '\r' && mbuf[1] != '\n'); + (void)BIO_flush(fbio); + BIO_pop(fbio); + BIO_free(fbio); + if (!foundit) + BIO_printf(bio_err, + "Server response was not 101 Switching Protocols" + " try anyway...\n"); } for (;;) {
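Review bot: the usage hunk (sc_usage, the "only \"smtp\", \"pop3\", ... and \"http\"" line) adds the new keyword but does not say what it does; unlike the other protocols, "http" is not a STARTTLS-style command but an RFC 2817 connection upgrade (an OPTIONS * request carrying Connection: Upgrade and Upgrade: TLS/x.y), so a second usage line saying so would help, and the s_client manual page needs the same addition since the patch does not touch it.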
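Review bot: in the PROTO_HTTP hunk the TLS branch of the method chain uses assignment instead of comparison: `else if (meth = TLSv1_2_client_method())`, and the same on the TLSv1_1_client_method() and TLSv1_client_method() lines below it, so the first of them is always true, the method selected on the command line is silently replaced by TLSv1.2, and the request always says Upgrade: TLS/1.2; change all three to `==`, as the SSLv2 and SSLv3 branches already do. Smaller points in the same block: the result of the first BIO_gets() is passed to strstr() and BIO_printf() without checking mbuf_len > 0, so on an empty or closed connection an unset mbuf is searched and printed; the loop test `mbuf[0] != '\r' && mbuf[1] != '\n'` stops on any line whose second byte is '\n' rather than only on the blank CRLF line (`mbuf[0] != '\r' || mbuf[1] != '\n'` expresses the intent); `strstr(mbuf, " 101 ")` accepts a 101 that appears anywhere in the status line and rejects a status line with no reason phrase, and RFC 2817 requires the 101 response to carry an Upgrade header naming the protocol being switched to, which is the check that would tell the user the server really agreed before "try anyway..." proceeds with the handshake. Finally, the User-Agent line formats both OPENSSL_VERSION_TEXT and SSLeay_version(SSLEAY_VERSION), which return the same string, so the header reads "s_client/OpenSSL 1.x ... OpenSSL/OpenSSL 1.x ..."; one version token is enough.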
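As an added illustration, not part of the patch above or of OpenSSL, here is a small C parser for the HTTP/1.1 response that precedes an RFC 2817 upgrade. It does the checks a client wants before handing the socket to TLS: it reads the status code from the status line itself rather than searching for " 101 ", looks for an Upgrade header whose value lists a TLS protocol, and treats the header block as complete only once the blank line has arrived, accepting either CRLF or bare LF line endings. The function names (parse_upgrade_response, upgrade_accepted) and the sample responses are made up for this example.

```c
/* Added example: parse the HTTP/1.1 response to an RFC 2817 upgrade request.
 * Not part of the s_client patch or of OpenSSL; names and samples are constructed. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

struct upgrade_result {
    int status;          /* three-digit status code, 0 if the status line did not parse */
    int upgrade_tls;     /* 1 if an Upgrade: header lists a TLS/x.y token */
    int header_complete; /* 1 if the blank line ending the header block was seen */
    size_t header_len;   /* bytes consumed through that blank line */
};

/* Case-insensitive test that the first strlen(prefix) bytes of s equal prefix. */
static int prefix_ci(const char *s, size_t n, const char *prefix)
{
    size_t plen = strlen(prefix), i;
    if (n < plen)
        return 0;
    for (i = 0; i < plen; i++)
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)prefix[i]))
            return 0;
    return 1;
}

/* Does a comma-separated Upgrade value such as " TLS/1.0, HTTP/1.1" offer TLS? */
static int value_offers_tls(const char *v, size_t n)
{
    size_t i = 0;
    while (i < n) {
        while (i < n && (v[i] == ' ' || v[i] == '\t' || v[i] == ','))
            i++;
        if (prefix_ci(v + i, n - i, "TLS/"))
            return 1;
        while (i < n && v[i] != ',')
            i++;
    }
    return 0;
}

struct upgrade_result parse_upgrade_response(const char *buf, size_t len)
{
    struct upgrade_result r = { 0, 0, 0, 0 };
    size_t pos = 0;
    int first = 1;

    while (pos < len) {
        const char *line = buf + pos;
        const char *lf = memchr(line, '\n', len - pos);
        size_t line_len;
        if (lf == NULL)
            break; /* no terminator yet: header block still incomplete */
        line_len = (size_t)(lf - line);
        pos += line_len + 1;
        if (line_len > 0 && line[line_len - 1] == '\r')
            line_len--; /* accept CRLF or bare LF */
        if (line_len == 0) { /* blank line ends the header block */
            r.header_complete = 1;
            r.header_len = pos;
            break;
        }
        if (first) { /* status line: "HTTP/1.x SP 3DIGIT ..." */
            first = 0;
            if (line_len >= 12 && prefix_ci(line, line_len, "HTTP/1.") && line[8] == ' '
                && isdigit((unsigned char)line[9]) && isdigit((unsigned char)line[10])
                && isdigit((unsigned char)line[11]))
                r.status = (line[9] - '0') * 100 + (line[10] - '0') * 10 + (line[11] - '0');
        } else { /* header field: name ":" value */
            const char *colon = memchr(line, ':', line_len);
            size_t name_len = colon ? (size_t)(colon - line) : 0;
            if (colon && name_len == 7 && prefix_ci(line, name_len, "Upgrade")
                && value_offers_tls(colon + 1, line_len - name_len - 1))
                r.upgrade_tls = 1;
        }
    }
    return r;
}

/* Begin the TLS handshake only when the header block is complete, the status
 * is 101 and the server's Upgrade header actually names TLS. */
int upgrade_accepted(const char *buf, size_t len)
{
    struct upgrade_result r = parse_upgrade_response(buf, len);
    return r.header_complete && r.status == 101 && r.upgrade_tls;
}

/* Constructed sample responses. */
static const char SAMPLE_SWITCHED[] = "HTTP/1.1 101 Switching Protocols\r\n"
    "Upgrade: TLS/1.0, HTTP/1.1\r\nConnection: Upgrade\r\n\r\n";
static const char SAMPLE_REFUSED[] = "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n";
static const char SAMPLE_TRUNCATED[] = "HTTP/1.1 101 Switching Protocols\r\nUpgrade: TLS/1.0\r\n";

int main(void)
{
    printf("switched:  %d\n", upgrade_accepted(SAMPLE_SWITCHED, sizeof SAMPLE_SWITCHED - 1));
    printf("refused:   %d\n", upgrade_accepted(SAMPLE_REFUSED, sizeof SAMPLE_REFUSED - 1));
    printf("truncated: %d\n", upgrade_accepted(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED - 1));
    return 0;
}
```

The truncated sample is the case a line-at-a-time loop gets wrong: the client has seen "101" and an Upgrade header, but the blank line has not arrived, so the parser reports the block as incomplete and the caller should keep reading instead of starting the handshake on a half-read response.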