I'm fairly certain this will be applied to 1.1.0 and not necessarily
backported to 1.0.2, so this hack might be useful to some of you
who want to test for the preservation of the SSLEngine optional
Upgrade: TLS/1.0 behavior on trunk and 2.4.x branch...



---------- Forwarded message ----------
From: William A. Rowe Jr. via RT <r...@openssl.org>
Date: Tue, Nov 17, 2015 at 5:26 PM
Subject: [openssl-dev] [openssl.org #4145] Enhancement: patch to support
s_client -starttls http
To:
Cc: openssl-...@openssl.org


RFC 2817 defines upgrading HTTP/1.1 to TLS (or SSL).

Because Apache httpd supports Connection: Upgrade and Upgrade: TLS/1.x, I've
gone ahead and instrumented s_client to support this behavior (and noted a
small optimization in the same logic stream for starttls support).

Attached is the patch to introduce this behavior.  It is a bit crufty, but
lacking a CUPS client that did connection upgrade to TLS, I needed
something for testing and experimentation.

I don't know that there is a justification for implementing Upgrade: h2
since this is a binary protocol that is not conducive to terminal mode :)

Source licensed by me under the OpenSSL license at
https://www.openssl.org/source/license.txt - don't see a need for a CLA,
but email me privately if so.


diff --git a/apps/s_client.c b/apps/s_client.c
index f80711f..4fe908d 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -403,7 +403,7 @@ static void sc_usage(void)
     BIO_printf(bio_err,
                "                 'prot' defines which one to assume.  Currently,\n");
     BIO_printf(bio_err,
-               "                 only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
+               "                 only \"smtp\", \"pop3\", \"imap\", \"ftp\", \"xmpp\" and \"http\"\n");
     BIO_printf(bio_err, "                 are supported.\n");
 #ifndef OPENSSL_NO_ENGINE
     BIO_printf(bio_err,
@@ -655,7 +655,8 @@ enum {
     PROTO_POP3,
     PROTO_IMAP,
     PROTO_FTP,
-    PROTO_XMPP
+    PROTO_XMPP,
+    PROTO_HTTP
 };
 
 int MAIN(int, char **);
@@ -1077,6 +1078,8 @@ int MAIN(int argc, char **argv)
                 starttls_proto = PROTO_FTP;
             else if (strcmp(*argv, "xmpp") == 0)
                 starttls_proto = PROTO_XMPP;
+            else if (strcmp(*argv, "http") == 0)
+                starttls_proto = PROTO_HTTP;
             else
                 goto bad;
         }
@@ -1632,8 +1635,7 @@ int MAIN(int argc, char **argv)
         BIO_free(fbio);
         BIO_printf(sbio, "AUTH TLS\r\n");
         BIO_read(sbio, sbuf, BUFSIZZ);
-    }
-    if (starttls_proto == PROTO_XMPP) {
+    } else if (starttls_proto == PROTO_XMPP) {
         int seen = 0;
         BIO_printf(sbio, "<stream:stream "
                    "xmlns:stream='http://etherx.jabber.org/streams' "
@@ -1654,6 +1656,54 @@ int MAIN(int argc, char **argv)
         if (!strstr(sbuf, "<proceed"))
             goto shut;
         mbuf[0] = 0;
+    } else if (starttls_proto == PROTO_HTTP) {
+        int foundit = 0;
+        BIO *fbio = BIO_new(BIO_f_buffer());
+        BIO_push(fbio, sbio);
+        BIO_printf(fbio, "OPTIONS * HTTP/1.1\r\n");
+        BIO_printf(fbio, "Connection: Upgrade\r\n");
+        BIO_printf(fbio, "Host: %s\r\n", host);
+        if (0)
+            ; /* to gracefully resume below... */
+#ifndef OPENSSL_NO_SSL2
+        else if (meth == SSLv2_client_method())
+            BIO_printf(fbio, "Upgrade: SSL/2.0\r\n");
+#endif
+#ifndef OPENSSL_NO_SSL3_METHOD
+        else if (meth == SSLv3_client_method())
+            BIO_printf(fbio, "Upgrade: SSL/3.0\r\n");
+#endif
+#ifndef OPENSSL_NO_TLS1
+        else if (meth = TLSv1_2_client_method())
+            BIO_printf(fbio, "Upgrade: TLS/1.2\r\n");
+        else if (meth = TLSv1_1_client_method())
+            BIO_printf(fbio, "Upgrade: TLS/1.1\r\n");
+        else if (meth = TLSv1_client_method())
+            BIO_printf(fbio, "Upgrade: TLS/1.0\r\n");
+#endif
+        /* BIO_printf(fbio, "Upgrade: TLS/1.2,TLS/1.1,TLS/1.0\r\n");
+         */
+        BIO_printf(fbio, "User-Agent: s_client/%s OpenSSL/%s\r\n",
+                   OPENSSL_VERSION_TEXT, SSLeay_version(SSLEAY_VERSION));
+        BIO_printf(fbio, "\r\n");
+        (void)BIO_flush(fbio);
+        /* wait for multi-line HTTP/1.1 101 Switching Protocols response */
+        mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
+        BIO_printf(bio_err, "%s", mbuf);
+        if (strstr(mbuf, " 101 "))
+            foundit = 1;
+        do {
+            mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
+            BIO_printf(bio_err, "%s", mbuf);
+        }
+        while (mbuf_len >= 2 && mbuf[0] != '\r' && mbuf[1] != '\n');
+        (void)BIO_flush(fbio);
+        BIO_pop(fbio);
+        BIO_free(fbio);
+        if (!foundit)
+            BIO_printf(bio_err,
+                       "Server response was not 101 Switching Protocols"
+                       " try anyway...\n");
     }
 
     for (;;) {
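Review bot: The three branches under `#ifndef OPENSSL_NO_TLS1`, `else if (meth = TLSv1_2_client_method())` and the TLSv1_1/TLSv1 lines below it, assign rather than compare, so the first one always succeeds, `Upgrade: TLS/1.2` is sent whatever method the user selected, and `meth` is overwritten as a side effect; each should read `else if (meth == TLSv1_2_client_method())` (likewise for the 1.1 and 1.0 lines), which is what the covering mail's stated goal of exercising `Upgrade: TLS/1.0` requires. The header-skipping loop's condition `mbuf[0] != '\r' && mbuf[1] != '\n'` also stops on any two-byte line whose second byte is `\n`, not only on the blank `\r\n` line that ends the response headers; `while (mbuf_len >= 2 && (mbuf[0] != '\r' || mbuf[1] != '\n'));` expresses the intent. The status-line read `mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);` is not checked before `strstr` and the `BIO_printf` consume `mbuf`, so on a closed or failed connection whatever the buffer previously held is scanned and printed; `if (mbuf_len <= 0) goto shut;` there would match how the xmpp branch bails out, and the same check belongs on the read inside the loop. MAIN begins and continues outside this hunk.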
