I’ve just spent a few hours brain-haemorrhaging over why my new Postfix server wasn’t allowing me to enter “RCPT TO:” over a STARTTLS connection. Instead it would renegotiate the TLS.
Eventually I found an e-mail by Wietse Venema saying:
Victor Duchovni:
> On Mon, Jan 22, 2007 at 04:31:12PM -0500, Wietse Venema wrote:
> > RCPT TO:<postmaster>
> > RENEGOTIATING
>
> You got bit by the "s_client" "R" feature... try "rcpt to:" lower case,
> then it hangs up.
What utter brain damage, a non-transparent SSL client program.
Read this and be warned — we are all stupid, in the eyes of the truly mad s_client
Comments
no way
Thank you. I can’t believe that was the problem.
I’ve just
I’ve just “encountered” this.
How insane.
OMG, you are a life saver!!
OMG, you are a life saver!! :D
Thanks. I just got bit ;)
Q will get you, too
For future reference, also note that Q is 'q'uit. That one got me while I was trying to diagnose a complicated IMAP problem, where I was prefixing my commands in alphabetical order. Apparently I'd've only gotten one command further...
(This one just bit me with Postfix.)
...and a workaround + patch/bug-report
From looking at the code I figured out that the '-ign_eof' flag will short-circuit this behavior (with the side-effect of not being able to Ctrl+D out of the session).
But the initial surprise is pretty great, and I didn't see why anyone would ever want this particular behavior, so I also filed a bug with two patches against OpenSSL.
"#1872: [PATCH] Change 'Q' and 'R' behavior in s_client" at http://rt.openssl.org/Ticket/Display.html?id=1872
me too
ridiculous..
Hilarious
Wow. So glad this was result #1 on Google for "postfix rcpt renegotiating". If there were elections for "stupidest feature ever" I would nominate this R "hotkey". Thanks for sharing this here.
What is this I don't even
After much frustration I ended up posting on Serverfault where somebody linked me to your page. I find it a little amusing that after trawling half the internet I end up finding the answer on a fellow South African's blog. :) Thanks for this post!
Pingback
You just made a Spaniard happy
I just wanted to say that I love you very much
Two workarounds
It’s surprisingly hard to find workarounds for this online, at least besides “use lowercase” (which doesn’t work, for example, if you’re doing SMTP AUTH LOGIN and your username is “A” which must be entered as “QQ==”).
Anyway, the workarounds:
1. Use the “-quiet” or “-ign_eof” flags when invoking s_client, which both have the side-effect of disabling the “R” and “Q” “features.” (At least this works in some versions* of OpenSSL.)
2. Ditch openssl s_client, and instead use gnutls-cli (https://www.gnu.org/software/gnutls/). Added bonus: you get complete control over all the commands pre-STARTTLS as well.
*
$ openssl version
OpenSSL 1.0.0e 6 Sep 2011
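An added example, not part of the original post or its comments: a Python pre-flight check that lists which lines of a scripted SMTP session an interactive s_client (run without -quiet or -ign_eof) would treat as its "R" or "Q" commands, including base64 AUTH LOGIN values such as the "QQ==" case mentioned above. It assumes only the first character of a typed line matters; the function names, host, addresses and credentials are constructed for illustration.

```python
import base64

# First character of an input line -> what interactive s_client does with it,
# as described in the post and comments above (uppercase only; assumption:
# only the first character of the line is inspected).
HOTKEYS = {"R": "renegotiate", "Q": "quit"}


def hotkey_action(line):
    """Return the s_client action a typed line would trigger, or None."""
    return HOTKEYS.get(line[:1])


def audit_session(lines):
    """List (line number, action, text) for every line s_client would swallow."""
    hits = []
    for number, line in enumerate(lines, start=1):
        action = hotkey_action(line)
        if action:
            hits.append((number, action, line))
    return hits


def auth_login_lines(username, password):
    """Base64 lines an SMTP AUTH LOGIN exchange expects after the 334 prompts."""
    return [base64.b64encode(value.encode("utf-8")).decode("ascii")
            for value in (username, password)]


# Constructed sample session (hypothetical host, addresses and credentials).
SAMPLE_SESSION = [
    "EHLO client.example",
    "AUTH LOGIN",
    *auth_login_lines("A", "correct horse"),
    "MAIL FROM:<me@example.org>",
    "RCPT TO:<postmaster>",
    "DATA",
    "QUIT",
]

if __name__ == "__main__":
    for number, action, line in audit_session(SAMPLE_SESSION):
        print(f"line {number}: {line!r} would make s_client {action}")
```

Because base64 maps the top six bits of the first byte to the first output character, any AUTH LOGIN value whose first byte is "@" or "A" through "G" encodes to a line starting with "Q" or "R", so lowercasing the command is not enough for those accounts.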