Skip to content

smtp does not accept EHLO keywords in lowercase #18588

New issue
New issue
Closed
Closed
smtp does not accept EHLO keywords in lowercase#18588
Labels
SMTP
@MegaManSec

Description

@MegaManSec
MegaManSec
opened on Sep 17, 2025

I did this

RFC5321 states that " Although EHLO keywords may be specified in upper, lower, or mixedcase, they MUST always be recognized and processed in a case-insensitive manner. " (src)

curl does not do this, and works with only uppercase:

curl/lib/smtp.c

Lines 992 to 1056 in af7d67d

if(len >= 8 && !memcmp(line, "STARTTLS", 8))
smtpc->tls_supported = TRUE;
/* Does the server support the SIZE capability? */
else if(len >= 4 && !memcmp(line, "SIZE", 4))
smtpc->size_supported = TRUE;
/* Does the server support the UTF-8 capability? */
else if(len >= 8 && !memcmp(line, "SMTPUTF8", 8))
smtpc->utf8_supported = TRUE;
/* Does the server support authentication? */
else if(len >= 5 && !memcmp(line, "AUTH ", 5)) {
smtpc->auth_supported = TRUE;
/* Advance past the AUTH keyword */
line += 5;
len -= 5;
/* Loop through the data line */
for(;;) {
size_t llen;
size_t wordlen;
unsigned short mechbit;
while(len &&
(*line == ' ' || *line == '\t' ||
*line == '\r' || *line == '\n')) {
line++;
len--;
}
if(!len)
break;
/* Extract the word */
for(wordlen = 0; wordlen < len && line[wordlen] != ' ' &&
line[wordlen] != '\t' && line[wordlen] != '\r' &&
line[wordlen] != '\n';)
wordlen++;
/* Test the word for a matching authentication mechanism */
mechbit = Curl_sasl_decode_mech(line, wordlen, &llen);
if(mechbit && llen == wordlen)
smtpc->sasl.authmechs |= mechbit;
line += wordlen;
len -= wordlen;
}
}
if(smtpcode != 1) {
if(data->set.use_ssl && !Curl_conn_is_ssl(data->conn, FIRSTSOCKET)) {
/* We do not have an SSL/TLS connection yet, but SSL is requested */
if(smtpc->tls_supported)
/* Switch to TLS connection now */
result = smtp_perform_starttls(data, smtpc);
else if(data->set.use_ssl == CURLUSESSL_TRY)
/* Fallback and carry on with authentication */
result = smtp_perform_authentication(data, smtpc);
else {
failf(data, "STARTTLS not supported.");
result = CURLE_USE_SSL_FAILED;
}
which means if a server advertises for e.g. STARTTLS as starttls, it is skipped (sad-face).

I expected the following

starttls to work when the server advertises it in lowercase

curl/libcurl version

curl 8.2.0

operating system

All of them

Metadata

Metadata

Assignees

No one assigned

    Labels

    SMTP

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions