upgrade to libssl1.1 1.1.1-1ubuntu2.1~18.04.2 breaks ejabberd

Bug #1832933 reported by sles
Affects                   Status         Importance   Assigned to   Milestone
erlang-p1-tls (Ubuntu)    Fix Released   Undecided    Unassigned
  Bionic                  Fix Released   Undecided    Unassigned
  Cosmic                  Fix Committed  Undecided    Unassigned

Bug Description

[Impact]

 * Clients cannot connect to ejabberd server, due to incompatibility with openssl 1.1.1. Specifically, client renegotiation is marked as not-supported in openssl, yet it is attempted by ejabberd.

[Test Case]

 * Stand up an ejabberd server and connect to it from bionic and prior releases. The connection should not fail.

[Fixes]
== erlang-p1-tls ==

Looking at all upstream patches since 1.0.20 (current bionic) these are the useful ones:

0002-Specify-accepted-Client-CAs-during-handshake.patch
- quite small, fixes Client CA negotiation

0013-Update-cert-used-by-test-to-use-sha256-signature.patch
- updates test cert to a stronger one

0014-Add-no_tlsv1_3-option-parsing-from-openssl1.1.patch
- tiny, adds the "no_tlsv1_3" option

0016-Improve-tests-to-make-them-work-with-openssl1.1.patch
- testsuite fixes

0022-Use-SSL_OP_NO_RENEGOTIATION-when-available.patch
- needed to fix this bug, do not attempt renegotiation as that is no longer supported. Just ifdefs.

There are also patches that add new apis, to rebuild cert caches, and query negotiated protocols, but meh.

[Regression Potential]

 * All fixes are very small cherrypick patches against the TLS glue code library used by ejabberd, which have been used in production builds as advertised on ejabberd for a long time. They use ifdefs to comment out client renegotiation, and update the testsuite. Given the opportunity, cherrypicking a patch to fix client cert authentication too.

[Other Info]

 * Original bug report:

Hello!

After upgrade to

libssl1.1 1.1.1-1ubuntu2.1~18.04.2
openssl 1.1.1-1ubuntu2.1~18.04.2

on Ubuntu 18.04 server clients can't connect to ejabberd server:

2019-06-15 15:56:26.431 [warning] <0.858.0>@ejabberd_c2s:process_terminated:290 (tls|<0.858.0>) Failed to secure c2s connection: TLS failed: client renegotiations forbidden

ejabberd version is 18.01-2

which is from Ubuntu 18.04.

As far as I know ejabberd can work with openssl 1.1.1 only from 18.09
https://blog.process-one.net/ejabberd-18-09/

OpenSSL 1.1.1 support

Either ejabberd in 18.04 should be updated or openssl should not be upgraded to 1.1.1 on 18.04.

Thank you!
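The warning quoted above is the only server-side symptom of this bug, so the quickest way to tell it apart from other TLS handshake failures is to tally the "TLS failed:" reasons in the ejabberd log. The following added example (not part of the bug report or of ejabberd) does that over a constructed log excerpt whose first line mirrors the reported warning; the other lines, including the "certificate verify failed" reason, are made up for contrast.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample log: line 1 mirrors the warning from the bug report,
# the remaining lines are invented ejabberd c2s traffic for contrast.
SAMPLE_LOG = """\
2019-06-15 15:56:26.431 [warning] <0.858.0>@ejabberd_c2s:process_terminated:290 (tls|<0.858.0>) Failed to secure c2s connection: TLS failed: client renegotiations forbidden
2019-06-15 15:56:27.002 [info] <0.860.0>@ejabberd_c2s:bind:437 (tls|<0.860.0>) Opened c2s session: alice@example.org/psi
2019-06-15 15:56:31.118 [warning] <0.861.0>@ejabberd_c2s:process_terminated:290 (tls|<0.861.0>) Failed to secure c2s connection: TLS failed: client renegotiations forbidden
2019-06-15 15:57:02.540 [warning] <0.870.0>@ejabberd_c2s:process_terminated:290 (tls|<0.870.0>) Failed to secure c2s connection: TLS failed: certificate verify failed
"""

# ejabberd 18.x log layout: "<date> <time> [level] <pid>@module:function:line message"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] <(?P<pid>[\d.]+)>@(?P<where>\S+) (?P<msg>.*)$"
)
TLS_FAIL_RE = re.compile(r"Failed to secure c2s connection: TLS failed: (?P<reason>.+)$")
RENEG_REASON = "client renegotiations forbidden"  # the reason reported in LP: #1832933


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one ejabberd log line into its fields, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def tls_failures(log_text: str) -> Counter:
    """Count c2s TLS handshake failures by the reason ejabberd reports."""
    reasons: Counter = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        m = TLS_FAIL_RE.search(rec["msg"])
        if m:
            reasons[m.group("reason")] += 1
    return reasons


def renegotiation_failures(log_text: str) -> List[str]:
    """Return the Erlang pids of c2s sessions dropped by the forbidden-renegotiation error."""
    pids = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec and RENEG_REASON in rec["msg"]:
            pids.append(rec["pid"])
    return pids


def assess(log_text: str) -> str:
    """Summarise whether the log shows the OpenSSL 1.1.1 renegotiation incompatibility."""
    n = tls_failures(log_text)[RENEG_REASON]
    if n == 0:
        return "no renegotiation failures seen"
    return (f"{n} c2s handshake(s) failed with '{RENEG_REASON}': OpenSSL 1.1.1 forbids "
            f"client renegotiation, update erlang-p1-tls (LP: #1832933)")
```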

Dimitri John Ledkov (xnox) wrote :

I wonder if https://github.com/processone/fast_tls/commit/9b25543cf1200e3b216996598771962461ea51c8 is enough to fix connectivity.

Things to test:
- ejabberd server works and accepts various clients
- ejabberd client works and connects to various servers

Changed in erlang-p1-tls (Ubuntu):
status: New → Confirmed
description: updated
Changed in erlang-p1-tls (Ubuntu):
status: Confirmed → Fix Released
no longer affects: openssl (Ubuntu Bionic)
no longer affects: openssl (Ubuntu)
no longer affects: ejabberd (Ubuntu Bionic)
no longer affects: ejabberd (Ubuntu)
Changed in erlang-p1-tls (Ubuntu Bionic):
status: New → Confirmed
Dimitri John Ledkov (xnox) wrote :

Could you please try:
sudo add-apt-repository ppa:ci-train-ppa-service/3743
sudo apt update
sudo apt full-upgrade

And let me know if that fixes everything?

It's a PPA with an updated erlang-p1-tls package that should hopefully fix everything.

More details at https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3743

sles (slesru) wrote :

Hello!

Installed erlang-p1-tls_1.0.20-1ubuntu0.1_amd64.deb from the PPA you mentioned.

Now I can connect my psi to my ejabberd.

Thank you!

It's early morning here, I need to wait until most users try to use ejabberd.
I'll report back in the next several hours.

sles (slesru) wrote :

There are no complaints from users, so I assume erlang-p1-tls_1.0.20-1ubuntu0.1_amd64.deb fixed the problem.
Thank you!

description: updated
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello sles, or anyone else affected,

Accepted erlang-p1-tls into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/erlang-p1-tls/1.0.20-1ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in erlang-p1-tls (Ubuntu Bionic):
status: Confirmed → Fix Committed
tags: added: verification-needed verification-needed-bionic
Łukasz Zemczak (sil2100) wrote :

From what I see, one or more of the commits cherry-picked to fix this issue are only available from version 1.0.26. Seeing that cosmic also has openssl 1.1.1 and an older erlang-p1-tls 1.0.23, do you think it makes sense to also get that fixed there? I know cosmic will be going EOL soonish, which is why I am not making this a forced requirement, but I was just wondering if it would be a lot of work and (most importantly) if we have anyone that could test it then.

sles (slesru) wrote :

Hello!

Currently I run 1.0.20-1ubuntu0.1 and it works.

Thank you!

tags: added: verification-done-bionic
removed: verification-needed-bionic
Dimitri John Ledkov (xnox) wrote :

@sil2100 yes

Dimitri John Ledkov (xnox) wrote :

Cosmic is in unapproved now. And I hope we can release bionic into -updates ahead of cosmic fix landing.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package erlang-p1-tls - 1.0.20-1ubuntu0.1

---------------
erlang-p1-tls (1.0.20-1ubuntu0.1) bionic; urgency=medium

  * Cherrypick upstream patches for openssl1.1 support:
    - fix client cert authentication
    - update test certificates
    - add support for 'no_tlsv1_3' option
    - testsuite fixes
    - do not attempt unsupported renegotiation LP: #1832933

 -- Dimitri John Ledkov <email address hidden> Sun, 16 Jun 2019 01:48:12 +0100

Changed in erlang-p1-tls (Ubuntu Bionic):
status: Fix Committed → Fix Released
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for erlang-p1-tls has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello sles, or anyone else affected,

Accepted erlang-p1-tls into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/erlang-p1-tls/1.0.23-2ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-cosmic to verification-done-cosmic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-cosmic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in erlang-p1-tls (Ubuntu Cosmic):
status: New → Fix Committed
tags: added: verification-needed-cosmic
Robie Basak (racb) wrote :

The security pocket was also regressed separately but is now fixed. See duplicate bug 1840902.

tags: added: regression-update