upgrade to libssl1.1 1.1.1-1ubuntu2.1~18.04.2 breaks ejabbrd
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
erlang-p1-tls (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Bionic |
Fix Released
|
Undecided
|
Unassigned | ||
Cosmic |
Won't Fix
|
Undecided
|
Unassigned |
Bug Description
[Impact]
* Clients cannot connect to ejabberd server, due to incompatibility with openssl 1.1.1. Specifically, client renegotiation is marked as not-supported in openssl, yet it is attempted by ejabberd.
[Test Case]
* Stand-up ejabberd server and connect to it, from bionic and prior releases. Connection should not fail.
[Fixes]
== erlang-p1-tls ==
Looking at all upstream patches since 1.0.20 (current bionic) these are the useful ones:
0002-Specify-
- quite small fixes Client CA negotiation
0013-Update-
- updates test cert to a stronger one
0014-Add-
- tiny, andd "no_tlsv1_3" option
0016-Improve-
- testsuite fixes
0022-Use-
- needed to fix this bug, do not attempt renegotiation as that is no longer supported. Just ifdefs.
There are also patches that add new apis, to rebuild cert caches, and query negotiated protocols, but meh.
[Regression Potential]
* All fixes are very small cherrypick patches against the tls glue code library used by ejabberd which have been used in production builds as advertised on ejabberd for a long time. They use ifdefs to comment out client renegotiation, and update testsuite. Given the opportunity, cherrypicking a patch to fix client cert authentication too.
[Other Info]
* Original bug report:
Hello!
After upgrade to
libssl1.1 1.1.1-1ubuntu2.
openssl 1.1.1-1ubuntu2.
on Ubuntu 18.04 server clients can't connect to ejabberd server:
2019-06-15 15:56:26.431 [warning] <0.858.
ejabberd version is 18.01-2
which is from Ubuntu 18.04.
As far as I know ejabberd can work with openssl 1.1.1 only from 18.09
https:/
OpenSSL 1.1.1 support
Either ejabberd in 18.04 should be updated or openssl should not be upgraded to 1.1.1 on 18.04 .
Thank you!
Changed in erlang-p1-tls (Ubuntu): | |
status: | New → Confirmed |
description: | updated |
Changed in erlang-p1-tls (Ubuntu): | |
status: | Confirmed → Fix Released |
no longer affects: | openssl (Ubuntu Bionic) |
no longer affects: | openssl (Ubuntu) |
no longer affects: | ejabberd (Ubuntu Bionic) |
no longer affects: | ejabberd (Ubuntu) |
Changed in erlang-p1-tls (Ubuntu Bionic): | |
status: | New → Confirmed |
description: | updated |
I wonder if https:/ /github. com/processone/ fast_tls/ commit/ 9b25543cf1200e3 b21699659877196 2461ea51c8 is enough to fix connectivity.
Things to test:
- ejabberd server works and accepts various clients
- ejabberd clinet works and connects to various servers