| 2019-06-15 12:41:24 |
sles |
bug |
|
|
added bug |
| 2019-06-15 23:46:05 |
Dimitri John Ledkov |
bug task added |
|
ejabberd (Ubuntu) |
|
| 2019-06-16 00:43:49 |
Dimitri John Ledkov |
bug task added |
|
erlang-p1-tls (Ubuntu) |
|
| 2019-06-16 00:43:54 |
Dimitri John Ledkov |
erlang-p1-tls (Ubuntu): status |
New |
Confirmed |
|
| 2019-06-16 00:49:59 |
Dimitri John Ledkov |
description |
Hello!
After upgrade to
libssl1.1 1.1.1-1ubuntu2.1~18.04.2
openssl 1.1.1-1ubuntu2.1~18.04.2
on Ubuntu 18.04 server clients can't connect to ejabberd server:
2019-06-15 15:56:26.431 [warning] <0.858.0>@ejabberd_c2s:process_terminated:290 (tls|<0.858.0>) Failed to secure c2s connection: TLS failed: client renegotiations forbidden
ejabberd version is 18.01-2
which is from Ubuntu 18.04.
As far as I know ejabberd can work with openssl 1.1.1 only from 18.09
https://blog.process-one.net/ejabberd-18-09/
OpenSSL 1.1.1 support
Either ejabberd in 18.04 should be updated or openssl should not be upgraded to 1.1.1 on 18.04 .
Thank you! |
Hello!
After upgrade to
libssl1.1 1.1.1-1ubuntu2.1~18.04.2
openssl 1.1.1-1ubuntu2.1~18.04.2
on Ubuntu 18.04 server clients can't connect to ejabberd server:
2019-06-15 15:56:26.431 [warning] <0.858.0>@ejabberd_c2s:process_terminated:290 (tls|<0.858.0>) Failed to secure c2s connection: TLS failed: client renegotiations forbidden
ejabberd version is 18.01-2
which is from Ubuntu 18.04.
As far as I know ejabberd can work with openssl 1.1.1 only from 18.09
https://blog.process-one.net/ejabberd-18-09/
OpenSSL 1.1.1 support
Either ejabberd in 18.04 should be updated or openssl should not be upgraded to 1.1.1 on 18.04 .
Thank you!
== erlang-p1-tls ==
Looking at all upstream patches since 1.0.20 (current bionic) these are the useful ones:
0002-Specify-accepted-Client-CAs-during-handshake.patch
- quite small fixes Client CA negotiation
0013-Update-cert-used-by-test-to-use-sha256-signature.patch
- updates test cert to a stronger one
0014-Add-no_tlsv1_3-option-parsing-from-openssl1.1.patch
- tiny, andd "no_tlsv1_3" option
0016-Improve-tests-to-make-them-work-with-openssl1.1.patch
- testsuite fixes
0022-Use-SSL_OP_NO_RENEGOTIATION-when-available.patch
- needed to fix this bug, do not attempt renegotiation as that is no longer supported. Just ifdefs.
There are also patches that add new apis, to rebuild cert caches, and query negotiated protocols, but meh. |
|
| 2019-06-16 00:53:22 |
Dimitri John Ledkov |
nominated for series |
|
Ubuntu Bionic |
|
| 2019-06-16 00:53:22 |
Dimitri John Ledkov |
bug task added |
|
openssl (Ubuntu Bionic) |
|
| 2019-06-16 00:53:22 |
Dimitri John Ledkov |
bug task added |
|
ejabberd (Ubuntu Bionic) |
|
| 2019-06-16 00:53:22 |
Dimitri John Ledkov |
bug task added |
|
erlang-p1-tls (Ubuntu Bionic) |
|
| 2019-06-16 00:53:33 |
Dimitri John Ledkov |
erlang-p1-tls (Ubuntu): status |
Confirmed |
Fix Released |
|
| 2019-06-16 00:53:47 |
Dimitri John Ledkov |
bug task deleted |
openssl (Ubuntu Bionic) |
|
|
| 2019-06-16 00:53:51 |
Dimitri John Ledkov |
bug task deleted |
openssl (Ubuntu) |
|
|
| 2019-06-16 00:54:05 |
Dimitri John Ledkov |
bug task deleted |
ejabberd (Ubuntu Bionic) |
|
|
| 2019-06-16 00:54:09 |
Dimitri John Ledkov |
bug task deleted |
ejabberd (Ubuntu) |
|
|
| 2019-06-16 00:54:17 |
Dimitri John Ledkov |
erlang-p1-tls (Ubuntu Bionic): status |
New |
Confirmed |
|
| 2019-06-17 09:03:28 |
Dimitri John Ledkov |
description |
Hello!
After upgrade to
libssl1.1 1.1.1-1ubuntu2.1~18.04.2
openssl 1.1.1-1ubuntu2.1~18.04.2
on Ubuntu 18.04 server clients can't connect to ejabberd server:
2019-06-15 15:56:26.431 [warning] <0.858.0>@ejabberd_c2s:process_terminated:290 (tls|<0.858.0>) Failed to secure c2s connection: TLS failed: client renegotiations forbidden
ejabberd version is 18.01-2
which is from Ubuntu 18.04.
As far as I know ejabberd can work with openssl 1.1.1 only from 18.09
https://blog.process-one.net/ejabberd-18-09/
OpenSSL 1.1.1 support
Either ejabberd in 18.04 should be updated or openssl should not be upgraded to 1.1.1 on 18.04 .
Thank you!
== erlang-p1-tls ==
Looking at all upstream patches since 1.0.20 (current bionic) these are the useful ones:
0002-Specify-accepted-Client-CAs-during-handshake.patch
- quite small fixes Client CA negotiation
0013-Update-cert-used-by-test-to-use-sha256-signature.patch
- updates test cert to a stronger one
0014-Add-no_tlsv1_3-option-parsing-from-openssl1.1.patch
- tiny, andd "no_tlsv1_3" option
0016-Improve-tests-to-make-them-work-with-openssl1.1.patch
- testsuite fixes
0022-Use-SSL_OP_NO_RENEGOTIATION-when-available.patch
- needed to fix this bug, do not attempt renegotiation as that is no longer supported. Just ifdefs.
There are also patches that add new apis, to rebuild cert caches, and query negotiated protocols, but meh. |
[Impact]
* Clients cannot connect to ejabberd server, due to incompatibility with openssl 1.1.1. Specifically, client renegotiation is marked as not-supported in openssl, yet it is attempted by ejabberd.
[Test Case]
* Stand-up ejabberd server and connect to it, from bionic and prior releases. Connection should not fail.
[Fixes]
== erlang-p1-tls ==
Looking at all upstream patches since 1.0.20 (current bionic) these are the useful ones:
0002-Specify-accepted-Client-CAs-during-handshake.patch
- quite small fixes Client CA negotiation
0013-Update-cert-used-by-test-to-use-sha256-signature.patch
- updates test cert to a stronger one
0014-Add-no_tlsv1_3-option-parsing-from-openssl1.1.patch
- tiny, andd "no_tlsv1_3" option
0016-Improve-tests-to-make-them-work-with-openssl1.1.patch
- testsuite fixes
0022-Use-SSL_OP_NO_RENEGOTIATION-when-available.patch
- needed to fix this bug, do not attempt renegotiation as that is no longer supported. Just ifdefs.
There are also patches that add new apis, to rebuild cert caches, and query negotiated protocols, but meh.
[Regression Potential]
* All fixes are very small cherrypick patches against the tls glue code library used by ejabberd which have been used in production builds as advertised on ejabberd for a long time. They use ifdefs to comment out client renegotiation, and update testsuite. Given the opportunity, cherrypicking a patch to fix client cert authentication too.
[Other Info]
* Original bug report:
Hello!
After upgrade to
libssl1.1 1.1.1-1ubuntu2.1~18.04.2
openssl 1.1.1-1ubuntu2.1~18.04.2
on Ubuntu 18.04 server clients can't connect to ejabberd server:
2019-06-15 15:56:26.431 [warning] <0.858.0>@ejabberd_c2s:process_terminated:290 (tls|<0.858.0>) Failed to secure c2s connection: TLS failed: client renegotiations forbidden
ejabberd version is 18.01-2
which is from Ubuntu 18.04.
As far as I know ejabberd can work with openssl 1.1.1 only from 18.09
https://blog.process-one.net/ejabberd-18-09/
OpenSSL 1.1.1 support
Either ejabberd in 18.04 should be updated or openssl should not be upgraded to 1.1.1 on 18.04 .
Thank you! |
|
| 2019-06-17 10:21:53 |
Łukasz Zemczak |
erlang-p1-tls (Ubuntu Bionic): status |
Confirmed |
Fix Committed |
|
| 2019-06-17 10:21:54 |
Łukasz Zemczak |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2019-06-17 10:21:55 |
Łukasz Zemczak |
bug |
|
|
added subscriber SRU Verification |
| 2019-06-17 10:21:59 |
Łukasz Zemczak |
tags |
ejabberd openssl |
ejabberd openssl verification-needed verification-needed-bionic |
|
| 2019-06-17 10:46:47 |
sles |
tags |
ejabberd openssl verification-needed verification-needed-bionic |
ejabberd openssl verification-done-bionic verification-needed |
|
| 2019-06-20 20:42:34 |
Dimitri John Ledkov |
nominated for series |
|
Ubuntu Cosmic |
|
| 2019-06-20 20:42:34 |
Dimitri John Ledkov |
bug task added |
|
erlang-p1-tls (Ubuntu Cosmic) |
|
| 2019-06-24 10:01:31 |
Launchpad Janitor |
erlang-p1-tls (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|
| 2019-06-24 10:01:34 |
Łukasz Zemczak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
| 2019-06-24 10:11:13 |
Łukasz Zemczak |
erlang-p1-tls (Ubuntu Cosmic): status |
New |
Fix Committed |
|
| 2019-06-24 10:11:14 |
Łukasz Zemczak |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2019-06-24 10:11:16 |
Łukasz Zemczak |
tags |
ejabberd openssl verification-done-bionic verification-needed |
ejabberd openssl verification-done-bionic verification-needed verification-needed-cosmic |
|
| 2019-08-22 09:46:48 |
Robie Basak |
tags |
ejabberd openssl verification-done-bionic verification-needed verification-needed-cosmic |
ejabberd openssl regression-update verification-done-bionic verification-needed verification-needed-cosmic |
|
| 2024-07-26 16:51:36 |
Brian Murray |
erlang-p1-tls (Ubuntu Cosmic): status |
Fix Committed |
Won't Fix |
|
