Your message dated Sat, 16 May 2026 10:23:16 +0000
with message-id <[email protected]>
and subject line Released with 13.5
has caused the Debian Bug report #1130813,
regarding trixie-pu: package erlang-p1-tls/1.1.22-1+deb13u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1130813: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130813
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:erlang-p1-tls
User: [email protected]
Usertags: pu


[ Reason ]
Let's Encrypt has recently ended the support for TLS Client
Authentication in their certificates, see
https://letsencrypt.org/2025/05/14/ending-tls-client-authentication
and https://blog.prosody.im/2026-letsencrypt-changes/, as well as
Debian bugs #1127369 + #1128568.

This breaks communication with ejabberd servers, as they use the
certificate also in client mode for server-to-server connections.

To permit s2s communication with the new certificates, both the erlang-p1-tls
package and the ejabberd package must be updated. If the ejabberd-contrib
package is used, that one must also be updated to a version built
against the updated ejabberd package.

[ Impact ]
Without addressing this, federation between XMPP servers (s2s) will become
more and more broken as more and more servers renew certificates which are
then missing the client authentication flag.

[ Tests ]
I have deployed the updated package to my own server together with
updated ejabberd + ejabberd-contrib packages, after which I could
finally contact other ejabberd servers again that already run recent
Let's Encrypt certificates without the client authentication flag.

[ Risks ]
None. Changes are trivial.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Add upstream commit as patch which allows accepting client certificates without
the client purpose flag.

[ Other info ]
The fix is already part of current ejabberd releases and thereby also fixed in
unstable.

I will upload to proposed-updates right away.
diff -Nru erlang-p1-tls-1.1.22/debian/changelog 
erlang-p1-tls-1.1.22/debian/changelog
--- erlang-p1-tls-1.1.22/debian/changelog       2025-02-09 11:09:55.000000000 
+0100
+++ erlang-p1-tls-1.1.22/debian/changelog       2026-02-10 19:41:06.000000000 
+0100
@@ -1,3 +1,10 @@
+erlang-p1-tls (1.1.22-1+deb13u1) trixie; urgency=medium
+
+  * Add upstream commit which allows accepting client certificates without
+    the sslclient purpose flag (Closes: #1127369)
+
+ -- Philipp Huebner <[email protected]>  Tue, 10 Feb 2026 19:41:06 +0100
+
 erlang-p1-tls (1.1.22-1) unstable; urgency=medium
 
   * New upstream version 1.1.22
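Review bot: the `Closes:` in the new changelog entry lists only #1127369, while the cover letter names #1127369 and #1128568 as the bugs behind this update; if #1128568 is also filed against erlang-p1-tls (rather than ejabberd), add it as `(Closes: #1127369, #1128568)` so the BTS records both as fixed in trixie.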
diff -Nru 
erlang-p1-tls-1.1.22/debian/patches/f1e55d6d6bdf109ebc48dda880d028c95f349c3b.patch
 
erlang-p1-tls-1.1.22/debian/patches/f1e55d6d6bdf109ebc48dda880d028c95f349c3b.patch
--- 
erlang-p1-tls-1.1.22/debian/patches/f1e55d6d6bdf109ebc48dda880d028c95f349c3b.patch
  1970-01-01 01:00:00.000000000 +0100
+++ 
erlang-p1-tls-1.1.22/debian/patches/f1e55d6d6bdf109ebc48dda880d028c95f349c3b.patch
  2026-02-10 19:41:06.000000000 +0100
@@ -0,0 +1,111 @@
+From f1e55d6d6bdf109ebc48dda880d028c95f349c3b Mon Sep 17 00:00:00 2001
+From: Pawel Chmielowski <[email protected]>
+Date: Mon, 7 Jul 2025 10:13:50 +0200
+Subject: [PATCH] Add flag to allow accepting client cert without sslclient
+ purpose flag
+
+---
+ c_src/fast_tls.c | 22 ++++++++++++++++++++--
+ src/fast_tls.erl |  7 ++++++-
+ 2 files changed, 26 insertions(+), 3 deletions(-)
+
+Index: erlang-p1-tls/c_src/fast_tls.c
+===================================================================
+--- erlang-p1-tls.orig/c_src/fast_tls.c
++++ erlang-p1-tls/c_src/fast_tls.c
+@@ -26,6 +26,7 @@
+ #include <openssl/decoder.h>
+ #include <openssl/provider.h>
+ #endif
++#include <openssl/x509v3.h>
+ #include <sys/types.h>
+ #include <sys/stat.h>
+ #include <stdint.h>
+@@ -263,6 +264,19 @@ static int verify_callback(int preverify
+ }
+ 
+ /*
++ * Override cert purpose, to accept certificates that have only
++ * server purpose flag as client certificate (needed for s2s authentication).
++ */
++static int cert_verify_callback(X509_STORE_CTX *x509, void *ptr) {
++    X509_VERIFY_PARAM *param = X509_STORE_CTX_get0_param(x509);
++    if (param) {
++      X509_VERIFY_PARAM_set_purpose(param, X509_PURPOSE_SSL_SERVER);
++      X509_VERIFY_PARAM_set_trust(param, X509_TRUST_SSL_SERVER);
++    }
++    return X509_verify_cert(x509);
++}
++
++/*
+  * ECDHE is enabled only on OpenSSL 1.0.0e and later.
+  * See http://www.openssl.org/news/secadv_20110906.txt
+  * for details.
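Review bot: in `cert_verify_callback` the return values of `X509_VERIFY_PARAM_set_purpose()` and `X509_VERIFY_PARAM_set_trust()` are discarded; both report failure with 0, and if either fails the chain is then verified under whatever purpose the parameter already carried, so check them and `return 0` on failure rather than falling through to `X509_verify_cert()`. The comment should also spell out that, once a context is created with the flag, the relaxed purpose applies to every handshake on that context and to every certificate in the chain, which is why the option must stay opt-in and be passed only for s2s sockets.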
+@@ -549,6 +563,7 @@ static int ssl_sni_callback(const SSL *s
+ #define SET_CERTIFICATE_FILE_CONNECT 2
+ #define VERIFY_NONE 0x10000
+ #define COMPRESSION_NONE 0x100000
++#define OVERRIDE_CERT_PURPOSE 0x200000
+ 
+ static ERL_NIF_TERM ssl_error(ErlNifEnv *env, const char *errstr) {
+     size_t rlen;
+@@ -579,6 +594,7 @@ static SSL_CTX *create_new_ctx(char *cer
+                                char *ciphers, unsigned char *dh, size_t 
dh_size,
+                                char *dh_file, char *ca_file,
+                                unsigned int command,
++                               unsigned long flags,
+                                char **err_str) {
+     long verifyopts;
+     int res = 0;
+@@ -650,6 +666,8 @@ static SSL_CTX *create_new_ctx(char *cer
+     SSL_CTX_set_mode(ctx, SSL_MODE_RELEASE_BUFFERS);
+ #endif
+     SSL_CTX_set_verify(ctx, verifyopts, verify_callback);
++    if (flags & OVERRIDE_CERT_PURPOSE)
++        SSL_CTX_set_cert_verify_callback(ctx, cert_verify_callback, NULL);
+ 
+ #ifndef SSL_OP_NO_RENEGOTIATION
+     SSL_CTX_set_info_callback(ctx, &ssl_info_callback);
+@@ -721,7 +739,7 @@ static char *create_ssl_for_cert(char *c
+ 
+         enif_rwlock_rwlock(certs_map_lock);
+         SSL_CTX *ctx = create_new_ctx(cert_file, key_file, ciphers, dh, 
dh_size,
+-                                      dh_file, ca_file, command, &ret);
++                                      dh_file, ca_file, command,options & 
OVERRIDE_CERT_PURPOSE, &ret);
+         if (ret == NULL) {
+             new_info = enif_alloc(sizeof(cert_info_t));
+             if (new_info) {
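Review bot: `command,options & OVERRIDE_CERT_PURPOSE` needs a space after the comma to match the surrounding argument list. More substantively, the `SSL_CTX` built by `create_new_ctx()` here is cached in `new_info` under `certs_map_lock`, and its behaviour now depends on the new `flags` argument; if the certs_map lookup key does not include `OVERRIDE_CERT_PURPOSE`, a context created for a socket without the override can be handed to a socket that asked for it, or the reverse, so either include the bit in the key or document why that cannot happen.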
+@@ -839,7 +857,7 @@ static ERL_NIF_TERM open_nif(ErlNifEnv *
+     state->dh_file = (char*)(state->dh + dh_bin.size + 1);
+     state->ca_file = state->dh_file + dhfile_bin.size + 1;
+     sni = state->ca_file + cafile_bin.size + 1;
+-    state->options = options;
++    state->options = options | (flags & OVERRIDE_CERT_PURPOSE);
+     state->command = command;
+ 
+     memcpy(state->cert_file, certfile_bin.data, certfile_bin.size);
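Review bot: `state->options = options | (flags & OVERRIDE_CERT_PURPOSE)` moves a bit from the `flags` namespace (defined beside `VERIFY_NONE` and `COMPRESSION_NONE`) into `state->options`, and `create_ssl_for_cert()` later reads it back with `options & OVERRIDE_CERT_PURPOSE`; please confirm that no existing options value uses 0x200000 and add a comment at the `#define` saying the bit is shared between the two, otherwise a future options bit could turn the purpose override on unintentionally.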
+Index: erlang-p1-tls/src/fast_tls.erl
+===================================================================
+--- erlang-p1-tls.orig/src/fast_tls.erl
++++ erlang-p1-tls/src/fast_tls.erl
+@@ -67,6 +67,7 @@
+ -define(VERIFY_NONE, 16#10000).
+ 
+ -define(COMPRESSION_NONE, 16#100000).
++-define(OVERRIDE_CERT_PURPOSE, 16#200000).
+ 
+ -define(PRINT(Format, Args), io:format(Format, Args)).
+ 
+@@ -148,7 +149,11 @@ tcp_to_tls(TCPSocket, Options) ->
+                      true -> ?COMPRESSION_NONE;
+                      false -> 0
+                  end,
+-        Flags = Flags1 bor Flags2,
++        Flags3 = case lists:member(override_cert_purpose, Options) of
++                     true -> ?OVERRIDE_CERT_PURPOSE;
++                     false -> 0
++                 end,
++        Flags = Flags1 bor Flags2 bor Flags3,
+         Ciphers =
+         case lists:keysearch(ciphers, 1, Options) of
+             {value, {ciphers, C}} ->
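Review bot: the new `override_cert_purpose` atom tested in `lists:member(override_cert_purpose, Options)` is not documented in this hunk; add it to the `tcp_to_tls/2` option documentation (and its type spec, if one exists) stating that it lets a certificate carrying only the serverAuth EKU be accepted as a client certificate and is meant for s2s connections, so it is not enabled on c2s listeners by mistake.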
diff -Nru erlang-p1-tls-1.1.22/debian/patches/series 
erlang-p1-tls-1.1.22/debian/patches/series
--- erlang-p1-tls-1.1.22/debian/patches/series  1970-01-01 01:00:00.000000000 
+0100
+++ erlang-p1-tls-1.1.22/debian/patches/series  2026-02-10 19:41:06.000000000 
+0100
@@ -0,0 +1 @@
+f1e55d6d6bdf109ebc48dda880d028c95f349c3b.patch

--- End Message ---
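The failure mode the request describes, reproduced with the openssl CLI as an added example that is not part of the bug report or of erlang-p1-tls: a self-signed certificate carrying only the serverAuth extended key usage, as Let's Encrypt now issues, fails OpenSSL's `sslclient` purpose check and passes once it is evaluated under the `sslserver` purpose, which is the override the patched `cert_verify_callback` applies. The host name `xmpp.example.test`, the temporary file names and the helper functions are constructed for this demo; it needs openssl 1.1.1 or newer for `-addext` and `-ext`.

```shell
#!/bin/sh
# Added example (not from the bug report or the erlang-p1-tls package).
# Shows why a serverAuth-only certificate breaks s2s: OpenSSL's default
# purpose for a peer presenting a client certificate is "sslclient", and a
# certificate whose extendedKeyUsage lacks clientAuth fails that check.
# Evaluating the same chain under the "sslserver" purpose accepts it.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Self-signed certificate with EKU=serverAuth only, standing in for a
# Let's Encrypt certificate issued without TLS Client Authentication.
# Subject name and paths are constructed for the demo.
make_server_only_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
        -subj "/CN=xmpp.example.test" \
        -addext "extendedKeyUsage=serverAuth" >/dev/null 2>&1
}

# The check an operator can run on a live certificate: does its EKU list
# TLS Web Client Authentication? Prints "yes" or "no".
has_client_auth_eku() {
    if openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null \
        | grep -q "TLS Web Client Authentication"; then
        echo yes
    else
        echo no
    fi
}

# Verify the certificate against itself as trust anchor under the given
# OpenSSL purpose (sslclient or sslserver). openssl verify exits non-zero
# with "unsuitable certificate purpose" when the EKU does not fit.
check_purpose() {
    if openssl verify -CAfile "$WORK/cert.pem" -purpose "$1" \
        "$WORK/cert.pem" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

make_server_only_cert
printf 'clientAuth EKU present:    %s\n' "$(has_client_auth_eku "$WORK/cert.pem")"
printf 'verify -purpose sslclient: %s\n' "$(check_purpose sslclient)"
printf 'verify -purpose sslserver: %s\n' "$(check_purpose sslserver)"
```

The `sslserver` result is what the patched NIF obtains by calling `X509_VERIFY_PARAM_set_purpose(param, X509_PURPOSE_SSL_SERVER)` before `X509_verify_cert`; everything else in chain building and trust evaluation is unchanged, so the relaxation is limited to the EKU/purpose test shown here.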
--- Begin Message ---
Package: release.debian.org
Version: 13.5

This update has been released as part of Debian 13.5.

--- End Message ---
