Re: jabberd-2.3.0 release
These are the changes I made to jabberd-2.3.0/sx/ssl.c:

660 - SSL_set_ssl_method(sc->ssl, TLSv1_2_client_method()); 660 + SSL_set_ssl_method(sc->ssl, TLSv1_client_method()); ... 899 - ctx = SSL_CTX_new(TLSv1_2_method()); 899 + ctx = SSL_CTX_new(SSLv23_method()); ... 757 SSL_set_accept_state(sc->ssl); 758 + SSL_set_options(sc->ssl, SSL_OP_NO_SSLv3);

On 26/11/13 11:45, Tomasz Sterna wrote:
> On Tue, 2013-11-26 at 07:40 +0100, Christof Meerwald wrote:
> > I tried upgrading from 2.2.17 to 2.3.0 yesterday, but that left me
> > with a broken server. The s2s component now just connects to a remote
> > server, switches the stream to TLS, gets the certificate, disconnects
> > and immediately connects again.
>
> I guess the network is not that ready for 'TLS Everywhere' [1] yet.
> Maybe it is worth releasing 2.2.18 without that change.
>
> [1] https://github.com/jabberd2/jabberd2/commit/ad9ead7816
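Review bot: TLSv1_client_method() in the line 660 hunk pins the connecting (s2s outgoing) side to TLS 1.0 only; OpenSSL's version-specific *_client_method() functions negotiate exactly that one version, so peers that only speak TLS 1.1 or 1.2 will now fail where the old TLSv1_2_client_method() failed for peers stuck on 1.0. If the goal is "TLS 1.0, 1.1 and 1.2", use the version-flexible method and exclude only the SSL protocols: `SSL_set_ssl_method(sc->ssl, SSLv23_client_method()); SSL_set_options(sc->ssl, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);` so the client offers the highest version the peer supports.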
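Review bot: SSLv23_method() in the line 899 hunk makes the context version-flexible again, but on its own it also allows SSLv3 (and SSLv2 if the library was built with it) for every SSL object derived from ctx; the SSL_OP_NO_SSLv3 added at line 758 covers only the accept path. Set the exclusion once on the context, immediately after creation, so it applies to both accepted and initiated connections: `ctx = SSL_CTX_new(SSLv23_method()); SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);`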
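Review bot: the SSL_set_options(sc->ssl, SSL_OP_NO_SSLv3) added at line 758 is per-connection and sits only after SSL_set_accept_state, so any SSL object created from the same ctx elsewhere (the connect path at line 660 included) is not covered by it, and it omits SSL_OP_NO_SSLv2. A context-wide SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3) at line 899 would make this line unnecessary; if it is kept, OR in SSL_OP_NO_SSLv2 as well. Its placement before the handshake begins is correct, since options have no effect once SSL_accept()/SSL_do_handshake() has started.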
Re: jabberd-2.3.0 release
On Tue, 2013-11-26 at 07:40 +0100, Christof Meerwald wrote:
> I tried upgrading from 2.2.17 to 2.3.0 yesterday, but that left me
> with a broken server. The s2s component now just connects to a remote
> server, switches the stream to TLS, gets the certificate, disconnects
> and immediately connects again.

I guess the network is not that ready for 'TLS Everywhere' [1] yet.
Maybe it is worth releasing 2.2.18 without that change.

[1] https://github.com/jabberd2/jabberd2/commit/ad9ead7816

-- 
Tomasz Sterna @ http://abadcafe.pl/ @ http://www.xiaoka.com/
Re: jabberd-2.3.0 release
If you are interested, you can try the changes I made in http://suchat.org/sx/ssl.c, for protocols TLS v1.0, v1.1 and v1.2.

Carlos

On 26/11/13 10:11, Eric Koldeweij wrote:
> Christof,
>
> I had the same problem; luckily I ran it on a test server. I could not
> even login with my client.
>
> There has been a change in sx/ssl.c line 899. The line now reads
>
>   ctx = SSL_CTX_new(TLSv1_2_method());
>
> This means that it will support TLS v1.2 only. Connections using SSLv3
> or TLS v1.1 and earlier are not accepted any more.
>
> There is also another issue: if a secure connection cannot be
> established for any reason (incompatible protocol or verification
> failed or similar) it will retry many times in very rapid succession
> for 10 minutes.
>
> You can get the old behavior back by changing the line above back to
> the 2.2.17 version:
>
>   ctx = SSL_CTX_new(SSLv23_method());
>
> I think a better solution would be to use the SSLv23_method and disable
> SSLv3 with an option immediately after:
>
>   SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
>
> I have not tested this yet but as far as I can see it will leave you
> with support for TLS v1.0, v1.1 and v1.2.
>
> An even better solution would be to make the SSL settings
> user-configurable. This is not trivial to do though.
>
> Regards,
> Eric.
>
> On 11/26/13 07:40, Christof Meerwald wrote:
> > On Mon, 18 Nov 2013 17:18:07 +0100, Tomasz Sterna wrote:
> > > Next jabberd2 release is finally available.
> > >
> > > Get 2.3.0 release at GitHub: https://github.com/jabberd2/jabberd2/releases
> >
> > I tried upgrading from 2.2.17 to 2.3.0 yesterday, but that left me
> > with a broken server. The s2s component now just connects to a remote
> > server, switches the stream to TLS, gets the certificate, disconnects
> > and immediately connects again.
> >
> > The log file doesn't give any reason for this connection/disconnection
> > loop and it's not clear what configuration settings need to be updated
> > to make it work again (as the NEWS file isn't that helpful).
> >
> > But as there is no delay between the connects/disconnects (and no
> > useful error message), this behaviour might be considered a bug
> > anyway...
> >
> > Guess I'll have to do some debugging and code reviewing in the next
> > few days...
> >
> > Christof
Re: jabberd-2.3.0 release
Christof,

I had the same problem; luckily I ran it on a test server. I could not
even login with my client.

There has been a change in sx/ssl.c line 899. The line now reads

  ctx = SSL_CTX_new(TLSv1_2_method());

This means that it will support TLS v1.2 only. Connections using SSLv3
or TLS v1.1 and earlier are not accepted any more.

There is also another issue: if a secure connection cannot be
established for any reason (incompatible protocol or verification failed
or similar) it will retry many times in very rapid succession for 10
minutes.

You can get the old behavior back by changing the line above back to the
2.2.17 version:

  ctx = SSL_CTX_new(SSLv23_method());

I think a better solution would be to use the SSLv23_method and disable
SSLv3 with an option immediately after:

  SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);

I have not tested this yet but as far as I can see it will leave you
with support for TLS v1.0, v1.1 and v1.2.

An even better solution would be to make the SSL settings
user-configurable. This is not trivial to do though.

Regards,
Eric.

On 11/26/13 07:40, Christof Meerwald wrote:
> On Mon, 18 Nov 2013 17:18:07 +0100, Tomasz Sterna wrote:
> > Next jabberd2 release is finally available.
> >
> > Get 2.3.0 release at GitHub: https://github.com/jabberd2/jabberd2/releases
>
> I tried upgrading from 2.2.17 to 2.3.0 yesterday, but that left me
> with a broken server. The s2s component now just connects to a remote
> server, switches the stream to TLS, gets the certificate, disconnects
> and immediately connects again.
>
> The log file doesn't give any reason for this connection/disconnection
> loop and it's not clear what configuration settings need to be updated
> to make it work again (as the NEWS file isn't that helpful).
>
> But as there is no delay between the connects/disconnects (and no
> useful error message), this behaviour might be considered a bug
> anyway...
>
> Guess I'll have to do some debugging and code reviewing in the next
> few days...
>
> Christof
Re: jabberd-2.3.0 release
On Tue, 26 Nov 2013 07:40:14 +0100 Christof Meerwald wrote:
> On Mon, 18 Nov 2013 17:18:07 +0100, Tomasz Sterna wrote:
> > Next jabberd2 release is finally available.
> >
> > Get 2.3.0 release at GitHub: https://github.com/jabberd2/jabberd2/releases
>
> I tried upgrading from 2.2.17 to 2.3.0 yesterday, but that left me
> with a broken server. The s2s component now just connects to a remote
> server, switches the stream to TLS, gets the certificate, disconnects
> and immediately connects again.

Same here with 2.2.17 and "TLS Everywhere"
(https://github.com/jabberd2/jabberd2/commit/ad9ead7816e23f48d9b46905bcbe17b7b4b6a910).

jabber.ru / yandex.ru don't work with TLSv1_2
jabber.ru doesn't work with TLSv1_1
TLSv1 works with both jabber.ru and yandex.ru

Have to use TLSv1 here.
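The two questions the thread keeps circling are "which TLS versions does this remote s2s peer actually accept?" (the jabber.ru / yandex.ru observation above) and "what does a version window of 1.2-only versus 1.0-through-1.2 look like?" (Eric's SSLv23_method plus SSL_OP_NO_SSLv3 proposal). The script below is an added example written for this page; it is not jabberd2 code and not any patch from this thread. It performs the XMPP STARTTLS exchange from RFC 6120 against a host you name on the command line, then tries the handshake with each version window and reports what was negotiated or why it failed. Python's ssl module is used in place of the raw OpenSSL calls; `minimum_version`/`maximum_version` play the role of the method choice plus SSL_OP_NO_* options. The host, port 5269, the placeholder `from` domain `probe.example` and the sample XML fragments are all constructed for the example.

```python
"""Probe which TLS versions an XMPP s2s peer negotiates over STARTTLS.

Added example for this thread; not jabberd2 code.  Three version windows
mirror the three configurations under discussion:
  tls12-only  ~ SSL_CTX_new(TLSv1_2_method())          (jabberd 2.3.0)
  tls10-12    ~ SSLv23_method() + SSL_OP_NO_SSLv3      (Eric's proposal)
  tls10-only  ~ TLSv1_client_method()                  (Carlos's client patch)
"""
import socket
import ssl

STARTTLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
S2S_PORT = 5269  # default XMPP server-to-server port (assumed for the probe)

VERSION_WINDOWS = {
    "tls12-only": (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_2),
    "tls10-12":   (ssl.TLSVersion.TLSv1,   ssl.TLSVersion.TLSv1_2),
    "tls10-only": (ssl.TLSVersion.TLSv1,   ssl.TLSVersion.TLSv1),
}

# Constructed server replies, used only for offline checks of the parsers.
SAMPLE_FEATURES = ("<stream:features><starttls xmlns='" + STARTTLS_NS
                   + "'><required/></starttls></stream:features>")
SAMPLE_PROCEED = "<proceed xmlns='" + STARTTLS_NS + "'/>"
SAMPLE_FAILURE = "<failure xmlns='" + STARTTLS_NS + "'/>"


def stream_header(to: str, from_: str) -> bytes:
    """Opening <stream:stream> for an s2s connection (RFC 6120 section 4.7)."""
    return ("<?xml version='1.0'?>"
            "<stream:stream xmlns='jabber:server' "
            "xmlns:stream='http://etherx.jabber.org/streams' "
            f"to='{to}' from='{from_}' version='1.0'>").encode()


def starttls_offered(features_xml: str) -> bool:
    """True if <stream:features> advertises STARTTLS in the TLS namespace."""
    return "<starttls" in features_xml and STARTTLS_NS in features_xml


def starttls_proceeded(reply_xml: str) -> bool:
    """True for <proceed/>; <failure/> (or anything else) means do not wrap."""
    return "<proceed" in reply_xml and STARTTLS_NS in reply_xml


def make_context(min_version, max_version, verify: bool = True) -> ssl.SSLContext:
    """Client context restricted to exactly [min_version, max_version]."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = min_version
    ctx.maximum_version = max_version
    if not verify:  # a probe may want to see the version even when the cert is bad
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe_context(ctx: ssl.SSLContext) -> str:
    """Human-readable window, e.g. 'TLSv1_2..TLSv1_2'."""
    return f"{ctx.minimum_version.name}..{ctx.maximum_version.name}"


def read_until(sock: socket.socket, marker: bytes, limit: int = 65536) -> str:
    """Read until `marker` appears (or the peer closes / `limit` is hit)."""
    buf = b""
    while marker not in buf and len(buf) < limit:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf.decode("utf-8", "replace")


def probe(host: str, port: int, to: str, from_: str, min_version, max_version,
          verify: bool = True, timeout: float = 5.0) -> str:
    """Do XMPP STARTTLS, then return the negotiated version or a failure reason."""
    ctx = make_context(min_version, max_version, verify)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(stream_header(to, from_))
            if not starttls_offered(read_until(sock, b"</stream:features>")):
                return "no-starttls-offered"
            sock.sendall(f"<starttls xmlns='{STARTTLS_NS}'/>".encode())
            if not starttls_proceeded(read_until(sock, b"/>")):
                return "starttls-refused"
            with ctx.wrap_socket(sock, server_hostname=to) as tls:
                return tls.version()  # e.g. 'TLSv1.2'
    except ssl.SSLError as e:
        return f"handshake-failed: {e.reason}"
    except OSError as e:
        return f"connect-failed: {e}"


if __name__ == "__main__":
    import sys
    host, domain = sys.argv[1], sys.argv[2]  # e.g. jabber.ru jabber.ru
    for name, (lo, hi) in VERSION_WINDOWS.items():
        result = probe(host, S2S_PORT, domain, "probe.example", lo, hi, verify=False)
        print(f"{name:11s} {lo.name:8s}..{hi.name:8s} -> {result}")
```

Run it as `python3 probe_starttls.py <host> <xmpp-domain>`; a peer that, like the ones reported above, only answers under `tls10-only` is one that 2.3.0's TLS 1.2-only context will loop against. Two caveats: the result reflects the prober's own OpenSSL as well as the peer's, since modern builds refuse TLS 1.0/1.1 at the default security level regardless of the window you set; and `verify=False` is appropriate only for diagnosis, because a failed certificate check is itself one of the causes Eric lists for the reconnect loop and should be reported, not suppressed, in production.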
Re: jabberd-2.3.0 release
On Mon, 18 Nov 2013 17:18:07 +0100, Tomasz Sterna wrote:
> Next jabberd2 release is finally available.
>
> Get 2.3.0 release at GitHub: https://github.com/jabberd2/jabberd2/releases

I tried upgrading from 2.2.17 to 2.3.0 yesterday, but that left me
with a broken server. The s2s component now just connects to a remote
server, switches the stream to TLS, gets the certificate, disconnects
and immediately connects again.

The log file doesn't give any reason for this connection/disconnection
loop and it's not clear what configuration settings need to be updated
to make it work again (as the NEWS file isn't that helpful).

But as there is no delay between the connects/disconnects (and no
useful error message), this behaviour might be considered a bug
anyway...

Guess I'll have to do some debugging and code reviewing in the next
few days...

Christof

-- 
http://cmeerw.org
sip:cmeerw at cmeerw.org
mailto:cmeerw at cmeerw.org
xmpp:cmeerw at cmeerw.org
jabberd-2.3.0 release
Next jabberd2 release is finally available.

Get 2.3.0 release at GitHub: https://github.com/jabberd2/jabberd2/releases

This release packs many new features and a load of bugfixes.
Also introducing the Semantic Versioning scheme and the TLS Everywhere
recommendation.

Many, many thanks to all contributors. :-)

Changes:
* Renamed non-standard UPGRADE file overwriting outdated NEWS file
* Semantic Versioning: http://semver.org/
* TLS Everywhere: https://github.com/stpeter/manifesto
* Required GSASL >=1.1
* jabberd should compile without warnings
* out-of-source builds should work
* pgsql: authreg password_type support
* pgsql: schema support
* ldapvcard: groupattr works even if no groupattr_regex defined
* ldapfull: checks for ldap group membership on login
* vCard: Assume tel phone is voice phone
* MySQL: default password hashing algorithm changed to SHA512
* out-conn-reuse s2s.xml option naming unified
* XML parse error will log buffer details
* CRAM-MD5 auth support
* router private key cachain and password support
* hashed passwords support in SQLite3 storage

For a full change log see:
https://github.com/jabberd2/jabberd2/commits/jabberd-2.3.0

-- 
Tomasz Sterna @ http://abadcafe.pl/ @ http://www.xiaoka.com/