[Bug 1832933] Re: upgrade to libssl1.1 1.1.1-1ubuntu2.1~18.04.2 breaks ejabbrd
Ubuntu 18.10 (Cosmic Cuttlefish) has reached end of life, so this bug will not be fixed for that specific release.

** Changed in: erlang-p1-tls (Ubuntu Cosmic)
       Status: Fix Committed => Won't Fix

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1832933

Title:
  upgrade to libssl1.1 1.1.1-1ubuntu2.1~18.04.2 breaks ejabbrd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/erlang-p1-tls/+bug/1832933/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1832933] Re: upgrade to libssl1.1 1.1.1-1ubuntu2.1~18.04.2 breaks ejabbrd
The security pocket was also regressed separately but is now fixed. See duplicate bug 1840902.

** Tags added: regression-update
[Bug 1832933] Re: upgrade to libssl1.1 1.1.1-1ubuntu2.1~18.04.2 breaks ejabbrd
Hello sles, or anyone else affected,

Accepted erlang-p1-tls into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/erlang-p1-tls/1.0.23-2ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-cosmic to verification-done-cosmic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-cosmic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

** Changed in: erlang-p1-tls (Ubuntu Cosmic)
       Status: New => Fix Committed

** Tags added: verification-needed-cosmic
[Bug 1832933] Re: upgrade to libssl1.1 1.1.1-1ubuntu2.1~18.04.2 breaks ejabbrd
This bug was fixed in the package erlang-p1-tls - 1.0.20-1ubuntu0.1

---
erlang-p1-tls (1.0.20-1ubuntu0.1) bionic; urgency=medium

  * Cherrypick upstream patches for openssl1.1 support:
    - fix client cert authentication
    - update test certificates
    - add support for 'no_tlsv1_3' option
    - testsuite fixes
    - do not attempt unsupported renegotiation LP: #1832933

 -- Dimitri John Ledkov  Sun, 16 Jun 2019 01:48:12 +0100

** Changed in: erlang-p1-tls (Ubuntu Bionic)
       Status: Fix Committed => Fix Released
[Bug 1832933] Re: upgrade to libssl1.1 1.1.1-1ubuntu2.1~18.04.2 breaks ejabbrd
Cosmic is in unapproved now. And I hope we can release bionic into -updates ahead of cosmic fix landing.
[Bug 1832933] Re: upgrade to libssl1.1 1.1.1-1ubuntu2.1~18.04.2 breaks ejabbrd
@sil2100 yes

** Also affects: erlang-p1-tls (Ubuntu Cosmic)
   Importance: Undecided
       Status: New
[Bug 1832933] Re: upgrade to libssl1.1 1.1.1-1ubuntu2.1~18.04.2 breaks ejabbrd
Hello! Currently I run 1.0.20-1ubuntu0.1 and it works. Thank you!

** Tags removed: verification-needed-bionic
** Tags added: verification-done-bionic
[Bug 1832933] Re: upgrade to libssl1.1 1.1.1-1ubuntu2.1~18.04.2 breaks ejabbrd
Hello sles, or anyone else affected,

Accepted erlang-p1-tls into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/erlang-p1-tls/1.0.20-1ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

** Changed in: erlang-p1-tls (Ubuntu Bionic)
       Status: Confirmed => Fix Committed

** Tags added: verification-needed verification-needed-bionic
[Bug 1832933] Re: upgrade to libssl1.1 1.1.1-1ubuntu2.1~18.04.2 breaks ejabbrd
From what I see one or more commits that are cherry-picked to fix this issue are only available from version 1.0.26. Seeing that cosmic also has openssl 1.1.1 and an older erlang-p1-tls 1.0.23, do you think it makes sense to also get that fixed there as well?

I know cosmic will be going EOL soonish, which is why I am not making this a forced requirement, but was just wondering if it would be a lot of work and (most importantly) if we have anyone that could test it then.
[Bug 1832933] Re: upgrade to libssl1.1 1.1.1-1ubuntu2.1~18.04.2 breaks ejabbrd
** Description changed: + [Impact] + + * Clients cannot connect to ejabberd server, due to incompatibility + with openssl 1.1.1. Specifically, client renegotiation is marked as not- + supported in openssl, yet it is attempted by ejabberd. + + [Test Case] + + * Stand-up ejabberd server and connect to it, from bionic and prior + releases. Connection should not fail. + + [Fixes] + == erlang-p1-tls == + + Looking at all upstream patches since 1.0.20 (current bionic) these are + the useful ones: + + 0002-Specify-accepted-Client-CAs-during-handshake.patch + - quite small fixes Client CA negotiation + + 0013-Update-cert-used-by-test-to-use-sha256-signature.patch + - updates test cert to a stronger one + + 0014-Add-no_tlsv1_3-option-parsing-from-openssl1.1.patch + - tiny, andd "no_tlsv1_3" option + + 0016-Improve-tests-to-make-them-work-with-openssl1.1.patch + - testsuite fixes + + 0022-Use-SSL_OP_NO_RENEGOTIATION-when-available.patch + - needed to fix this bug, do not attempt renegotiation as that is no longer supported. Just ifdefs. + + There are also patches that add new apis, to rebuild cert caches, and + query negotiated protocols, but meh. + + [Regression Potential] + + * All fixes are very small cherrypick patches against the tls glue code + library used by ejabberd which have been used in production builds as + advertised on ejabberd for a long time. They use ifdefs to comment out + client renegotiation, and update testsuite. Given the opportunity, + cherrypicking a patch to fix client cert authentication too. + + [Other Info] + + * Original bug report: + + Hello! After upgrade to libssl1.1 1.1.1-1ubuntu2.1~18.04.2 openssl 1.1.1-1ubuntu2.1~18.04.2 on Ubuntu 18.04 server clients can't connect to ejabberd server: 2019-06-15 15:56:26.431 [warning] <0.858.0>@ejabberd_c2s:process_terminated:290 (tls|<0.858.0>) Failed to secure c2s connection: TLS failed: client renegotiations forbidden ejabberd version is18.01-2 which is from Ubuntu 18.04. 
As far as I know ejabberd can work with openssl 1.1.1 only from 18.09 https://blog.process-one.net/ejabberd-18-09/ OpenSSL 1.1.1 support Either ejabberd in 18.04 should be updated or openssl should not be upgraded to 1.1.1 on 18.04 . Thank you! - - - == erlang-p1-tls == - - Looking at all upstream patches since 1.0.20 (current bionic) these are - the useful ones: - - 0002-Specify-accepted-Client-CAs-during-handshake.patch - - quite small fixes Client CA negotiation - - 0013-Update-cert-used-by-test-to-use-sha256-signature.patch - - updates test cert to a stronger one - - 0014-Add-no_tlsv1_3-option-parsing-from-openssl1.1.patch - - tiny, andd "no_tlsv1_3" option - - 0016-Improve-tests-to-make-them-work-with-openssl1.1.patch - - testsuite fixes - - 0022-Use-SSL_OP_NO_RENEGOTIATION-when-available.patch - - needed to fix this bug, do not attempt renegotiation as that is no longer supported. Just ifdefs. - - - There are also patches that add new apis, to rebuild cert caches, and query negotiated protocols, but meh.
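A log check for the failure signature quoted in the report above, correlated with the time libssl1.1 was upgraded according to dpkg.log. This is an added example, not part of the bug thread or of any Ubuntu or ejabberd tooling; the sample logs are constructed except for the 15:56:26 line from the report, and both logs are assumed to use the same local clock.

```python
import re
from datetime import datetime

# ejabberd log layout, taken from the line quoted in the bug report.
EJABBERD_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) \[(?P<level>\w+)\] "
    r"(?P<pid><[\d.]+>)@(?P<where>\S+) (?P<msg>.*)$")
# dpkg.log upgrade entry: "<date> <time> upgrade <pkg>[:<arch>] <old> <new>"
DPKG_UPGRADE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) upgrade "
    r"(?P<pkg>[^:\s]+)(?::\S+)? (?P<old>\S+) (?P<new>\S+)$")
SIGNATURE = "TLS failed: client renegotiations forbidden"

# Constructed samples: only the 15:56:26 line is from the report; the other
# ejabberd lines and the dpkg.log entries (including the old version) are made up.
EJABBERD_LOG = """\
2019-06-15 06:10:02.118 [info] <0.1.0>@constructed_module:constructed_fun:1 constructed info line
2019-06-15 15:56:26.431 [warning] <0.858.0>@ejabberd_c2s:process_terminated:290 (tls|<0.858.0>) Failed to secure c2s connection: TLS failed: client renegotiations forbidden
2019-06-15 15:57:03.007 [warning] <0.861.0>@ejabberd_c2s:process_terminated:290 (tls|<0.861.0>) Failed to secure c2s connection: TLS failed: client renegotiations forbidden
"""
DPKG_LOG = """\
2019-06-15 06:31:44 upgrade libssl1.1:amd64 0.0.0-constructed 1.1.1-1ubuntu2.1~18.04.2
2019-06-15 06:31:45 status installed libssl1.1:amd64 1.1.1-1ubuntu2.1~18.04.2
"""

def renegotiation_failures(log_text):
    """Timestamps of c2s handshakes rejected with the signature above."""
    hits = []
    for line in log_text.splitlines():
        m = EJABBERD_LINE.match(line.strip())
        if m and SIGNATURE in m["msg"]:
            hits.append(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"))
    return hits

def last_upgrade(dpkg_text, package):
    """(time, new_version) of the most recent upgrade of `package`, or None."""
    found = None
    for line in dpkg_text.splitlines():
        m = DPKG_UPGRADE.match(line.strip())
        if m and m["pkg"] == package:
            found = (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["new"])
    return found

def correlate(log_text, dpkg_text, package="libssl1.1"):
    """Split the failures into those before and after the package upgrade."""
    failures = renegotiation_failures(log_text)
    upgrade = last_upgrade(dpkg_text, package)
    if upgrade is None:
        return {"upgrade": None, "before": len(failures), "after": 0, "regression": False}
    when, version = upgrade
    after = [t for t in failures if t >= when]
    return {"upgrade": when, "new_version": version,
            "before": len(failures) - len(after), "after": len(after),
            "first_after": min(after) if after else None,
            # Failures seen only once the new library is installed point at the upgrade.
            "regression": bool(after) and len(after) == len(failures)}

if __name__ == "__main__":
    print(correlate(EJABBERD_LOG, DPKG_LOG))
```

On a real host the two inputs would be the ejabberd log and /var/log/dpkg.log; the first failure can lag the upgrade because the new library is only picked up when ejabberd restarts.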
[Bug 1832933] Re: upgrade to libssl1.1 1.1.1-1ubuntu2.1~18.04.2 breaks ejabbrd
There are no complaints from users, so I assume erlang-p1-tls_1.0.20-1ubuntu0.1_amd64.deb fixed the problem. Thank you!
[Bug 1832933] Re: upgrade to libssl1.1 1.1.1-1ubuntu2.1~18.04.2 breaks ejabbrd
Hello! Installed erlang-p1-tls_1.0.20-1ubuntu0.1_amd64.deb from the ppa you mentioned. Now I can connect my psi to my ejabberd. Thank you!

It's early morning here, I need to wait until most users try to use ejabberd. I'll report in the next several hours.
[Bug 1832933] Re: upgrade to libssl1.1 1.1.1-1ubuntu2.1~18.04.2 breaks ejabbrd
Could you please try:

  sudo add-apt-repository ppa:ci-train-ppa-service/3743
  sudo apt update
  sudo apt full-upgrade

And let me know if that fixes everything? It's a PPA with an updated erlang-p1-tls package that should hopefully fix everything. More details at https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3743
[Bug 1832933] Re: upgrade to libssl1.1 1.1.1-1ubuntu2.1~18.04.2 breaks ejabbrd
** Description changed: Hello! After upgrade to libssl1.1 1.1.1-1ubuntu2.1~18.04.2 openssl 1.1.1-1ubuntu2.1~18.04.2 on Ubuntu 18.04 server clients can't connect to ejabberd server: 2019-06-15 15:56:26.431 [warning] <0.858.0>@ejabberd_c2s:process_terminated:290 (tls|<0.858.0>) Failed to secure c2s connection: TLS failed: client renegotiations forbidden - ejabberd version is18.01-2 which is from Ubuntu 18.04. - As far as I know ejabberd can work with openssl 1.1.1 only from 18.09 + As far as I know ejabberd can work with openssl 1.1.1 only from 18.09 https://blog.process-one.net/ejabberd-18-09/ OpenSSL 1.1.1 support Either ejabberd in 18.04 should be updated or openssl should not be upgraded to 1.1.1 on 18.04 . Thank you! + + + == erlang-p1-tls == + + Looking at all upstream patches since 1.0.20 (current bionic) these are + the useful ones: + + 0002-Specify-accepted-Client-CAs-during-handshake.patch + - quite small fixes Client CA negotiation + + 0013-Update-cert-used-by-test-to-use-sha256-signature.patch + - updates test cert to a stronger one + + 0014-Add-no_tlsv1_3-option-parsing-from-openssl1.1.patch + - tiny, andd "no_tlsv1_3" option + + 0016-Improve-tests-to-make-them-work-with-openssl1.1.patch + - testsuite fixes + + 0022-Use-SSL_OP_NO_RENEGOTIATION-when-available.patch + - needed to fix this bug, do not attempt renegotiation as that is no longer supported. Just ifdefs. + + + There are also patches that add new apis, to rebuild cert caches, and query negotiated protocols, but meh. 
** Also affects: openssl (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: ejabberd (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: erlang-p1-tls (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Changed in: erlang-p1-tls (Ubuntu)
       Status: Confirmed => Fix Released

** No longer affects: openssl (Ubuntu Bionic)

** No longer affects: openssl (Ubuntu)

** No longer affects: ejabberd (Ubuntu Bionic)

** No longer affects: ejabberd (Ubuntu)

** Changed in: erlang-p1-tls (Ubuntu Bionic)
       Status: New => Confirmed
[Bug 1832933] Re: upgrade to libssl1.1 1.1.1-1ubuntu2.1~18.04.2 breaks ejabbrd
** Also affects: erlang-p1-tls (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: erlang-p1-tls (Ubuntu)
       Status: New => Confirmed
[Bug 1832933] Re: upgrade to libssl1.1 1.1.1-1ubuntu2.1~18.04.2 breaks ejabbrd
I wonder if https://github.com/processone/fast_tls/commit/9b25543cf1200e3b216996598771962461ea51c8 is enough to fix connectivity.

Things to test:
- ejabberd server works and accepts various clients
- ejabberd client works and connects to various servers
[Bug 1832933] Re: upgrade to libssl1.1 1.1.1-1ubuntu2.1~18.04.2 breaks ejabbrd
** Also affects: ejabberd (Ubuntu)
   Importance: Undecided
       Status: New