** Description changed:

+ [Impact]
+ 
+  * Clients cannot connect to ejabberd server, due to incompatibility
+ with openssl 1.1.1. Specifically, client renegotiation is marked as not-
+ supported in openssl, yet it is attempted by ejabberd.
+ 
+ [Test Case]
+ 
+  * Stand up an ejabberd server and connect to it from bionic and prior
+ releases. The connection should not fail.
+ 
+ [Fixes]
+ == erlang-p1-tls ==
+ 
+ Looking at all upstream patches since 1.0.20 (current bionic) these are
+ the useful ones:
+ 
+ 0002-Specify-accepted-Client-CAs-during-handshake.patch
+ - quite small fixes Client CA negotiation
+ 
+ 0013-Update-cert-used-by-test-to-use-sha256-signature.patch
+ - updates test cert to a stronger one
+ 
+ 0014-Add-no_tlsv1_3-option-parsing-from-openssl1.1.patch
+ - tiny, adds "no_tlsv1_3" option
+ 
+ 0016-Improve-tests-to-make-them-work-with-openssl1.1.patch
+ - testsuite fixes
+ 
+ 0022-Use-SSL_OP_NO_RENEGOTIATION-when-available.patch
+ - needed to fix this bug, do not attempt renegotiation as that is no longer supported. Just ifdefs.
+ 
+ There are also patches that add new apis, to rebuild cert caches, and
+ query negotiated protocols, but meh.
+ 
+ [Regression Potential]
+ 
+  * All fixes are very small cherrypick patches against the tls glue code
+ library used by ejabberd which have been used in production builds as
+ advertised on ejabberd for a long time. They use ifdefs to comment out
+ client renegotiation, and update testsuite. Given the opportunity,
+ cherrypicking a patch to fix client cert authentication too.
+ 
+ [Other Info]
+  
+  * Original bug report:
+ 
+ 
  Hello!
  
  After upgrade to
  
  libssl1.1 1.1.1-1ubuntu2.1~18.04.2
  openssl 1.1.1-1ubuntu2.1~18.04.2
  
  on Ubuntu 18.04 server clients can't connect to ejabberd server:
  
  2019-06-15 15:56:26.431 [warning]
  <0.858.0>@ejabberd_c2s:process_terminated:290 (tls|<0.858.0>) Failed to
  secure c2s connection: TLS failed: client renegotiations forbidden
  
  ejabberd version is 18.01-2
  
  which is from Ubuntu 18.04.
  
  As far as I know ejabberd can work with openssl 1.1.1 only from 18.09
  https://blog.process-one.net/ejabberd-18-09/
  
  OpenSSL 1.1.1 support
  
  Either ejabberd in 18.04 should be updated or openssl should not be
  upgraded to 1.1.1 on 18.04 .
  
  Thank you!
- 
- 
- == erlang-p1-tls ==
- 
- Looking at all upstream patches since 1.0.20 (current bionic) these are
- the useful ones:
- 
- 0002-Specify-accepted-Client-CAs-during-handshake.patch
- - quite small fixes Client CA negotiation
- 
- 0013-Update-cert-used-by-test-to-use-sha256-signature.patch
- - updates test cert to a stronger one
- 
- 0014-Add-no_tlsv1_3-option-parsing-from-openssl1.1.patch
- - tiny, adds "no_tlsv1_3" option
- 
- 0016-Improve-tests-to-make-them-work-with-openssl1.1.patch
- - testsuite fixes
- 
- 0022-Use-SSL_OP_NO_RENEGOTIATION-when-available.patch
- - needed to fix this bug, do not attempt renegotiation as that is no longer supported. Just ifdefs.
- 
- 
- There are also patches that add new apis, to rebuild cert caches, and query negotiated protocols, but meh.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1832933

Title:
  upgrade to libssl1.1 1.1.1-1ubuntu2.1~18.04.2 breaks ejabbrd


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
