[Bug 1832933] Re: upgrade to libssl1.1 1.1.1-1ubuntu2.1~18.04.2 breaks ejabbrd

Dimitri John Ledkov launchpad at surgut.co.uk
Sun Jun 16 00:43:49 UTC 2019 

** Also affects: erlang-p1-tls (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: erlang-p1-tls (Ubuntu)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1832933

Title:
  upgrade to libssl1.1 1.1.1-1ubuntu2.1~18.04.2 breaks ejabbrd

Status in ejabberd package in Ubuntu:
  New
Status in erlang-p1-tls package in Ubuntu:
  Confirmed
Status in openssl package in Ubuntu:
  New

Bug description:
  Hello!

  After upgrade to

  libssl1.1 1.1.1-1ubuntu2.1~18.04.2
  openssl 1.1.1-1ubuntu2.1~18.04.2

  on Ubuntu 18.04 server clients can't connect to ejabberd server:

  2019-06-15 15:56:26.431 [warning]
  <0.858.0>@ejabberd_c2s:process_terminated:290 (tls|<0.858.0>) Failed
  to secure c2s connection: TLS failed: client renegotiations forbidden

  ejabberd       version is                                18.01-2

  which is from Ubuntu 18.04.

  As far as I know ejabberd can work with openssl 1.1.1 only from 18.09
  https://blog.process-one.net/ejabberd-18-09/

  OpenSSL 1.1.1 support

  Either ejabberd in 18.04 should be updated or openssl should not be
  upgraded to 1.1.1 on 18.04 .

  Thank you!

  
  == erlang-p1-tls ==

  Looking at all upstream patches since 1.0.20 (current bionic) these
  are the useful ones:

  0002-Specify-accepted-Client-CAs-during-handshake.patch
  - quite small fixes Client CA negotiation

  0013-Update-cert-used-by-test-to-use-sha256-signature.patch
  - updates test cert to a stronger one

  0014-Add-no_tlsv1_3-option-parsing-from-openssl1.1.patch
  - tiny, andd "no_tlsv1_3" option

  0016-Improve-tests-to-make-them-work-with-openssl1.1.patch
  - testsuite fixes

  0022-Use-SSL_OP_NO_RENEGOTIATION-when-available.patch
  - needed to fix this bug, do not attempt renegotiation as that is no longer supported. Just ifdefs.

  
  There are also patches that add new apis, to rebuild cert caches, and query negotiated protocols, but meh.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ejabberd/+bug/1832933/+subscriptions

More information about the foundations-bugs mailing list