Closed luizluca closed 2 years ago
This looks like the TLS connection is failing early in the handshake before certificate verification.
Presumably along with the ejabberd upgrade you are upgrading to a newer Erlang/OTP version?
I suspect there is no overlap of accepted TLS versions and ciphers between your LDAP server and the Erlang/OTP ejabberd client. Can you run a test against your LDAP server to see which ciphers the server is offering? (replace ldap.mydomain.com with the correct hostname or IP address of the LDAP server).
$ nmap --script ssl-enum-ciphers ldap.mydomain.com -p 636
> This looks like the TLS connection is failing early in the handshake before certificate verification.
> Presumably along with the ejabberd upgrade you are upgrading to a newer Erlang/OTP version?
The Official RPM package bundles everything. I didn't install any erlang package but ejabberd. Does it still use the system SSL libraries?
> I suspect there is no overlap of accepted TLS versions and ciphers between your LDAP server and the Erlang/OTP ejabberd client. Can you run a test against your LDAP server to see which ciphers the server is offering? (replace ldap.mydomain.com with the correct hostname or IP address of the LDAP server).
> $ nmap --script ssl-enum-ciphers ldap.mydomain.com -p 636
It is a standard AD system. We did not change SSL settings:
PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       Broken cipher RC4 is deprecated by RFC 7465
|       CBC-mode cipher in SSLv3 (CVE-2014-3566)
|       Ciphersuite uses MD5 for message integrity
|       Forward Secrecy not supported by any cipher
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       Broken cipher RC4 is deprecated by RFC 7465
|       Ciphersuite uses MD5 for message integrity
|       Key exchange (dh 1024) of lower strength than certificate key
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       Broken cipher RC4 is deprecated by RFC 7465
|       Ciphersuite uses MD5 for message integrity
|       Key exchange (dh 1024) of lower strength than certificate key
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       Broken cipher RC4 is deprecated by RFC 7465
|       Ciphersuite uses MD5 for message integrity
|       Key exchange (dh 1024) of lower strength than certificate key
|_  least strength: C
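The maintainer's hypothesis above is that the LDAP server and the Erlang/OTP client share no TLS version or cipher suite. The script below is an added example, not code from the issue or from ejabberd: it parses ssl-enum-ciphers output in the layout shown, intersects it with a client's offered versions and suites, and flags the suites nmap graded below B. The scan text is an abbreviated, hand-transcribed copy of the output above; the client offer is a constructed subset of the suites the OTP 24 ClientHello lists later in the thread.

```python
"""Overlap check between an nmap ssl-enum-ciphers scan and a TLS client's offer.

Added example (not ejabberd or issue code).  Sample inputs are constructed:
NMAP_OUTPUT abbreviates the scan posted in the issue, CLIENT_OFFER is a subset
of the suites the OTP 24 client advertised in its ClientHello.
"""
import re

NMAP_OUTPUT = """\
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
|     cipher preference: server
|_  least strength: C
"""

# Constructed client offer: versions and suites taken from the OTP 24 ClientHello.
CLIENT_VERSIONS = {"TLSv1.3", "TLSv1.2"}
CLIENT_OFFER = {
    "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
}

# A protocol header line, e.g. "|   TLSv1.2:", and a suite line with key info and grade.
PROTO_RE = re.compile(r"^\|\s+(SSLv3|TLSv1\.[0-3]):\s*$")
SUITE_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s+\(([^)]*)\)\s+-\s+([A-F])\s*$")


def parse_nmap(text):
    """Return {protocol: [(suite, key_info, grade), ...]} in the server's listed order."""
    result, current = {}, None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = []
            continue
        m = SUITE_RE.match(line)
        if m and current is not None:
            result[current].append((m.group(1), m.group(2), m.group(3)))
    return result


def overlap(server, client_offer, client_versions):
    """Protocol versions both sides accept, each with the suites in common.

    Lists keep the server's order, which is the order that matters when the
    scan reports "cipher preference: server".
    """
    common = {}
    for proto, suites in server.items():
        if proto in client_versions:
            common[proto] = [s for s, _, _ in suites if s in client_offer]
    return common


def weak_suites(server):
    """Suites nmap graded C or worse, with the protocol version offering them."""
    return [(proto, s, g)
            for proto, suites in server.items()
            for s, _, g in suites if g not in ("A", "B")]


if __name__ == "__main__":
    parsed = parse_nmap(NMAP_OUTPUT)
    for proto, suites in overlap(parsed, CLIENT_OFFER, CLIENT_VERSIONS).items():
        print(proto, "common suites:", suites or "NONE")
    for proto, suite, grade in weak_suites(parsed):
        print("weak:", proto, suite, "grade", grade)
```

Run against the real scan, the TLSv1.2 intersection is non-empty and its first entry in server order is TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, which is exactly the suite the ServerHello later in the thread selects; a non-empty overlap means the cipher-mismatch hypothesis can be ruled out and the failure has to be looked for after ServerHello. SSLv3 drops out because the client never offers it.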
> The Official RPM package bundles everything. I didn't install any erlang package but ejabberd. Does it still use the system SSL libraries?
I must confess to not knowing exactly what is included in the official ejabberd RPMs (I have now checked and they are actually statically linked to a private copy of OpenSSL), but my point was that you are using a newer Erlang/OTP than you were with 14.07, so it might be newer, more stringent TLS/SSL requirements that are no longer compatible with your LDAP server, even if you made no changes there.
BTW, this log message is just a warning to indicate that the certificate will not be verified, it is NOT the cause of connection failure:
set 08 22:14:52 ejabberdctl[6837]: 2022-09-08 22:14:51.861837-03:00 [warning] Description: "Authenticity is not established by certificate path validation"
set 08 22:14:52 ejabberdctl[6837]: Reason: "Option {verify, verify_peer} and cacertfile/cacerts is missing"
It could definitely be phrased better but it is coming from Erlang/OTP. I think that log was introduced in OTP 25 (erts-13), but the official RPMs use OTP 24, so that's another puzzle. Exactly which RPM did you install?
Could you open ejabberd debug console: ejabberdctl debug
and execute this: ssl:connect("ldap.mydomain.com", 636, [{log_level, debug}]).
and share the output? You can close console with double ctrl-c.
The output from openssl s_client -connect ldap.mydomain.com:636
might also be informative, as would a debug log from ejabberd startup to failure point.
> > The Official RPM package bundles everything. I didn't install any erlang package but ejabberd. Does it still use the system SSL libraries?
> I must confess to not knowing exactly what is included in the official ejabberd RPMs (I have now checked and they are actually statically linked to a private copy of OpenSSL), but my point was that you are using a newer Erlang/OTP than you were with 14.07, so it might be newer, more stringent TLS/SSL requirements that are no longer compatible with your LDAP server, even if you made no changes there.
> BTW, this log message is just a warning to indicate that the certificate will not be verified, it is NOT the cause of connection failure:
> set 08 22:14:52 ejabberdctl[6837]: 2022-09-08 22:14:51.861837-03:00 [warning] Description: "Authenticity is not established by certificate path validation"
> set 08 22:14:52 ejabberdctl[6837]: Reason: "Option {verify, verify_peer} and cacertfile/cacerts is missing"
> It could definitely be phrased better but it is coming from Erlang/OTP. I think that log was introduced in OTP 25 (erts-13), but the official RPMs use OTP 24, so that's another puzzle. Exactly which RPM did you install?
This one: https://repo.process-one.net/rpm/ejabberd-22.05.78-1.x86_64.rpm
And yes, it is "Erlang/OTP 24 [erts-12.3.2] [source] [64-bit] [smp:2:2] [ds:2:2:10] [async-threads:1] [jit]"
> Could you open ejabberd debug console:
> ejabberdctl debug
> and execute this: ssl:connect("ldap.mydomain.com", 636, [{log_level, debug}]).
> and share the output? You can close console with double ctrl-c.
It does not give anything new:
=WARNING REPORT==== 12-Sep-2022::14:58:42.413276 ===
Description: "Authenticity is not established by certificate path validation"
Reason: "Option {verify, verify_peer} and cacertfile/cacerts is missing"
{error,{tls_alert,{handshake_failure,"TLS client: In state hello at ssl_handshake.erl:892 generated CLIENT ALERT: Fatal - Handshake Failure\n {unknown_or_malformed_handshake,13}"}}}
I also tried some variants:
(ejabberd@localhost)1> ssl:connect("ldap.mydomain.com", 636, [{log_level, debug},{verify,verify_peer},{cacertfile,["/etc/ssl/certs/MyCA.pem"]}]).
{error,{tls_alert,{handshake_failure,"TLS client: In state hello at ssl_handshake.erl:892 generated CLIENT ALERT: Fatal - Handshake Failure\n {unknown_or_malformed_handshake,13}"}}}
(ejabberd@localhost)1> ssl:connect("ldap.mydomain.com", 636, [{log_level, debug},{verify,verify_peer},{cacertfile,["/etc/ssl/certs/NotMyCA.pem"]}]).
{error,{tls_alert,{handshake_failure,"TLS client: In state hello at ssl_handshake.erl:892 generated CLIENT ALERT: Fatal - Handshake Failure\n {unknown_or_malformed_handshake,13}"}}}
(ejabberd@localhost)2> ssl:connect("ldap.mydomain.com", 636, [{log_level, debug},{verify,verify_none}]).
{error,{tls_alert,{handshake_failure,"TLS client: In state hello at ssl_handshake.erl:892 generated CLIENT ALERT: Fatal - Handshake Failure\n {unknown_or_malformed_handshake,13}"}}}
It looks like it sends the debug output somewhere else.
> The output from
> openssl s_client -connect ldap.mydomain.com:636
> might also be informative, as would a debug log from ejabberd startup to failure point.
CONNECTED(00000003)
depth=2 C = BR, ST = Santa Catarina, L = Florianopolis, O = MYCA, emailAddress = root@mydomain.com
verify return:1
depth=1 DC = COM, DC = mydomain, CN = SUBCA
verify return:1
depth=0 DC = COM, DC = mydomain, CN = DC01
verify return:1
---
Certificate chain
0 s:DC = COM, DC = mydomain, CN = DC01
i:DC = COM, DC = mydomain, CN = SUBCA
1 s:DC = COM, DC = mydomain, CN = SUBCA
i:C = BR, ST = Santa Catarina, L = Florianopolis, O = MYCA, emailAddress = root@mydomain.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFJDCCBAygAwIBAgITHwAACVWvr8UXqiD1DAACAAAJVTANBgkqhkiG9w0BAQsF
...
DPyJjqVFL0vfvem2xXdSf3Woc5fAge7B
-----END CERTIFICATE-----
subject=DC = COM, DC = mydomain, CN = DC01
issuer=DC = COM, DC = mydomain, CN = SUBCA
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1
Peer signing digest: SHA1
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3740 bytes and written 508 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-SHA256
Session-ID: 9C3A0000C469BBAC62DB32218BDD1AF4B925F70C632A0114DAC461F40E7E6779
Session-ID-ctx:
Master-Key: E03AA9E9F1BEE5F905F20C6ACDAE73F58A2B6C956F99B592AF464F84FC2FE9928FF7338CA20C9FEDAE46092FBB8552CA
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1663005662
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
---
My distribution (SLES) does provide an erlang runtime package (Erlang/OTP 22 [erts-10.7] [source] [64-bit] [smp:2:2] [ds:2:2:10] [async-threads:1] [hipe]). With that, it seems to work. I also tried with OpenSUSE Tumbleweed (Erlang/OTP 25 [erts-13.0.3] [source] [64-bit] [smp:8:8] [ds:8:8:10] [async-threads:1] [jit:ns]), also with good results:
Erlang/OTP 25 [erts-13.0.3] [source] [64-bit] [smp:8:8] [ds:8:8:10] [async-threads:1] [jit:ns]
Eshell V13.0.3 (abort with ^G)
1> application:ensure_all_started(ssl).
{ok,[crypto,asn1,public_key,ssl]}
2> ssl:connect("ldap.mydomain.com", 636, [{verify, verify_none}]).
{ok,{sslsocket,{gen_tcp,#Port<0.5>,tls_connection,undefined},
[<0.115.0>,<0.114.0>]}}
Erlang/OTP 22 [erts-10.7] [source] [64-bit] [smp:2:2] [ds:2:2:10] [async-threads:1] [hipe]
Eshell V10.7 (abort with ^G)
1> application:ensure_all_started(ssl).
{ok,[crypto,asn1,public_key,ssl]}
2> ssl:connect("ldap.mydomain.com", 636, [{verify, verify_none}]).
{ok,{sslsocket,{gen_tcp,#Port<0.6>,tls_connection,undefined},
[<0.109.0>,<0.108.0>]}}
I also edited a copy of ejabberdctl to run the bundled erl:
=ERROR REPORT==== 12-Sep-2022::15:46:32.498695 ===
inet_config: file /inetrc not found
Erlang/OTP 24 [erts-12.3.2] [source] [64-bit] [smp:2:2] [ds:2:2:10] [async-threads:1] [jit]
=ERROR REPORT==== 12-Sep-2022::15:46:32.498695 ===
inet_config: file /inetrc not found
Eshell V12.3.2 (abort with ^G)
1> application:ensure_all_started(ssl).
{ok,[crypto,asn1,public_key,ssl]}
2> ssl:connect("ldap.mydomain.com", 636, [{verify, verify_none}]).
=NOTICE REPORT==== 12-Sep-2022::15:46:41.825983 ===
TLS client: In state hello at ssl_handshake.erl:892 generated CLIENT ALERT: Fatal - Handshake Failure
- {unknown_or_malformed_handshake,13}
{error,{tls_alert,{handshake_failure,"TLS client: In state hello at ssl_handshake.erl:892 generated CLIENT ALERT: Fatal - Handshake Failure\n {unknown_or_malformed_handshake,13}"}}}
And then, the error is back. It is either a regression introduced between 22 and 25 or a packaging issue (or maybe something SUSE erlang packaging fixed).
https://build.opensuse.org/package/view_file/openSUSE:Factory/erlang/erlang.spec?expand=1 lines 254 and 269 show that it will try to use dynamic libssl. It also has a Makefile patch: https://build.opensuse.org/package/view_file/openSUSE:Factory/erlang/otp-R16B-rpath.patch?expand=1
Is using Erlang/OTP 22 enough for ejabberd? If so, how can I ask ejabberd to use system erlang runtime instead of RPM one?
> Could you open ejabberd debug console:
> ejabberdctl debug
> and execute this: ssl:connect("ldap.mydomain.com", 636, [{log_level, debug}]).
> and share the output? You can close console with double ctrl-c.
Using my modified ejabberdctl, I could get the debug output:
=ERROR REPORT==== 12-Sep-2022::16:08:37.852929 ===
inet_config: file /inetrc not found
Erlang/OTP 24 [erts-12.3.2] [source] [64-bit] [smp:2:2] [ds:2:2:10] [async-threads:1] [jit]
=ERROR REPORT==== 12-Sep-2022::16:08:37.852929 ===
inet_config: file /inetrc not found
Eshell V12.3.2 (abort with ^G)
1> application:ensure_all_started(ssl).
{ok,[crypto,asn1,public_key,ssl]}
2> ssl:connect("ldap.mydomain.com", 636, [{log_level, all}]).
=WARNING REPORT==== 12-Sep-2022::16:08:50.141645 ===
Description: "Authenticity is not established by certificate path validation"
Reason: "Option {verify, verify_peer} and cacertfile/cacerts is missing"
>>> TLS 1.3 Handshake, ClientHello
[{client_version,{3,3}},
{random,
<<130,116,62,240,84,211,202,245,194,162,186,22,195,209,92,157,196,40,46,
147,142,208,136,255,12,223,67,23,112,199,139,191>>},
{session_id,<<>>},
{cookie,undefined},
{cipher_suites,
["TLS_EMPTY_RENEGOTIATION_INFO_SCSV","TLS_AES_256_GCM_SHA384",
"TLS_AES_128_GCM_SHA256","TLS_CHACHA20_POLY1305_SHA256",
"TLS_AES_128_CCM_SHA256","TLS_AES_128_CCM_8_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CCM","TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CCM","TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8",
"TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
"TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
"TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
"TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_ECDH_RSA_WITH_AES_128_CBC_SHA","TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_DHE_DSS_WITH_AES_256_CBC_SHA","TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_DHE_DSS_WITH_AES_128_CBC_SHA"]},
{compression_methods,[0]},
{extensions,
#{alpn => undefined,
client_hello_versions => {client_hello_versions,[{3,4},{3,3}]},
ec_point_formats => {ec_point_formats,[0]},
elliptic_curves => {supported_groups,[x25519,x448,secp256r1,secp384r1]},
key_share =>
{key_share_client_hello,
[{key_share_entry,x25519,
<<15,111,156,182,49,124,236,187,152,247,31,2,198,173,
241,89,106,217,146,176,5,56,56,135,217,69,184,248,6,
79,198,113>>}]},
max_frag_enum => undefined,next_protocol_negotiation => undefined,
renegotiation_info => {renegotiation_info,undefined},
signature_algs =>
{signature_algorithms,
[ecdsa_secp521r1_sha512,ecdsa_secp384r1_sha384,
ecdsa_secp256r1_sha256,rsa_pss_pss_sha512,rsa_pss_pss_sha384,
rsa_pss_pss_sha256,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,
rsa_pss_rsae_sha256,eddsa_ed25519,eddsa_ed448,
{sha512,ecdsa},
{sha512,rsa},
{sha384,ecdsa},
{sha384,rsa},
{sha256,ecdsa},
{sha256,rsa},
{sha224,ecdsa},
{sha224,rsa},
{sha,ecdsa},
{sha,rsa},
{sha,dsa}]},
signature_algs_cert => undefined,
sni => {sni,"ldap.mydomain.com"},
srp => undefined}}]
writing (298 bytes) TLS 1.2 Record Protocol, handshake
0000 - 16 03 03 01 25 01 00 01 21 03 03 82 74 3e f0 54 ....%...!...t>.T
0010 - d3 ca f5 c2 a2 ba 16 c3 d1 5c 9d c4 28 2e 93 8e .........\..(...
0020 - d0 88 ff 0c df 43 17 70 c7 8b bf 00 00 62 00 ff .....C.p.....b..
....
0e20 - 01 02 40 00 12 06 01 06 03 04 01 05 01 02 01 04 ..@.............
0e30 - 03 05 03 02 03 02 02 00 00 0e 00 00 00 .............
<<< TLS 1.2 Handshake, ServerHello
[{server_version,{3,3}},
{random,<<99,31,131,194,137,40,6,60,141,116,10,166,200,52,68,214,34,122,244,
135,248,196,213,184,231,224,100,240,34,52,216,224>>},
{session_id,<<229,74,0,0,104,172,29,142,3,55,80,29,32,15,113,249,62,162,138,
200,208,196,54,137,233,156,220,196,231,48,42,75>>},
{cipher_suite,"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"},
{compression_method,0},
{extensions,#{alpn => undefined,ec_point_formats => undefined,
next_protocol_negotiation => undefined,
renegotiation_info => {renegotiation_info,<<0>>}}}]
<<< Handshake, Certificate
[{asn1_certificates,[<<48,130,5,36,48,130,4,12,160,3,2,1,2,2,19,31,0,0,9,85,
175,175,197,23,170,32,245,12,0,2,0,0,9,85,48,13,6,9,42,
134,72,134,247,13,1,1,11,5,0,48,118,49,18,48,16,6,10,9,
146,38,137,147,242,44,100,1,25,22,2,98,114,49,19,48,17,
6,10,9,146,38,137,147,242,44,100,1,25,22,3,103,111,118,
49,22,48,20,6,10,9,146,38,137,147,242,44,100,1,25,22,6,
116,114,101,45,115,99,49,25,48,23,6,10,9,146,38,137,147,
242,44,100,1,25,22,9,114,101,100,101,116,114,101,115,99,
49,24,48,22,6,3,85,4,3,19,15,82,69,68,69,84,82,69,83,67,
32,67,65,32,118,49,48,30,23,13,50,49,48,56,49,50,50,48,
52,57,53,49,90,23,13,50,51,48,56,49,50,50,48,52,57,53,
49,90,48,111,49,18,48,16,6,10,9,146,38,137,147,242,44,
100,1,25,22,2,98,114,49,19,48,17,6,10,9,146,38,137,147,
242,44,100,1,25,22,3,103,111,118,49,22,48,20,6,10,9,146,
38,137,147,242,44,100,1,25,22,6,116,114,101,45,115,99,
49,27,48,25,6,3,85,4,11,19,18,68,111,109,97,105,110,32,
67,111,110,116,114,111,108,108,101,114,115,49,15,48,13,
6,3,85,4,3,19,6,83,67,68,67,48,51,48,130,1,34,48,13,6,9,
42,134,72,134,247,13,1,1,1,5,0,3,130,1,15,0,48,130,1,10,
2,130,1,1,0,181,239,85,30,190,54,169,127,111,126,142,
133,227,118,210,123,83,86,202,25,216,115,221,28,213,35,
246,25,81,202,89,47,211,249,62,205,189,93,3,224,46,102,
82,18,247,90,48,105,17,45,29,25,225,53,10,32,232,51,228,
59,2,53,44,96,81,102,233,100,19,95,8,129,155,105,103,
185,160,204,49,109,146,4,233,42,48,229,160,129,108,126,
0,28,181,33,130,20,130,19,18,55,215,249,194,235,189,252,
84,193,205,172,181,90,47,215,42,197,111,105,109,21,247,
106,81,38,154,151,67,195,187,141,118,209,249,18,89,0,
107,195,156,104,42,139,254,248,128,184,158,24,140,55,
200,231,193,178,242,98,222,58,100,143,233,162,22,245,14,
93,232,131,167,12,185,139,207,58,25,108,36,226,108,101,
148,133,200,173,116,138,88,231,56,211,145,44,217,219,30,
220,147,236,24,72,37,102,80,108,185,38,107,202,146,74,1,
63,71,98,171,32,77,59,226,15,144,245,75,224,33,139,236,
29,169,226,118,4,96,151,236,123,49,169,191,214,67,148,
97,15,47,116,220,21,77,33,107,106,79,253,108,35,2,3,1,0,
1,163,130,1,176,48,130,1,172,48,60,6,9,43,6,1,4,1,130,
55,21,7,4,47,48,45,6,37,43,6,1,4,1,130,55,21,8,135,181,
185,28,129,188,185,48,130,133,133,27,134,191,173,24,135,
199,138,72,44,134,209,145,93,250,181,47,2,1,100,2,1,14,
48,41,6,3,85,29,37,4,34,48,32,6,10,43,6,1,4,1,130,55,20,
2,2,6,8,43,6,1,5,5,7,3,1,6,8,43,6,1,5,5,7,3,2,48,11,6,3,
85,29,15,4,4,3,2,5,160,48,53,6,9,43,6,1,4,1,130,55,21,
10,4,40,48,38,48,12,6,10,43,6,1,4,1,130,55,20,2,2,48,10,
6,8,43,6,1,5,5,7,3,1,48,10,6,8,43,6,1,5,5,7,3,2,48,46,6,
3,85,29,17,4,39,48,37,130,13,116,114,101,45,115,99,46,
103,111,118,46,98,114,130,20,115,99,100,99,48,51,46,116,
114,101,45,115,99,46,103,111,118,46,98,114,48,29,6,3,85,
29,14,4,22,4,20,67,29,42,118,130,198,224,130,5,248,200,
98,243,19,125,158,251,29,188,34,48,31,6,3,85,29,35,4,24,
48,22,128,20,145,111,143,227,8,230,95,159,20,158,247,3,
210,55,186,106,168,46,248,55,48,61,6,3,85,29,31,4,54,48,
52,48,50,160,48,160,46,134,44,104,116,116,112,58,47,47,
99,114,108,46,116,114,101,45,115,99,46,103,111,118,46,
98,114,47,114,101,100,101,116,114,101,115,99,45,118,49,
40,50,41,46,99,114,108,48,78,6,8,43,6,1,5,5,7,1,1,4,66,
48,64,48,62,6,8,43,6,1,5,5,7,48,2,134,50,104,116,116,
112,58,47,47,99,97,46,116,114,101,45,115,99,46,103,111,
118,46,98,114,47,82,69,68,69,84,82,69,83,67,37,50,48,67,
65,37,50,48,118,49,40,50,41,46,99,114,116,48,13,6,9,42,
134,72,134,247,13,1,1,11,5,0,3,130,1,1,0,129,73,36,7,
208,19,90,41,149,196,236,143,192,17,147,250,143,14,92,
198,103,32,158,172,146,238,251,140,31,107,130,130,216,
15,1,121,204,37,174,3,124,79,226,155,61,189,199,35,202,
97,17,124,107,13,221,163,195,63,160,0,108,59,241,67,215,
222,10,112,231,188,55,38,108,145,245,237,86,126,68,225,
55,148,155,8,204,178,191,67,9,166,97,8,17,109,181,158,
210,86,230,233,134,134,230,129,254,198,239,111,136,238,
33,146,28,42,155,104,187,12,163,29,130,210,50,131,1,67,
68,251,54,12,234,21,55,173,42,54,206,211,162,168,186,52,
108,136,203,102,113,14,247,2,249,118,245,21,188,52,210,
211,17,23,14,116,108,31,126,51,95,80,43,30,149,134,12,
221,49,137,39,187,241,136,250,252,210,63,190,32,190,237,
36,100,169,58,107,54,175,88,31,211,105,66,170,27,19,106,
190,153,90,179,61,174,3,129,135,188,96,36,237,150,151,
46,94,33,236,14,70,232,54,89,208,41,86,199,12,252,137,
142,165,69,47,75,223,189,233,182,197,119,82,127,117,168,
115,151,192,129,238,193>>,
<<48,130,7,63,48,130,5,39,160,3,2,1,2,2,17,0,210,99,
208,161,221,144,48,97,213,205,107,177,194,200,83,253,
48,13,6,9,42,134,72,134,247,13,1,1,13,5,0,48,130,1,0,
49,11,48,9,6,3,85,4,6,19,2,66,82,49,23,48,21,6,3,85,
4,8,12,14,83,97,110,116,97,32,67,97,116,97,114,105,
110,97,49,22,48,20,6,3,85,4,7,12,13,70,108,111,114,
105,97,110,111,112,111,108,105,115,49,54,48,52,6,3,
85,4,10,12,45,84,114,105,98,117,110,97,108,32,82,101,
103,105,111,110,97,108,32,69,108,101,105,116,111,114,
97,108,32,100,101,32,83,97,110,116,97,32,67,97,116,
97,114,105,110,97,49,56,48,54,6,3,85,4,11,12,47,83,
101,99,97,111,32,100,101,32,65,100,109,105,110,105,
115,116,114,97,99,97,111,32,100,101,32,82,101,100,
101,115,32,101,32,100,101,32,83,101,114,118,105,100,
111,114,101,115,49,43,48,41,6,3,85,4,3,12,34,65,117,
116,111,114,105,100,97,100,101,32,67,101,114,116,105,
102,105,99,97,100,111,114,97,32,84,82,69,45,83,67,32,
118,51,49,33,48,31,6,9,42,134,72,134,247,13,1,9,1,22,
18,114,111,111,116,64,116,114,101,45,115,99,46,106,
117,115,46,98,114,48,32,23,13,50,48,48,50,50,49,50,
48,48,51,49,53,90,24,15,50,48,53,48,48,50,49,51,50,
48,48,51,49,53,90,48,118,49,18,48,16,6,10,9,146,38,
137,147,242,44,100,1,25,22,2,98,114,49,19,48,17,6,10,
9,146,38,137,147,242,44,100,1,25,22,3,103,111,118,49,
22,48,20,6,10,9,146,38,137,147,242,44,100,1,25,22,6,
116,114,101,45,115,99,49,25,48,23,6,10,9,146,38,137,
147,242,44,100,1,25,22,9,114,101,100,101,116,114,101,
115,99,49,24,48,22,6,3,85,4,3,19,15,82,69,68,69,84,
82,69,83,67,32,67,65,32,118,49,48,130,1,34,48,13,6,9,
42,134,72,134,247,13,1,1,1,5,0,3,130,1,15,0,48,130,1,
10,2,130,1,1,0,164,201,27,247,115,4,64,235,69,49,186,
205,96,178,188,35,53,187,25,128,43,32,209,67,147,57,
71,97,220,71,163,254,164,179,164,14,182,242,149,230,
100,30,127,68,116,56,38,200,159,131,113,222,205,53,
84,152,30,168,138,161,81,15,188,66,29,86,238,230,157,
223,209,178,58,5,59,84,36,105,242,113,136,233,87,109,
208,8,187,215,131,226,35,2,247,49,198,130,250,197,
160,220,7,95,170,37,176,238,249,199,111,116,217,5,76,
136,65,11,220,79,138,177,204,202,174,36,2,159,199,
138,78,32,87,176,25,111,212,119,233,242,225,127,165,
33,222,70,2,18,46,167,236,76,11,215,26,204,63,47,93,
96,4,203,57,67,33,194,214,127,143,162,125,129,18,69,
152,247,135,115,81,18,187,164,75,206,127,139,253,25,
224,208,17,51,33,252,141,208,117,231,53,29,109,77,31,
87,228,63,18,76,200,245,231,173,200,205,145,8,9,86,
243,212,203,119,77,92,200,235,156,161,108,70,148,116,
133,190,247,28,147,94,164,165,107,101,187,236,183,
250,144,122,118,253,10,193,227,127,193,172,170,153,2,
3,1,0,1,163,130,2,56,48,130,2,52,48,12,6,3,85,29,19,
4,5,48,3,1,1,255,48,29,6,3,85,29,14,4,22,4,20,145,
111,143,227,8,230,95,159,20,158,247,3,210,55,186,106,
168,46,248,55,48,130,1,58,6,3,85,29,35,4,130,1,49,48,
130,1,45,128,20,160,81,173,48,36,136,92,158,136,167,
193,90,186,159,245,71,25,21,35,249,161,130,1,8,164,
130,1,4,48,130,1,0,49,11,48,9,6,3,85,4,6,19,2,66,82,
49,23,48,21,6,3,85,4,8,12,14,83,97,110,116,97,32,67,
97,116,97,114,105,110,97,49,22,48,20,6,3,85,4,7,12,
13,70,108,111,114,105,97,110,111,112,111,108,105,115,
49,54,48,52,6,3,85,4,10,12,45,84,114,105,98,117,110,
97,108,32,82,101,103,105,111,110,97,108,32,69,108,
101,105,116,111,114,97,108,32,100,101,32,83,97,110,
116,97,32,67,97,116,97,114,105,110,97,49,56,48,54,6,
3,85,4,11,12,47,83,101,99,97,111,32,100,101,32,65,
100,109,105,110,105,115,116,114,97,99,97,111,32,100,
101,32,82,101,100,101,115,32,101,32,100,101,32,83,
101,114,118,105,100,111,114,101,115,49,43,48,41,6,3,
85,4,3,12,34,65,117,116,111,114,105,100,97,100,101,
32,67,101,114,116,105,102,105,99,97,100,111,114,97,
32,84,82,69,45,83,67,32,118,51,49,33,48,31,6,9,42,
134,72,134,247,13,1,9,1,22,18,114,111,111,116,64,116,
114,101,45,115,99,46,106,117,115,46,98,114,130,9,0,
224,101,103,105,172,66,17,97,48,11,6,3,85,29,15,4,4,
3,2,1,6,48,53,6,3,85,29,31,4,46,48,44,48,42,160,40,
160,38,134,36,104,116,116,112,58,47,47,99,97,46,116,
114,101,45,115,99,46,103,111,118,46,98,114,47,116,
114,101,115,99,45,118,51,46,99,114,108,48,47,6,3,85,
29,18,4,40,48,38,134,36,104,116,116,112,58,47,47,99,
97,46,116,114,101,45,115,99,46,103,111,118,46,98,114,
47,116,114,101,115,99,45,118,51,46,99,114,116,48,18,
6,9,43,6,1,4,1,130,55,21,1,4,5,2,3,2,0,2,48,35,6,9,
43,6,1,4,1,130,55,21,2,4,22,4,20,242,227,116,134,222,
152,229,132,54,20,137,213,79,180,104,56,49,209,108,
54,48,25,6,9,43,6,1,4,1,130,55,20,2,4,12,30,10,0,83,
0,117,0,98,0,67,0,65,48,13,6,9,42,134,72,134,247,13,
1,1,13,5,0,3,130,2,1,0,139,238,221,29,191,168,141,
219,192,9,195,24,181,75,221,86,34,50,96,109,146,99,
57,136,227,186,0,132,110,50,121,63,250,231,129,39,79,
34,80,144,78,81,66,210,52,82,213,251,50,9,198,76,225,
76,33,86,57,108,210,194,93,226,114,16,119,204,215,
143,73,45,218,65,25,126,183,133,70,239,141,111,55,79,
164,61,157,92,242,129,83,27,121,97,168,241,146,211,
211,131,73,17,88,103,117,65,239,164,180,173,214,141,
11,28,103,135,202,11,146,90,219,255,67,44,100,44,113,
250,7,179,89,217,192,25,3,183,222,97,138,205,232,103,
247,22,230,215,188,166,68,255,51,64,177,42,66,108,
216,228,107,97,255,54,148,108,198,82,111,130,87,195,
245,185,138,16,106,108,59,45,48,250,6,233,211,199,13,
181,126,71,55,63,26,12,53,133,253,41,57,170,115,173,
182,38,215,85,72,48,58,214,191,25,134,137,214,213,
112,160,151,92,133,235,113,143,74,91,22,52,198,72,16,
229,255,71,218,172,105,25,245,243,111,147,176,110,
252,139,171,14,238,246,231,157,172,27,180,218,208,
122,54,244,231,60,51,67,81,130,2,199,229,212,13,197,
53,89,206,250,26,145,48,160,186,100,122,134,133,192,
223,32,242,135,94,164,9,228,105,39,188,28,205,220,
118,19,182,140,250,32,223,110,167,171,38,246,236,26,
187,36,63,31,246,153,138,79,69,75,1,82,7,161,91,174,
213,0,151,65,48,234,21,121,79,157,118,151,40,39,150,
154,173,63,236,131,105,133,119,44,88,71,175,7,102,
242,127,104,232,75,252,64,181,9,139,104,129,26,232,
82,21,12,122,161,152,154,250,186,125,35,114,22,95,14,
150,117,59,7,236,157,214,24,105,49,88,61,146,56,142,
109,90,225,163,206,84,70,135,196,127,176,28,31,243,
78,72,161,41,129,191,141,94,201,219,12,158,250,146,
254,172,221,184,65,49,22,180,31,198,168,10,60,14,172,
121,250,123,102,186,25,121,10,215,249,139,44,85,90,
37,17,56,38,240,221,15,8,182,45,69,217,201,192,168,
130,168,243,18,6,220,167,52,159,82,240,182,86,22,206,
216,233,174,22,61,121,106,112,206,13,31,108,160,176,
245,231,238,232,98,149,12,203,25,111,64,170>>]}]
<<< Handshake, ServerKeyExchange
[{exchange_keys,<<3,0,23,65,4,231,222,71,59,151,176,41,153,219,95,142,124,41,
151,47,119,190,159,225,244,32,32,67,221,144,216,179,23,131,
234,136,98,153,21,162,227,73,95,4,5,90,10,114,235,202,245,
58,107,210,115,46,139,103,45,159,7,6,203,233,212,129,145,7,
67,2,1,1,0,40,98,40,207,59,160,61,172,56,7,235,215,248,218,
251,129,182,165,122,80,97,247,253,18,183,90,119,74,229,41,
137,9,61,100,3,249,112,171,69,176,211,63,140,64,227,123,30,
71,231,188,15,88,47,175,192,66,226,160,120,57,219,179,115,
23,126,186,1,159,35,73,144,243,203,26,144,148,198,136,239,
238,146,135,59,135,150,58,235,135,162,152,232,106,32,48,
118,184,100,125,116,136,235,200,138,71,216,218,236,114,58,
250,30,9,178,237,143,240,8,194,220,157,166,218,134,62,185,
209,94,218,233,124,67,224,50,129,234,108,56,65,140,40,198,
254,191,34,138,4,19,131,254,33,188,166,134,143,57,105,140,
97,229,91,29,115,17,46,205,23,7,110,117,29,208,114,194,226,
54,89,90,194,23,138,203,134,142,85,188,147,72,18,191,98,
186,246,100,116,109,212,141,125,205,128,206,196,187,178,3,
252,104,173,56,203,143,102,9,71,254,214,20,19,10,179,112,
95,12,126,187,145,201,10,20,122,191,57,172,6,86,109,172,
107,104,49,85,88,165,249,63,101,42,200,171,208,146,164,152,
205,34,39>>}]
writing (7 bytes) TLS 1.2 Record Protocol, alert
0000 - 15 03 03 00 02 02 28 ......(
=NOTICE REPORT==== 12-Sep-2022::16:08:50.389195 ===
TLS client: In state hello at ssl_handshake.erl:892 generated CLIENT ALERT: Fatal - Handshake Failure
- {unknown_or_malformed_handshake,13}
{error,{tls_alert,{handshake_failure,"TLS client: In state hello at ssl_handshake.erl:892 generated CLIENT ALERT: Fatal - Handshake Failure\n {unknown_or_malformed_handshake,13}"}}}
Erlang/OTP 24 [erts-12.3.2] [source] [64-bit] [smp:2:2] [ds:2:2:10] [async-threads:1] [jit]
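The debug output above prints the raw records the client writes as hex dumps: a 298-byte handshake record carrying the ClientHello, and, after the server's Certificate and ServerKeyExchange arrive, a 7-byte alert record (`15 03 03 00 02 02 28`). The decoder below is an added example, not code from the issue or from Erlang/OTP; it parses the 5-byte TLS record header, the handshake header and the leading ClientHello fields, and the alert body, and it stops cleanly when a dump is truncated. The sample bytes are the first three dump lines of the ClientHello and the complete alert record, transcribed by hand from the output above.

```python
"""Decode TLS record headers from the hex dumps in the Erlang ssl debug log.

Added example (not ejabberd or OTP code).  CLIENT_HELLO_PREFIX is the first 48
bytes of the 298-byte ClientHello record and ALERT_RECORD the 7-byte alert
record, both transcribed from the debug output posted in the issue.
"""
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   12: "server_key_exchange", 13: "certificate_request",
                   14: "server_hello_done", 16: "client_key_exchange", 20: "finished"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
                      40: "handshake_failure", 42: "bad_certificate",
                      46: "certificate_unknown", 48: "unknown_ca",
                      70: "protocol_version", 80: "internal_error"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1",
            (3, 3): "TLSv1.2", (3, 4): "TLSv1.3"}

# Constructed from the issue's debug dump (bytes.fromhex ignores the spacing).
CLIENT_HELLO_PREFIX = bytes.fromhex(
    "16 03 03 01 25"                 # record: handshake, TLS 1.2, length 293
    "01 00 01 21"                    # handshake: client_hello, length 289
    "03 03"                          # legacy_version TLS 1.2
    "82 74 3e f0 54 d3 ca f5 c2 a2 ba 16 c3 d1 5c 9d"   # random (32 bytes)
    "c4 28 2e 93 8e d0 88 ff 0c df 43 17 70 c7 8b bf"
    "00"                             # session_id length 0
    "00 62"                          # cipher_suites length 98 (49 suites)
    "00 ff"                          # first suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV
)
ALERT_RECORD = bytes.fromhex("15 03 03 00 02 02 28")


def parse_record(data):
    """Parse one TLS record header and dispatch on its content type.

    A truncated record (like the abbreviated dump) is reported with
    complete=False and parsed as far as the available bytes allow.
    """
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    rec = {"content_type": CONTENT_TYPES.get(ctype, ctype),
           "version": VERSIONS.get((major, minor), (major, minor)),
           "length": length,
           "complete": len(body) == length}
    if rec["content_type"] == "alert":
        rec.update(parse_alert(body))
    elif rec["content_type"] == "handshake":
        rec.update(parse_handshake(body))
    return rec


def parse_alert(body):
    """Alert body: one level byte and one description byte."""
    if len(body) < 2:
        raise ValueError("alert body must be 2 bytes")
    return {"level": ALERT_LEVELS.get(body[0], body[0]),
            "description": ALERT_DESCRIPTIONS.get(body[1], body[1])}


def parse_handshake(body):
    """Handshake header: one type byte and a 24-bit length."""
    if len(body) < 4:
        raise ValueError("handshake header needs 4 bytes")
    htype, hlen = body[0], int.from_bytes(body[1:4], "big")
    hs = {"handshake_type": HANDSHAKE_TYPES.get(htype, htype), "handshake_length": hlen}
    if hs["handshake_type"] == "client_hello":
        hs.update(parse_client_hello_prefix(body[4:4 + hlen]))
    return hs


def parse_client_hello_prefix(msg):
    """Leading ClientHello fields; returns what it could read from a truncated dump."""
    out = {}
    if len(msg) < 35:
        return out
    out["legacy_version"] = VERSIONS.get((msg[0], msg[1]), (msg[0], msg[1]))
    out["random"] = msg[2:34].hex()
    sid_len = msg[34]
    pos = 35 + sid_len
    out["session_id"] = msg[35:pos].hex()
    if len(msg) < pos + 2:
        return out
    cs_len = int.from_bytes(msg[pos:pos + 2], "big")
    out["cipher_suite_count"] = cs_len // 2
    pos += 2
    suites = msg[pos:pos + cs_len]
    # Only whole 2-byte suite ids present in the (possibly truncated) dump.
    out["cipher_suites_seen"] = [suites[i:i + 2].hex()
                                 for i in range(0, len(suites) - len(suites) % 2, 2)]
    return out


if __name__ == "__main__":
    print(parse_record(CLIENT_HELLO_PREFIX))
    print(parse_record(ALERT_RECORD))
```

The decoded alert is level 2 (fatal), description 40 (handshake_failure), which is the "CLIENT ALERT: Fatal - Handshake Failure" the log prints right after the dump; since the client writes it only after it has received the server's Certificate and ServerKeyExchange, the rejection happens on the client side while processing those messages, not in cipher negotiation. The ClientHello header confirms what the Erlang term above shows: 49 suites (98 bytes), starting with the SCSV, and a record length of 293 that, with the 5-byte header, accounts for the 298 bytes reported.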
I think this is the issue: https://github.com/erlang/otp/issues/5961 and official ejabberd RPMs are hardcoded to bundle OTP 24.3.4 :(
Is there any chance of getting this fixed in the official ejabberd RPMs? It could either patch the OTP or upgrade it to 25.
It seems that version is used by portable binaries:
We just need it to be otp_vsn='24.3.4.1' or even otp_vsn='24.3.4.4'.
> Is there any chance of getting this fixed in the official ejabberd RPMs? It could either patch the OTP or upgrade it to 25.
I have submitted #3904 which should address this for future releases but I don't know if there is any chance of rebuilding the RPM for the existing release.
You could download ejabberd-packages from the Artifacts for the CI run on that PR (https://github.com/processone/ejabberd/actions/runs/3043222294) and install the RPM contained in that zip, but note this is a snapshot of the current ejabberd git repo, not a release version.
Environment
Configuration (only if needed): grep -Ev '^$|^\s*#' ejabberd.yml
Errors from error.log/crash.log
Bug description
The LDAP access is failing when I use TLS, no matter what I put in the ldap_tls_verify field. We have an internal root CA and I tried to add it to the ca_file top-level property. However, I was expecting that "ldap_tls_verify: false" would make it work independently of a valid root certificate. Our internal root CA uses some name restrictions that might be messing with ejabberd's libssl. When I use "ldap_encrypt: none" and configure LDAP to accept insecure bindings, it also works (but it is not secure).
Is there any special trick to make it work?
I'm upgrading from a very old system (14.07) and just this SSL issue is holding me back.
This is the output with debug loglevel: