Ejabberd cannot connect to LDAPS independently from ldap_tls_verify value

[luizluca]

Environment

• ejabberd version: 22.05.78-1 (from RPM repo)
• Erlang version: 12.3.2
• OS: Linux (SLES 15SP4)
• Installed from: official deb/rpm

Configuration (only if needed): grep -Ev '^$|^\s*#' ejabberd.yml

auth_method: [ldap]
ldap_servers:
  - "mydomain.com"
ldap_encrypt: tls
#ldap_encrypt: none
ldap_rootdn: "mydomain\\ejabberd"
ldap_password: "secret"
ldap_base: "dc=mydomain,dc=com"
ldap_uids: { "sAMAccountName": "%u" }
ldap_tls_verify: false

loglevel: 4
...

Errors from error.log/crash.log

set 08 19:33:59 ejabberdctl[29213]: 2022-09-08 19:33:59.822252-03:00 [notice] TLS client: In state hello at ssl_handshake.erl:892 generated CLIENT ALERT: Fatal - Handshake Failure
set 08 19:33:59 ejabberdctl[29213]:  - {unknown_or_malformed_handshake,13}
set 08 19:33:59 ejabberdctl[29213]: 2022-09-08 19:33:59.823589-03:00 [warning] Description: "Authenticity is not established by certificate path validation"
set 08 19:33:59 ejabberdctl[29213]:      Reason: "Option {verify, verify_peer} and cacertfile/cacerts is missing"

Bug description

The LDAP access is failing when I use TLS, no matter what I put in the ldap_tls_verify field. We have an internal RootCA and I tried to add it to ca_file top-level property. However, I was expecting that "ldap_tls_verify: false" would make it work independently from a valid root certificate. Our internal root CA uses some name restrictions that might be messing with ejabberd libssl. When I use "ldap_encrypt: none", and configure LDAP to accept insecure bindings, it also works (but it is not secure).

Is there any special trick to make it work?

I'm upgrading from a very old system (14.07) and just this SSL issue is holding me back.

This is the output with debug loglevel:

``` set 08 22:14:52 ejabberdctl[6837]: 2022-09-08 22:14:51.860367-03:00 [notice] TLS client: In state hello at ssl_handshake.erl:892 generated CLIENT ALERT: Fatal - Handshake Failure set 08 22:14:52 ejabberdctl[6837]: - {unknown_or_malformed_handshake,13} set 08 22:14:52 ejabberdctl[6837]: 2022-09-08 22:14:51.861837-03:00 [warning] Description: "Authenticity is not established by certificate path validation" set 08 22:14:52 ejabberdctl[6837]: Reason: "Option {verify, verify_peer} and cacertfile/cacerts is missing" set 08 22:14:52 ejabberdctl[6837]: 2022-09-08 22:14:51.863764-03:00 [debug] PROGRESS REPORT: set 08 22:14:52 ejabberdctl[6837]: supervisor: {<0.840.0>,tls_dyn_connection_sup} set 08 22:14:52 ejabberdctl[6837]: started: [{pid,<0.841.0>}, set 08 22:14:52 ejabberdctl[6837]: {id,sender}, set 08 22:14:52 ejabberdctl[6837]: {mfargs,{tls_sender,start_link,[]}}, set 08 22:14:52 ejabberdctl[6837]: {restart_type,temporary}, set 08 22:14:52 ejabberdctl[6837]: {significant,false}, set 08 22:14:52 ejabberdctl[6837]: {shutdown,5000}, set 08 22:14:52 ejabberdctl[6837]: {child_type,worker}] set 08 22:14:52 ejabberdctl[6837]: 2022-09-08 22:14:51.864349-03:00 [debug] PROGRESS REPORT: set 08 22:14:52 ejabberdctl[6837]: supervisor: {<0.840.0>,tls_dyn_connection_sup} set 08 22:14:52 ejabberdctl[6837]: started: [{pid,<0.842.0>}, set 08 22:14:52 ejabberdctl[6837]: {id,receiver}, set 08 22:14:52 ejabberdctl[6837]: {mfargs, set 08 22:14:52 ejabberdctl[6837]: {ssl_gen_statem,start_link, set 08 22:14:52 ejabberdctl[6837]: [client,<0.841.0>, set 08 22:14:52 ejabberdctl[6837]: {10,9,1,92}, set 08 22:14:52 ejabberdctl[6837]: 636,#Port<0.61>, set 08 22:14:52 ejabberdctl[6837]: {#{alpn_preferred_protocols => undefined, set 08 22:14:52 ejabberdctl[6837]: keyfile => <<>>,max_handshake_size => 262144, set 08 22:14:52 ejabberdctl[6837]: versions => [{3,4},{3,3}], set 08 22:14:52 ejabberdctl[6837]: supported_groups => set 08 22:14:52 ejabberdctl[6837]: {supported_groups, set 08 22:14:52 ejabberdctl[6837]: [x25519,x448,secp256r1,secp384r1]}, set 08 22:14:52 ejabberdctl[6837]: reuse_sessions => true,cookie => undefined, set 08 22:14:52 ejabberdctl[6837]: certfile => <<>>, set 08 22:14:52 ejabberdctl[6837]: beast_mitigation => one_n_minus_one,sni_hosts => [], set 08 22:14:52 ejabberdctl[6837]: password => [],cert => undefined, set 08 22:14:52 ejabberdctl[6837]: secure_renegotiate => true,dh => undefined, set 08 22:14:52 ejabberdctl[6837]: padding_check => true,depth => 10, set 08 22:14:52 ejabberdctl[6837]: early_data => undefined,fallback => false, set 08 22:14:52 ejabberdctl[6837]: anti_replay => undefined, set 08 22:14:52 ejabberdctl[6837]: customize_hostname_check => [], set 08 22:14:52 ejabberdctl[6837]: honor_ecc_order => undefined, set 08 22:14:52 ejabberdctl[6837]: ciphers => set 08 22:14:52 ejabberdctl[6837]: [<<19,2>>, set 08 22:14:52 ejabberdctl[6837]: <<19,1>>, set 08 22:14:52 ejabberdctl[6837]: <<19,3>>, set 08 22:14:52 ejabberdctl[6837]: <<19,4>>, set 08 22:14:52 ejabberdctl[6837]: <<19,5>>, set 08 22:14:52 ejabberdctl[6837]: <<"À,">>,<<"À0">>,<<"À­">>,<<"À¯">>,<<"À$">>, set 08 22:14:52 ejabberdctl[6837]: <<"À(">>, set 08 22:14:52 ejabberdctl[6837]: <<204,169>>, set 08 22:14:52 ejabberdctl[6837]: <<204,168>>, set 08 22:14:52 ejabberdctl[6837]: <<"À+">>,<<"À/">>,<<"À¬">>,<<"À®">>,<<"À.">>, set 08 22:14:52 ejabberdctl[6837]: <<"À2">>,<<"À&">>,<<"À*">>,<<"À-">>,<<"À1">>, set 08 22:14:52 ejabberdctl[6837]: <<"À#">>,<<"À'">>,<<"À%">>,<<"À)">>, set 08 22:14:52 ejabberdctl[6837]: <<0,159>>, set 08 22:14:52 ejabberdctl[6837]: <<0,163>>, set 08 22:14:52 ejabberdctl[6837]: <<0,107>>, set 08 22:14:52 ejabberdctl[6837]: <<0,106>>, set 08 22:14:52 ejabberdctl[6837]: <<0,158>>, set 08 22:14:52 ejabberdctl[6837]: <<0,162>>, set 08 22:14:52 ejabberdctl[6837]: <<204,170>>, set 08 22:14:52 ejabberdctl[6837]: <<0,103>>, set 08 22:14:52 ejabberdctl[6837]: <<0,64>>, set 08 22:14:52 ejabberdctl[6837]: <<"À\n">>, set 08 22:14:52 ejabberdctl[6837]: <<192,20>>, set 08 22:14:52 ejabberdctl[6837]: <<192,5>>, set 08 22:14:52 ejabberdctl[6837]: <<192,15>>, set 08 22:14:52 ejabberdctl[6837]: <<"À\t">>, set 08 22:14:52 ejabberdctl[6837]: <<192,19>>, set 08 22:14:52 ejabberdctl[6837]: <<192,4>>, set 08 22:14:52 ejabberdctl[6837]: <<192,14>>, set 08 22:14:52 ejabberdctl[6837]: <<0,57>>, set 08 22:14:52 ejabberdctl[6837]: <<0,56>>, set 08 22:14:52 ejabberdctl[6837]: <<0,51>>, set 08 22:14:52 ejabberdctl[6837]: <<0,50>>], set 08 22:14:52 ejabberdctl[6837]: signature_algs => set 08 22:14:52 ejabberdctl[6837]: [ecdsa_secp521r1_sha512,ecdsa_secp384r1_sha384, set 08 22:14:52 ejabberdctl[6837]: ecdsa_secp256r1_sha256,rsa_pss_pss_sha512, set 08 22:14:52 ejabberdctl[6837]: rsa_pss_pss_sha384,rsa_pss_pss_sha256, set 08 22:14:52 ejabberdctl[6837]: rsa_pss_rsae_sha512,rsa_pss_rsae_sha384, set 08 22:14:52 ejabberdctl[6837]: rsa_pss_rsae_sha256,eddsa_ed25519,eddsa_ed448, set 08 22:14:52 ejabberdctl[6837]: {sha512,ecdsa}, set 08 22:14:52 ejabberdctl[6837]: {sha512,rsa}, set 08 22:14:52 ejabberdctl[6837]: {sha384,ecdsa}, set 08 22:14:52 ejabberdctl[6837]: {sha384,rsa}, set 08 22:14:52 ejabberdctl[6837]: {sha256,ecdsa}, set 08 22:14:52 ejabberdctl[6837]: {sha256,rsa}, set 08 22:14:52 ejabberdctl[6837]: {sha224,ecdsa}, set 08 22:14:52 ejabberdctl[6837]: {sha224,rsa}, set 08 22:14:52 ejabberdctl[6837]: {sha,ecdsa}, set 08 22:14:52 ejabberdctl[6837]: {sha,rsa}, set 08 22:14:52 ejabberdctl[6837]: {sha,dsa}], set 08 22:14:52 ejabberdctl[6837]: key => undefined,sni_fun => undefined, set 08 22:14:52 ejabberdctl[6837]: cacerts => undefined, set 08 22:14:52 ejabberdctl[6837]: max_fragment_length => undefined, set 08 22:14:52 ejabberdctl[6837]: use_ticket => undefined,ocsp_stapling => false, set 08 22:14:52 ejabberdctl[6837]: ocsp_responder_certs => [],dhfile => undefined, set 08 22:14:52 ejabberdctl[6837]: honor_cipher_order => undefined,crl_check => false, set 08 22:14:52 ejabberdctl[6837]: middlebox_comp_mode => true, set 08 22:14:52 ejabberdctl[6837]: partial_chain => #Fun, set 08 22:14:52 ejabberdctl[6837]: fail_if_no_peer_cert => false, set 08 22:14:52 ejabberdctl[6837]: hibernate_after => infinity, set 08 22:14:52 ejabberdctl[6837]: next_protocols_advertised => undefined, set 08 22:14:52 ejabberdctl[6837]: verify => verify_none,user_lookup_fun => undefined, set 08 22:14:52 ejabberdctl[6837]: session_tickets => disabled, set 08 22:14:52 ejabberdctl[6837]: psk_identity => undefined, set 08 22:14:52 ejabberdctl[6837]: renegotiate_at => 268435456, set 08 22:14:52 ejabberdctl[6837]: client_renegotiation => undefined, set 08 22:14:52 ejabberdctl[6837]: certificate_authorities => false, set 08 22:14:52 ejabberdctl[6837]: eccs => set 08 22:14:52 ejabberdctl[6837]: {elliptic_curves, set 08 22:14:52 ejabberdctl[6837]: [{1,3,132,0,39}, set 08 22:14:52 ejabberdctl[6837]: {1,3,132,0,38}, set 08 22:14:52 ejabberdctl[6837]: {1,3,132,0,35}, set 08 22:14:52 ejabberdctl[6837]: {1,3,36,3,3,2,8,1,1,13}, set 08 22:14:52 ejabberdctl[6837]: {1,3,132,0,36}, set 08 22:14:52 ejabberdctl[6837]: {1,3,132,0,37}, set 08 22:14:52 ejabberdctl[6837]: {1,3,36,3,3,2,8,1,1,11}, set 08 22:14:52 ejabberdctl[6837]: {1,3,132,0,34}, set 08 22:14:52 ejabberdctl[6837]: {1,3,132,0,16}, set 08 22:14:52 ejabberdctl[6837]: {1,3,132,0,17}, set 08 22:14:52 ejabberdctl[6837]: {1,3,36,3,3,2,8,1,1,7}, set 08 22:14:52 ejabberdctl[6837]: {1,3,132,0,10}, set 08 22:14:52 ejabberdctl[6837]: {1,2,840,10045,3,1,7}, set 08 22:14:52 ejabberdctl[6837]: {1,3,132,0,3}, set 08 22:14:52 ejabberdctl[6837]: {1,3,132,0,26}, set 08 22:14:52 ejabberdctl[6837]: {1,3,132,0,27}, set 08 22:14:52 ejabberdctl[6837]: {1,3,132,0,32}, set 08 22:14:52 ejabberdctl[6837]: {1,3,132,0,33}, set 08 22:14:52 ejabberdctl[6837]: {1,3,132,0,24}, set 08 22:14:52 ejabberdctl[6837]: {1,3,132,0,25}, set 08 22:14:52 ejabberdctl[6837]: {1,3,132,0,31}, set 08 22:14:52 ejabberdctl[6837]: {1,2,840,10045,3,1,1}, set 08 22:14:52 ejabberdctl[6837]: {1,3,132,0,1}, set 08 22:14:52 ejabberdctl[6837]: {1,3,132,0,2}, set 08 22:14:52 ejabberdctl[6837]: {1,3,132,0,15}, set 08 22:14:52 ejabberdctl[6837]: {1,3,132,0,9}, set 08 22:14:52 ejabberdctl[6837]: {1,3,132,0,8}, set 08 22:14:52 ejabberdctl[6837]: {1,3,132,0,30}]}, set 08 22:14:52 ejabberdctl[6837]: crl_cache => {ssl_crl_cache,{internal,[]}}, set 08 22:14:52 ejabberdctl[6837]: verify_fun => {#Fun,[]}, set 08 22:14:52 ejabberdctl[6837]: signature_algs_cert => undefined,protocol => tls, set 08 22:14:52 ejabberdctl[6837]: reuse_session => undefined,ocsp_nonce => true, set 08 22:14:52 ejabberdctl[6837]: erl_dist => false,srp_identity => undefined, set 08 22:14:52 ejabberdctl[6837]: alpn_advertised_protocols => undefined, set 08 22:14:52 ejabberdctl[6837]: log_level => notice,handshake => full, set 08 22:14:52 ejabberdctl[6837]: next_protocol_selector => undefined, set 08 22:14:52 ejabberdctl[6837]: keep_secrets => false,cacertfile => <<>>, set 08 22:14:52 ejabberdctl[6837]: key_update_at => 388736063997, set 08 22:14:52 ejabberdctl[6837]: server_name_indication => undefined}, set 08 22:14:52 ejabberdctl[6837]: {socket_options,binary,asn1,0,0,true}, set 08 22:14:52 ejabberdctl[6837]: undefined}, set 08 22:14:52 ejabberdctl[6837]: <0.682.0>, set 08 22:14:52 ejabberdctl[6837]: {gen_tcp,tcp,tcp_closed,tcp_error,tcp_passive}]}}, set 08 22:14:52 ejabberdctl[6837]: {restart_type,temporary}, set 08 22:14:52 ejabberdctl[6837]: {significant,true}, set 08 22:14:52 ejabberdctl[6837]: {shutdown,5000}, set 08 22:14:52 ejabberdctl[6837]: {child_type,worker}] set 08 22:14:52 ejabberdctl[6837]: 2022-09-08 22:14:51.873067-03:00 [notice] TLS client: In state hello at ssl_handshake.erl:892 generated CLIENT ALERT: Fatal - Handshake Failure set 08 22:14:52 ejabberdctl[6837]: - {unknown_or_malformed_handshake,13} ```

[nosnilmot]

This looks like the TLS connection is failing early in the handshake before certificate verification.

Presumably along with the ejabberd upgrade you are upgrading to a newer Erlang/OTP version?

I suspect there is no overlap of accepted TLS versions and ciphers between your LDAP server and the Erlang/OTP ejabberd client. Can you run a test against your LDAP server to see which ciphers the server is offering? (replace ldap.mydomain.com with correct hostname or IP address of LDAP server).

$ nmap --script ssl-enum-ciphers ldap.mydomain.com -p 636

[luizluca]

This looks like the TLS connection is failing early in the handshake before certificate verification.

Presumably along with the ejabberd upgrade you are upgrading to a newer Erlang/OTP version?

The Official RPM package bundles everything. I didn't install any erlang package but ejabberd. Does it still use the system SSL libraries?

I suspect there is no overlap of accepted TLS versions and ciphers between your LDAP server and the Erlang/OTP ejabberd client. Can you run a test against your LDAP server to see which ciphers the server is offering? (replace ldap.mydomain.com with correct hostname or IP address of LDAP server).

$ nmap --script ssl-enum-ciphers ldap.mydomain.com -p 636

It is a standard AD system. We did not changed SSL settings:

PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers: 
|   SSLv3: 
|     ciphers: 
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
|     compressors: 
|       NULL
|     cipher preference: server
|     warnings: 
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       Broken cipher RC4 is deprecated by RFC 7465
|       CBC-mode cipher in SSLv3 (CVE-2014-3566)
|       Ciphersuite uses MD5 for message integrity
|       Forward Secrecy not supported by any cipher
|   TLSv1.0: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
|     compressors: 
|       NULL
|     cipher preference: server
|     warnings: 
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       Broken cipher RC4 is deprecated by RFC 7465
|       Ciphersuite uses MD5 for message integrity
|       Key exchange (dh 1024) of lower strength than certificate key
|   TLSv1.1: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
|     compressors: 
|       NULL
|     cipher preference: server
|     warnings: 
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       Broken cipher RC4 is deprecated by RFC 7465
|       Ciphersuite uses MD5 for message integrity
|       Key exchange (dh 1024) of lower strength than certificate key
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
|     compressors: 
|       NULL
|     cipher preference: server
|     warnings: 
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       Broken cipher RC4 is deprecated by RFC 7465
|       Ciphersuite uses MD5 for message integrity
|       Key exchange (dh 1024) of lower strength than certificate key
|_  least strength: C

[nosnilmot]

The Official RPM package bundles everything. I didn't install any erlang package but ejabberd. Does it still use the system SSL libraries?

I must confess to not knowing exactly what is included in the official ejabberd RPMs (I have now checked and they are actually statically linked to private copy of OpenSSL), but my point was that you are using a newer Erlang/OTP than you were with 14.07, so it might be new more stringent TLS/SSL requirements that are no longer compatible with your LDAP server even if you made no changes there.

BTW, this log message is just a warning to indicate that the certificate will not be verified, it is NOT the cause of connection failure:

set 08 22:14:52 ejabberdctl[6837]: 2022-09-08 22:14:51.861837-03:00 [warning] Description: "Authenticity is not established by certificate path validation"
set 08 22:14:52 ejabberdctl[6837]:      Reason: "Option {verify, verify_peer} and cacertfile/cacerts is missing"

It could definitely be phrased better but it is coming from Erlang/OTP. I think that log was introduced in OTP 25 (erts-13), but the official RPMs use OTP 24, so that's another puzzle. Exacly which RPM did you install?

Could you open ejabberd debug console: ejabberdctl debug and execute this: ssl:connect("ldap.mydomain.com", 636, [{log_level, debug}]). and share the output? You can close console with double ctrl-c.

The output from openssl s_client -connect ldap.mydomain.com:636 might also be informative, as would a debug log from ejabberd startup to failure point.

[luizluca]

The Official RPM package bundles everything. I didn't install any erlang package but ejabberd. Does it still use the system SSL libraries?

I must confess to not knowing exactly what is included in the official ejabberd RPMs (I have now checked and they are actually statically linked to private copy of OpenSSL), but my point was that you are using a newer Erlang/OTP than you were with 14.07, so it might be new more stringent TLS/SSL requirements that are no longer compatible with your LDAP server even if you made no changes there.

BTW, this log message is just a warning to indicate that the certificate will not be verified, it is NOT the cause of connection failure:

set 08 22:14:52 ejabberdctl[6837]: 2022-09-08 22:14:51.861837-03:00 [warning] Description: "Authenticity is not established by certificate path validation"
set 08 22:14:52 ejabberdctl[6837]:      Reason: "Option {verify, verify_peer} and cacertfile/cacerts is missing"

It could definitely be phrased better but it is coming from Erlang/OTP. I think that log was introduced in OTP 25 (erts-13), but the official RPMs use OTP 24, so that's another puzzle. Exacly which RPM did you install?

This one: https://repo.process-one.net/rpm/ejabberd-22.05.78-1.x86_64.rpm

And yes, it is "Erlang/OTP 24 [erts-12.3.2] [source] [64-bit] [smp:2:2] [ds:2:2:10] [async-threads:1] [jit]"

Could you open ejabberd debug console: ejabberdctl debug and execute this: ssl:connect("ldap.mydomain.com", 636, [{log_level, debug}]). and share the output? You can close console with double ctrl-c.

It does not give anything new:

=WARNING REPORT==== 12-Sep-2022::14:58:42.413276 ===
Description: "Authenticity is not established by certificate path validation"
     Reason: "Option {verify, verify_peer} and cacertfile/cacerts is missing"

{error,{tls_alert,{handshake_failure,"TLS client: In state hello at ssl_handshake.erl:892 generated CLIENT ALERT: Fatal - Handshake Failure\n {unknown_or_malformed_handshake,13}"}}}

I also tried some variants:

(ejabberd@localhost)1> ssl:connect("ldap.mydomain.com", 636, [{log_level, debug},{verify,verify_peer},{cacertfile,["/etc/ssl/certs/MyCA.pem"]}]).
{error,{tls_alert,{handshake_failure,"TLS client: In state hello at ssl_handshake.erl:892 generated CLIENT ALERT: Fatal - Handshake Failure\n {unknown_or_malformed_handshake,13}"}}}

(ejabberd@localhost)1> ssl:connect("ldap.mydomain.com", 636, [{log_level, debug},{verify,verify_peer},{cacertfile,["/etc/ssl/certs/NotMyCA.pem"]}]).
{error,{tls_alert,{handshake_failure,"TLS client: In state hello at ssl_handshake.erl:892 generated CLIENT ALERT: Fatal - Handshake Failure\n {unknown_or_malformed_handshake,13}"}}}

(ejabberd@localhost)2> ssl:connect("ldap.mydomain.com", 636, [{log_level, debug},{verify,verify_none}]).
{error,{tls_alert,{handshake_failure,"TLS client: In state hello at ssl_handshake.erl:892 generated CLIENT ALERT: Fatal - Handshake Failure\n {unknown_or_malformed_handshake,13}"}}}

It looks like it sends the debug output somewhere else.

The output from openssl s_client -connect ldap.mydomain.com:636 might also be informative, as would a debug log from ejabberd startup to failure point.

CONNECTED(00000003)
depth=2 C = BR, ST = Santa Catarina, L = Florianopolis, O = MYCA, emailAddress = root@mydomain.com
verify return:1
depth=1 DC = COM, DC = mydomain, CN = SUBCA
verify return:1
depth=0 DC = COM, DC = mydomain, CN = DC01
verify return:1
---
Certificate chain
 0 s:DC = COM, DC = mydomain, CN = DC01
   i:DC = COM, DC = mydomain, CN = SUBCA
 1 s:DC = COM, DC = mydomain, CN = SUBCA
   i:C = BR, ST = Santa Catarina, L = Florianopolis, O = MYCA, emailAddress = root@mydomain.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFJDCCBAygAwIBAgITHwAACVWvr8UXqiD1DAACAAAJVTANBgkqhkiG9w0BAQsF
...
DPyJjqVFL0vfvem2xXdSf3Woc5fAge7B
-----END CERTIFICATE-----
subject=DC = COM, DC = mydomain, CN = DC01

issuer=DC = COM, DC = mydomain, CN = SUBCA

---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1
Peer signing digest: SHA1
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3740 bytes and written 508 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-SHA256
    Session-ID: 9C3A0000C469BBAC62DB32218BDD1AF4B925F70C632A0114DAC461F40E7E6779
    Session-ID-ctx: 
    Master-Key: E03AA9E9F1BEE5F905F20C6ACDAE73F58A2B6C956F99B592AF464F84FC2FE9928FF7338CA20C9FEDAE46092FBB8552CA
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1663005662
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---

My distribution (SLES) does provide a erlang runtime package (Erlang/OTP 22 [erts-10.7] [source] [64-bit] [smp:2:2] [ds:2:2:10] [async-threads:1] [hipe]). With that, it seems to work. I also tried with OpenSUSE Tumbleweed (Erlang/OTP 25 [erts-13.0.3] [source] [64-bit] [smp:8:8] [ds:8:8:10] [async-threads:1] [jit:ns]) with also good results:

Erlang/OTP 25 [erts-13.0.3] [source] [64-bit] [smp:8:8] [ds:8:8:10] [async-threads:1] [jit:ns]

Eshell V13.0.3  (abort with ^G)
1> application:ensure_all_started(ssl).
{ok,[crypto,asn1,public_key,ssl]}
2> ssl:connect("ldap.mydomain.com", 636, [{verify, verify_none}]).
{ok,{sslsocket,{gen_tcp,#Port<0.5>,tls_connection,undefined},
               [<0.115.0>,<0.114.0>]}}

Erlang/OTP 22 [erts-10.7] [source] [64-bit] [smp:2:2] [ds:2:2:10] [async-threads:1] [hipe]

Eshell V10.7  (abort with ^G)
1> application:ensure_all_started(ssl).
{ok,[crypto,asn1,public_key,ssl]}
2> ssl:connect("ldap.mydomain.com", 636, [{verify, verify_none}]).
{ok,{sslsocket,{gen_tcp,#Port<0.6>,tls_connection,undefined},
               [<0.109.0>,<0.108.0>]}}

I also edited a copy of ejabberdctl to run the bundled erl:

=ERROR REPORT==== 12-Sep-2022::15:46:32.498695 ===
inet_config: file /inetrc not found

Erlang/OTP 24 [erts-12.3.2] [source] [64-bit] [smp:2:2] [ds:2:2:10] [async-threads:1] [jit]

=ERROR REPORT==== 12-Sep-2022::15:46:32.498695 ===
inet_config: file /inetrc not found

Eshell V12.3.2  (abort with ^G)
1> application:ensure_all_started(ssl).
{ok,[crypto,asn1,public_key,ssl]}
2> ssl:connect("ldap.mydomain.com", 636, [{verify, verify_none}]).
=NOTICE REPORT==== 12-Sep-2022::15:46:41.825983 ===
TLS client: In state hello at ssl_handshake.erl:892 generated CLIENT ALERT: Fatal - Handshake Failure
 - {unknown_or_malformed_handshake,13}
{error,{tls_alert,{handshake_failure,"TLS client: In state hello at ssl_handshake.erl:892 generated CLIENT ALERT: Fatal - Handshake Failure\n {unknown_or_malformed_handshake,13}"}}}

And then, the error is back. It is either a regression introduced between 22 and 25 or a packaging issue (or maybe something SUSE erlang packaging fixed).

https://build.opensuse.org/package/view_file/openSUSE:Factory/erlang/erlang.spec?expand=1 lines 254 and 269 shows that it will try to use dynamic libssl. It also has a patch Makefile https://build.opensuse.org/package/view_file/openSUSE:Factory/erlang/otp-R16B-rpath.patch?expand=1

Is using Erlang/OTP 22 enough for ejabberd? If so, how can I ask ejabberd to use system erlang runtime instead of RPM one?

[luizluca]

Could you open ejabberd debug console: ejabberdctl debug and execute this: ssl:connect("ldap.mydomain.com", 636, [{log_level, debug}]). and share the output? You can close console with double ctrl-c.

Using my modified ejabberdctl, I could get the debug output:

=ERROR REPORT==== 12-Sep-2022::16:08:37.852929 ===
inet_config: file /inetrc not found

Erlang/OTP 24 [erts-12.3.2] [source] [64-bit] [smp:2:2] [ds:2:2:10] [async-threads:1] [jit]

=ERROR REPORT==== 12-Sep-2022::16:08:37.852929 ===
inet_config: file /inetrc not found

Eshell V12.3.2  (abort with ^G)
1> application:ensure_all_started(ssl).
{ok,[crypto,asn1,public_key,ssl]}
2> ssl:connect("ldap.mydomain.com", 636, [{log_level, all}]).
=WARNING REPORT==== 12-Sep-2022::16:08:50.141645 ===
Description: "Authenticity is not established by certificate path validation"
     Reason: "Option {verify, verify_peer} and cacertfile/cacerts is missing"

>>> TLS 1.3 Handshake, ClientHello
[{client_version,{3,3}},
 {random,
     <<130,116,62,240,84,211,202,245,194,162,186,22,195,209,92,157,196,40,46,
       147,142,208,136,255,12,223,67,23,112,199,139,191>>},
 {session_id,<<>>},
 {cookie,undefined},
 {cipher_suites,
     ["TLS_EMPTY_RENEGOTIATION_INFO_SCSV","TLS_AES_256_GCM_SHA384",
      "TLS_AES_128_GCM_SHA256","TLS_CHACHA20_POLY1305_SHA256",
      "TLS_AES_128_CCM_SHA256","TLS_AES_128_CCM_8_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_256_CCM","TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8",
      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CCM","TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8",
      "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
      "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
      "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
      "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
      "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
      "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
      "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
      "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
      "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
      "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
      "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
      "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA","TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
      "TLS_DHE_DSS_WITH_AES_256_CBC_SHA","TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
      "TLS_DHE_DSS_WITH_AES_128_CBC_SHA"]},
 {compression_methods,[0]},
 {extensions,
     #{alpn => undefined,
       client_hello_versions => {client_hello_versions,[{3,4},{3,3}]},
       ec_point_formats => {ec_point_formats,[0]},
       elliptic_curves => {supported_groups,[x25519,x448,secp256r1,secp384r1]},
       key_share =>
           {key_share_client_hello,
               [{key_share_entry,x25519,
                    <<15,111,156,182,49,124,236,187,152,247,31,2,198,173,
                      241,89,106,217,146,176,5,56,56,135,217,69,184,248,6,
                      79,198,113>>}]},
       max_frag_enum => undefined,next_protocol_negotiation => undefined,
       renegotiation_info => {renegotiation_info,undefined},
       signature_algs =>
           {signature_algorithms,
               [ecdsa_secp521r1_sha512,ecdsa_secp384r1_sha384,
                ecdsa_secp256r1_sha256,rsa_pss_pss_sha512,rsa_pss_pss_sha384,
                rsa_pss_pss_sha256,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,
                rsa_pss_rsae_sha256,eddsa_ed25519,eddsa_ed448,
                {sha512,ecdsa},
                {sha512,rsa},
                {sha384,ecdsa},
                {sha384,rsa},
                {sha256,ecdsa},
                {sha256,rsa},
                {sha224,ecdsa},
                {sha224,rsa},
                {sha,ecdsa},
                {sha,rsa},
                {sha,dsa}]},
       signature_algs_cert => undefined,
       sni => {sni,"ldap.mydomain.com"},
       srp => undefined}}]
writing (298 bytes) TLS 1.2 Record Protocol, handshake
0000 - 16 03 03 01 25 01 00 01  21 03 03 82 74 3e f0 54    ....%...!...t>.T
0010 - d3 ca f5 c2 a2 ba 16 c3  d1 5c 9d c4 28 2e 93 8e    .........\..(...
0020 - d0 88 ff 0c df 43 17 70  c7 8b bf 00 00 62 00 ff    .....C.p.....b..
....
0e20 - 01 02 40 00 12 06 01 06  03 04 01 05 01 02 01 04    ..@.............
0e30 - 03 05 03 02 03 02 02 00  00 0e 00 00 00                .............
<<< TLS 1.2 Handshake, ServerHello
[{server_version,{3,3}},
 {random,<<99,31,131,194,137,40,6,60,141,116,10,166,200,52,68,214,34,122,244,
           135,248,196,213,184,231,224,100,240,34,52,216,224>>},
 {session_id,<<229,74,0,0,104,172,29,142,3,55,80,29,32,15,113,249,62,162,138,
               200,208,196,54,137,233,156,220,196,231,48,42,75>>},
 {cipher_suite,"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"},
 {compression_method,0},
 {extensions,#{alpn => undefined,ec_point_formats => undefined,
               next_protocol_negotiation => undefined,
               renegotiation_info => {renegotiation_info,<<0>>}}}]
<<< Handshake, Certificate
[{asn1_certificates,[<<48,130,5,36,48,130,4,12,160,3,2,1,2,2,19,31,0,0,9,85,
                       175,175,197,23,170,32,245,12,0,2,0,0,9,85,48,13,6,9,42,
                       134,72,134,247,13,1,1,11,5,0,48,118,49,18,48,16,6,10,9,
                       146,38,137,147,242,44,100,1,25,22,2,98,114,49,19,48,17,
                       6,10,9,146,38,137,147,242,44,100,1,25,22,3,103,111,118,
                       49,22,48,20,6,10,9,146,38,137,147,242,44,100,1,25,22,6,
                       116,114,101,45,115,99,49,25,48,23,6,10,9,146,38,137,147,
                       242,44,100,1,25,22,9,114,101,100,101,116,114,101,115,99,
                       49,24,48,22,6,3,85,4,3,19,15,82,69,68,69,84,82,69,83,67,
                       32,67,65,32,118,49,48,30,23,13,50,49,48,56,49,50,50,48,
                       52,57,53,49,90,23,13,50,51,48,56,49,50,50,48,52,57,53,
                       49,90,48,111,49,18,48,16,6,10,9,146,38,137,147,242,44,
                       100,1,25,22,2,98,114,49,19,48,17,6,10,9,146,38,137,147,
                       242,44,100,1,25,22,3,103,111,118,49,22,48,20,6,10,9,146,
                       38,137,147,242,44,100,1,25,22,6,116,114,101,45,115,99,
                       49,27,48,25,6,3,85,4,11,19,18,68,111,109,97,105,110,32,
                       67,111,110,116,114,111,108,108,101,114,115,49,15,48,13,
                       6,3,85,4,3,19,6,83,67,68,67,48,51,48,130,1,34,48,13,6,9,
                       42,134,72,134,247,13,1,1,1,5,0,3,130,1,15,0,48,130,1,10,
                       2,130,1,1,0,181,239,85,30,190,54,169,127,111,126,142,
                       133,227,118,210,123,83,86,202,25,216,115,221,28,213,35,
                       246,25,81,202,89,47,211,249,62,205,189,93,3,224,46,102,
                       82,18,247,90,48,105,17,45,29,25,225,53,10,32,232,51,228,
                       59,2,53,44,96,81,102,233,100,19,95,8,129,155,105,103,
                       185,160,204,49,109,146,4,233,42,48,229,160,129,108,126,
                       0,28,181,33,130,20,130,19,18,55,215,249,194,235,189,252,
                       84,193,205,172,181,90,47,215,42,197,111,105,109,21,247,
                       106,81,38,154,151,67,195,187,141,118,209,249,18,89,0,
                       107,195,156,104,42,139,254,248,128,184,158,24,140,55,
                       200,231,193,178,242,98,222,58,100,143,233,162,22,245,14,
                       93,232,131,167,12,185,139,207,58,25,108,36,226,108,101,
                       148,133,200,173,116,138,88,231,56,211,145,44,217,219,30,
                       220,147,236,24,72,37,102,80,108,185,38,107,202,146,74,1,
                       63,71,98,171,32,77,59,226,15,144,245,75,224,33,139,236,
                       29,169,226,118,4,96,151,236,123,49,169,191,214,67,148,
                       97,15,47,116,220,21,77,33,107,106,79,253,108,35,2,3,1,0,
                       1,163,130,1,176,48,130,1,172,48,60,6,9,43,6,1,4,1,130,
                       55,21,7,4,47,48,45,6,37,43,6,1,4,1,130,55,21,8,135,181,
                       185,28,129,188,185,48,130,133,133,27,134,191,173,24,135,
                       199,138,72,44,134,209,145,93,250,181,47,2,1,100,2,1,14,
                       48,41,6,3,85,29,37,4,34,48,32,6,10,43,6,1,4,1,130,55,20,
                       2,2,6,8,43,6,1,5,5,7,3,1,6,8,43,6,1,5,5,7,3,2,48,11,6,3,
                       85,29,15,4,4,3,2,5,160,48,53,6,9,43,6,1,4,1,130,55,21,
                       10,4,40,48,38,48,12,6,10,43,6,1,4,1,130,55,20,2,2,48,10,
                       6,8,43,6,1,5,5,7,3,1,48,10,6,8,43,6,1,5,5,7,3,2,48,46,6,
                       3,85,29,17,4,39,48,37,130,13,116,114,101,45,115,99,46,
                       103,111,118,46,98,114,130,20,115,99,100,99,48,51,46,116,
                       114,101,45,115,99,46,103,111,118,46,98,114,48,29,6,3,85,
                       29,14,4,22,4,20,67,29,42,118,130,198,224,130,5,248,200,
                       98,243,19,125,158,251,29,188,34,48,31,6,3,85,29,35,4,24,
                       48,22,128,20,145,111,143,227,8,230,95,159,20,158,247,3,
                       210,55,186,106,168,46,248,55,48,61,6,3,85,29,31,4,54,48,
                       52,48,50,160,48,160,46,134,44,104,116,116,112,58,47,47,
                       99,114,108,46,116,114,101,45,115,99,46,103,111,118,46,
                       98,114,47,114,101,100,101,116,114,101,115,99,45,118,49,
                       40,50,41,46,99,114,108,48,78,6,8,43,6,1,5,5,7,1,1,4,66,
                       48,64,48,62,6,8,43,6,1,5,5,7,48,2,134,50,104,116,116,
                       112,58,47,47,99,97,46,116,114,101,45,115,99,46,103,111,
                       118,46,98,114,47,82,69,68,69,84,82,69,83,67,37,50,48,67,
                       65,37,50,48,118,49,40,50,41,46,99,114,116,48,13,6,9,42,
                       134,72,134,247,13,1,1,11,5,0,3,130,1,1,0,129,73,36,7,
                       208,19,90,41,149,196,236,143,192,17,147,250,143,14,92,
                       198,103,32,158,172,146,238,251,140,31,107,130,130,216,
                       15,1,121,204,37,174,3,124,79,226,155,61,189,199,35,202,
                       97,17,124,107,13,221,163,195,63,160,0,108,59,241,67,215,
                       222,10,112,231,188,55,38,108,145,245,237,86,126,68,225,
                       55,148,155,8,204,178,191,67,9,166,97,8,17,109,181,158,
                       210,86,230,233,134,134,230,129,254,198,239,111,136,238,
                       33,146,28,42,155,104,187,12,163,29,130,210,50,131,1,67,
                       68,251,54,12,234,21,55,173,42,54,206,211,162,168,186,52,
                       108,136,203,102,113,14,247,2,249,118,245,21,188,52,210,
                       211,17,23,14,116,108,31,126,51,95,80,43,30,149,134,12,
                       221,49,137,39,187,241,136,250,252,210,63,190,32,190,237,
                       36,100,169,58,107,54,175,88,31,211,105,66,170,27,19,106,
                       190,153,90,179,61,174,3,129,135,188,96,36,237,150,151,
                       46,94,33,236,14,70,232,54,89,208,41,86,199,12,252,137,
                       142,165,69,47,75,223,189,233,182,197,119,82,127,117,168,
                       115,151,192,129,238,193>>, 
                     <<48,130,7,63,48,130,5,39,160,3,2,1,2,2,17,0,210,99,
                       208,161,221,144,48,97,213,205,107,177,194,200,83,253,
                       48,13,6,9,42,134,72,134,247,13,1,1,13,5,0,48,130,1,0,
                       49,11,48,9,6,3,85,4,6,19,2,66,82,49,23,48,21,6,3,85,
                       4,8,12,14,83,97,110,116,97,32,67,97,116,97,114,105,
                       110,97,49,22,48,20,6,3,85,4,7,12,13,70,108,111,114,
                       105,97,110,111,112,111,108,105,115,49,54,48,52,6,3,
                       85,4,10,12,45,84,114,105,98,117,110,97,108,32,82,101,
                       103,105,111,110,97,108,32,69,108,101,105,116,111,114,
                       97,108,32,100,101,32,83,97,110,116,97,32,67,97,116,
                       97,114,105,110,97,49,56,48,54,6,3,85,4,11,12,47,83,
                       101,99,97,111,32,100,101,32,65,100,109,105,110,105,
                       115,116,114,97,99,97,111,32,100,101,32,82,101,100,
                       101,115,32,101,32,100,101,32,83,101,114,118,105,100,
                       111,114,101,115,49,43,48,41,6,3,85,4,3,12,34,65,117,
                       116,111,114,105,100,97,100,101,32,67,101,114,116,105,
                       102,105,99,97,100,111,114,97,32,84,82,69,45,83,67,32,
                       118,51,49,33,48,31,6,9,42,134,72,134,247,13,1,9,1,22,
                       18,114,111,111,116,64,116,114,101,45,115,99,46,106,
                       117,115,46,98,114,48,32,23,13,50,48,48,50,50,49,50,
                       48,48,51,49,53,90,24,15,50,48,53,48,48,50,49,51,50,
                       48,48,51,49,53,90,48,118,49,18,48,16,6,10,9,146,38,
                       137,147,242,44,100,1,25,22,2,98,114,49,19,48,17,6,10,
                       9,146,38,137,147,242,44,100,1,25,22,3,103,111,118,49,
                       22,48,20,6,10,9,146,38,137,147,242,44,100,1,25,22,6,
                       116,114,101,45,115,99,49,25,48,23,6,10,9,146,38,137,
                       147,242,44,100,1,25,22,9,114,101,100,101,116,114,101,
                       115,99,49,24,48,22,6,3,85,4,3,19,15,82,69,68,69,84,
                       82,69,83,67,32,67,65,32,118,49,48,130,1,34,48,13,6,9,
                       42,134,72,134,247,13,1,1,1,5,0,3,130,1,15,0,48,130,1,
                       10,2,130,1,1,0,164,201,27,247,115,4,64,235,69,49,186,
                       205,96,178,188,35,53,187,25,128,43,32,209,67,147,57,
                       71,97,220,71,163,254,164,179,164,14,182,242,149,230,
                       100,30,127,68,116,56,38,200,159,131,113,222,205,53,
                       84,152,30,168,138,161,81,15,188,66,29,86,238,230,157,
                       223,209,178,58,5,59,84,36,105,242,113,136,233,87,109,
                       208,8,187,215,131,226,35,2,247,49,198,130,250,197,
                       160,220,7,95,170,37,176,238,249,199,111,116,217,5,76,
                       136,65,11,220,79,138,177,204,202,174,36,2,159,199,
                       138,78,32,87,176,25,111,212,119,233,242,225,127,165,
                       33,222,70,2,18,46,167,236,76,11,215,26,204,63,47,93,
                       96,4,203,57,67,33,194,214,127,143,162,125,129,18,69,
                       152,247,135,115,81,18,187,164,75,206,127,139,253,25,
                       224,208,17,51,33,252,141,208,117,231,53,29,109,77,31,
                       87,228,63,18,76,200,245,231,173,200,205,145,8,9,86,
                       243,212,203,119,77,92,200,235,156,161,108,70,148,116,
                       133,190,247,28,147,94,164,165,107,101,187,236,183, 
                       250,144,122,118,253,10,193,227,127,193,172,170,153,2,
                       3,1,0,1,163,130,2,56,48,130,2,52,48,12,6,3,85,29,19,
                       4,5,48,3,1,1,255,48,29,6,3,85,29,14,4,22,4,20,145,
                       111,143,227,8,230,95,159,20,158,247,3,210,55,186,106,
                       168,46,248,55,48,130,1,58,6,3,85,29,35,4,130,1,49,48,
                       130,1,45,128,20,160,81,173,48,36,136,92,158,136,167,
                       193,90,186,159,245,71,25,21,35,249,161,130,1,8,164,
                       130,1,4,48,130,1,0,49,11,48,9,6,3,85,4,6,19,2,66,82,
                       49,23,48,21,6,3,85,4,8,12,14,83,97,110,116,97,32,67,
                       97,116,97,114,105,110,97,49,22,48,20,6,3,85,4,7,12,
                       13,70,108,111,114,105,97,110,111,112,111,108,105,115,
                       49,54,48,52,6,3,85,4,10,12,45,84,114,105,98,117,110,
                       97,108,32,82,101,103,105,111,110,97,108,32,69,108,
                       101,105,116,111,114,97,108,32,100,101,32,83,97,110,
                       116,97,32,67,97,116,97,114,105,110,97,49,56,48,54,6,
                       3,85,4,11,12,47,83,101,99,97,111,32,100,101,32,65,
                       100,109,105,110,105,115,116,114,97,99,97,111,32,100,
                       101,32,82,101,100,101,115,32,101,32,100,101,32,83,
                       101,114,118,105,100,111,114,101,115,49,43,48,41,6,3,
                       85,4,3,12,34,65,117,116,111,114,105,100,97,100,101,
                       32,67,101,114,116,105,102,105,99,97,100,111,114,97,
                       32,84,82,69,45,83,67,32,118,51,49,33,48,31,6,9,42,
                       134,72,134,247,13,1,9,1,22,18,114,111,111,116,64,116,
                       114,101,45,115,99,46,106,117,115,46,98,114,130,9,0,
                       224,101,103,105,172,66,17,97,48,11,6,3,85,29,15,4,4,
                       3,2,1,6,48,53,6,3,85,29,31,4,46,48,44,48,42,160,40,
                       160,38,134,36,104,116,116,112,58,47,47,99,97,46,116,
                       114,101,45,115,99,46,103,111,118,46,98,114,47,116,
                       114,101,115,99,45,118,51,46,99,114,108,48,47,6,3,85,
                       29,18,4,40,48,38,134,36,104,116,116,112,58,47,47,99,
                       97,46,116,114,101,45,115,99,46,103,111,118,46,98,114,
                       47,116,114,101,115,99,45,118,51,46,99,114,116,48,18,
                       6,9,43,6,1,4,1,130,55,21,1,4,5,2,3,2,0,2,48,35,6,9,
                       43,6,1,4,1,130,55,21,2,4,22,4,20,242,227,116,134,222,
                       152,229,132,54,20,137,213,79,180,104,56,49,209,108,
                       54,48,25,6,9,43,6,1,4,1,130,55,20,2,4,12,30,10,0,83,
                       0,117,0,98,0,67,0,65,48,13,6,9,42,134,72,134,247,13,
                       1,1,13,5,0,3,130,2,1,0,139,238,221,29,191,168,141,
                       219,192,9,195,24,181,75,221,86,34,50,96,109,146,99,
                       57,136,227,186,0,132,110,50,121,63,250,231,129,39,79,
                       34,80,144,78,81,66,210,52,82,213,251,50,9,198,76,225,
                       76,33,86,57,108,210,194,93,226,114,16,119,204,215,
                       143,73,45,218,65,25,126,183,133,70,239,141,111,55,79,
                       164,61,157,92,242,129,83,27,121,97,168,241,146,211,
                       211,131,73,17,88,103,117,65,239,164,180,173,214,141,
                       11,28,103,135,202,11,146,90,219,255,67,44,100,44,113,
                       250,7,179,89,217,192,25,3,183,222,97,138,205,232,103,
                       247,22,230,215,188,166,68,255,51,64,177,42,66,108,
                       216,228,107,97,255,54,148,108,198,82,111,130,87,195,
                       245,185,138,16,106,108,59,45,48,250,6,233,211,199,13,
                       181,126,71,55,63,26,12,53,133,253,41,57,170,115,173,
                       182,38,215,85,72,48,58,214,191,25,134,137,214,213,
                       112,160,151,92,133,235,113,143,74,91,22,52,198,72,16,
                       229,255,71,218,172,105,25,245,243,111,147,176,110,
                       252,139,171,14,238,246,231,157,172,27,180,218,208,
                       122,54,244,231,60,51,67,81,130,2,199,229,212,13,197,
                       53,89,206,250,26,145,48,160,186,100,122,134,133,192,
                       223,32,242,135,94,164,9,228,105,39,188,28,205,220,
                       118,19,182,140,250,32,223,110,167,171,38,246,236,26,
                       187,36,63,31,246,153,138,79,69,75,1,82,7,161,91,174,
                       213,0,151,65,48,234,21,121,79,157,118,151,40,39,150,
                       154,173,63,236,131,105,133,119,44,88,71,175,7,102,
                       242,127,104,232,75,252,64,181,9,139,104,129,26,232,
                       82,21,12,122,161,152,154,250,186,125,35,114,22,95,14,
                       150,117,59,7,236,157,214,24,105,49,88,61,146,56,142,
                       109,90,225,163,206,84,70,135,196,127,176,28,31,243,
                       78,72,161,41,129,191,141,94,201,219,12,158,250,146,
                       254,172,221,184,65,49,22,180,31,198,168,10,60,14,172,
                       121,250,123,102,186,25,121,10,215,249,139,44,85,90,
                       37,17,56,38,240,221,15,8,182,45,69,217,201,192,168,
                       130,168,243,18,6,220,167,52,159,82,240,182,86,22,206,
                       216,233,174,22,61,121,106,112,206,13,31,108,160,176,
                       245,231,238,232,98,149,12,203,25,111,64,170>>]}]
<<< Handshake, ServerKeyExchange
[{exchange_keys,<<3,0,23,65,4,231,222,71,59,151,176,41,153,219,95,142,124,41,
                  151,47,119,190,159,225,244,32,32,67,221,144,216,179,23,131,
                  234,136,98,153,21,162,227,73,95,4,5,90,10,114,235,202,245,
                  58,107,210,115,46,139,103,45,159,7,6,203,233,212,129,145,7,
                  67,2,1,1,0,40,98,40,207,59,160,61,172,56,7,235,215,248,218,
                  251,129,182,165,122,80,97,247,253,18,183,90,119,74,229,41,
                  137,9,61,100,3,249,112,171,69,176,211,63,140,64,227,123,30,
                  71,231,188,15,88,47,175,192,66,226,160,120,57,219,179,115,
                  23,126,186,1,159,35,73,144,243,203,26,144,148,198,136,239,
                  238,146,135,59,135,150,58,235,135,162,152,232,106,32,48,
                  118,184,100,125,116,136,235,200,138,71,216,218,236,114,58,
                  250,30,9,178,237,143,240,8,194,220,157,166,218,134,62,185,
                  209,94,218,233,124,67,224,50,129,234,108,56,65,140,40,198,
                  254,191,34,138,4,19,131,254,33,188,166,134,143,57,105,140,
                  97,229,91,29,115,17,46,205,23,7,110,117,29,208,114,194,226,
                  54,89,90,194,23,138,203,134,142,85,188,147,72,18,191,98,
                  186,246,100,116,109,212,141,125,205,128,206,196,187,178,3,
                  252,104,173,56,203,143,102,9,71,254,214,20,19,10,179,112,
                  95,12,126,187,145,201,10,20,122,191,57,172,6,86,109,172,
                  107,104,49,85,88,165,249,63,101,42,200,171,208,146,164,152,
                  205,34,39>>}]
writing (7 bytes) TLS 1.2 Record Protocol, alert
0000 - 15 03 03 00 02 02 28                                ......(
=NOTICE REPORT==== 12-Sep-2022::16:08:50.389195 ===
TLS client: In state hello at ssl_handshake.erl:892 generated CLIENT ALERT: Fatal - Handshake Failure
 - {unknown_or_malformed_handshake,13}
{error,{tls_alert,{handshake_failure,"TLS client: In state hello at ssl_handshake.erl:892 generated CLIENT ALERT: Fatal - Handshake Failure\n {unknown_or_malformed_handshake,13}"}}}

[nosnilmot]

Erlang/OTP 24 [erts-12.3.2] [source] [64-bit] [smp:2:2] [ds:2:2:10] [async-threads:1] [jit]

I think this is the issue: https://github.com/erlang/otp/issues/5961 and official ejabberd RPMs are hardcoded to bundle OTP 24.3.4 :(

[luizluca]

Is there any chance of getting this fixed in the official ejabberd RPMs? It could either patch the OTP or upgrade it to 25.

[luizluca]

It seems that version is used by portable binaries:

https://github.com/processone/ejabberd/blob/b017207ac1ec9365ded321dd213e6eb7aca49634/tools/make-binaries#L74

We just need it to be otp_vsn='24.3.4.1' or even otp_vsn='24.3.4.4'.

[nosnilmot]

Is there any chance of getting this fixed in the official ejabberd RPMs? It could either patch the OTP or upgrade it to 25.

I have submitted #3904 which should address this for future releases but I don't know if there is any chance of rebuilding RPM for existing relesse.

You could download ejabberd-packages from the Artifacts for the CI run on that PR (https://github.com/processone/ejabberd/actions/runs/3043222294) and install the RPM contained in that zip, but note this is a snapshot of current ejabberd git repo, not a release version.