processone / ejabberd

Robust, Ubiquitous and Massively Scalable Messaging Platform (XMPP, MQTT, SIP Server)
https://www.process-one.net/en/ejabberd/

Fails to establish STARTTLS connection #4097

Closed paulmenzel closed 12 months ago

paulmenzel commented 12 months ago

This setup worked for months, but something broke after changing something in the distribution or updating ejabberd. Before starting to bisect all different components, can you see what is going wrong?

Environment

Configuration (only if needed): `grep -Ev '^$|^\s*#' ejabberd.yml`

```yaml
loglevel: 5
log_rotate_size: 10485760
log_rotate_count: 1
hosts:
  - "molgen.mpg.de"
certfiles:
  - "/home/ejabberd/conf/xmpp.molgen.mpg.de-key.pem"
  - "/home/ejabberd/conf/xmpp.molgen.mpg.de.pem"
ca_file: "/etc/ssl/cert.pem"
listen:
  - port: 5222
    ip: "::"
    module: ejabberd_c2s
    starttls: true
    max_stanza_size: 65536
    shaper: c2s_shaper
    access: c2s
  - port: 5269
    ip: "::"
    module: ejabberd_s2s_in
    max_stanza_size: 131072
    shaper: s2s_shaper
  - port: 5280
    ip: "::"
    module: ejabberd_http
    request_handlers:
      "/ws": ejabberd_http_ws
      "/bosh": mod_bosh
      "/oauth": ejabberd_oauth
      "/api": mod_http_api
    captcha: false
  - port: 5443
    ip: 0.0.0.0
    module: ejabberd_http
    request_handlers:
      "/admin": ejabberd_web_admin
      "/api": mod_http_api
      "/bosh": mod_bosh
      "/upload": mod_http_upload
      "/ws": ejabberd_http_ws
    tls: true
s2s_use_starttls: optional
auth_method: ldap
ldap_servers:
  - "ldap.molgen.mpg.de"
ldap_encrypt: tls
ldap_rootdn: "cn=ejabberd,dc=ldap,dc=apps,dc=molgen,dc=mpg,dc=de"
ldap_password: "X"
ldap_base: "dc=user,dc=apps,dc=molgen,dc=mpg,dc=de"
ldap_filter: "(objectClass=molgenUser)"
shaper:
  normal: 1000
  fast: 50000
max_fsm_queue: 10000
acl:
  admin:
    user:
      - "admin@localhost"
      - "admin@xmpp.molgen.mpg.de"
  local:
    user_regexp: ""
  loopback:
    ip:
      - "127.0.0.0/8"
      - "::1/128"
      - "::FFFF:127.0.0.1/128"
shaper_rules:
  max_user_sessions: 10
  max_user_offline_messages:
    - 5000: admin
    - 100
  c2s_shaper:
    - none: admin
    - normal
  s2s_shaper: fast
access_rules:
  local:
    - allow: local
  c2s:
    - deny: blocked
    - allow
  announce:
    - allow: admin
  configure:
    - allow: admin
  muc_create:
    - allow: local
  pubsub_createnode:
    - allow: local
  register:
    - allow
  trusted_network:
    - allow: loopback
api_permissions:
  "console commands":
    from:
      - ejabberd_ctl
    who: all
    what: "*"
  "admin access":
    who:
      - access:
          - allow:
              - acl: loopback
              - acl: admin
      - oauth:
          - scope: "ejabberd:admin"
          - access:
              - allow:
                  - acl: loopback
                  - acl: admin
    what:
      - "*"
      - "!stop"
      - "!start"
  "public commands":
    who:
      - ip: "127.0.0.1/8"
    what:
      - "status"
      - "connected_users_number"
language: "en"
modules:
  mod_adhoc: {}
  mod_admin_extra: {}
  mod_announce: # recommends mod_adhoc
    access: announce
  mod_blocking: {} # requires mod_privacy
  mod_caps: {}
  mod_carboncopy: {}
  mod_client_state: {}
  mod_configure: {} # requires mod_adhoc
  mod_disco: {}
  mod_bosh: {}
  mod_http_upload:
    custom_headers:
      "Access-Control-Allow-Origin": "*"
      "Access-Control-Allow-Methods": "GET,HEAD,PUT,OPTIONS"
      "Access-Control-Allow-Headers": "Content-Type"
    put_url: "https://upload.@HOST@:5443/upload"
    thumbnail: false # otherwise needs ejabberd to be compiled with libgd support
  mod_last: {}
  mod_mam: # for xep0313, mnesia is limited to 2GB, better use an SQL backend
    assume_mam_usage: true
    default: always
  mod_muc:
    access:
      - allow
    access_admin:
      - allow: admin
    access_create: muc_create
    access_persistent: muc_create
    default_room_options:
      allow_subscription: true
      persistent: true
      mam: true
  mod_muc_admin: {}
  mod_offline:
    access_max_user_messages: max_user_offline_messages
  mod_ping: {}
  mod_privacy: {}
  mod_private: {}
  mod_pubsub:
    access_createnode: pubsub_createnode
    ignore_pep_from_offline: true
    last_item_cache: false
    max_items_node: 10
    plugins:
      - "flat"
      - "pep" # pep requires mod_caps
    force_node_config:
      "eu.siacs.conversations.axolotl.*":
        access_model: whitelist
      "storage:bookmarks":
        access_model: whitelist
  mod_push: {}
  mod_push_keepalive: {}
  mod_register:
    welcome_message:
      subject: "Welcome!"
      body: |-
        Hi.
        Welcome to this XMPP server.
    ip_access: trusted_network
    access: register
  mod_roster: {}
  mod_shared_roster: {}
  mod_vcard:
    search: false
  mod_vcard_xupdate: {}
  mod_avatar: {}
  mod_version: {}
  mod_stream_mgmt: {}
  mod_s2s_dialback: {}
  mod_http_api: {}
  mod_fail2ban: {}
allow_contrib_modules: true
```

Errors from error.log/crash.log

No errors

Bug description

```
$ openssl s_client -connect xmpp.molgen.mpg.de:5222 </dev/null -starttls xmpp
CONNECTED(00000003)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 287 bytes and written 123 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
```

```
2023-10-10 15:09:35.399423+00:00 [info] <0.627.0>@ejabberd_listener:accept/7:344 (<0.1044.0>) Accepted connection [::ffff:172.17.0.1]:58290 -> [::ffff:172.17.0.4]:5222
2023-10-10 15:09:35.399699+00:00 [notice] <0.1044.0> (tcp|<0.1044.0>) Received XML on stream = <<"<stream:stream xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:client' to='xmpp.molgen.mpg.de' version='1.0'>">>
2023-10-10 15:09:35.400228+00:00 [notice] <0.1044.0> (tcp|<0.1044.0>) Send XML on stream = <<"<?xml version='1.0'?><stream:stream id='18307731040550219917' version='1.0' xml:lang='en' xmlns:stream='http://etherx.jabber.org/streams' from='xmpp.molgen.mpg.de' xmlns='jabber:client'>">>
2023-10-10 15:09:35.400724+00:00 [debug] <0.1044.0>@ejabberd_hooks:safe_apply/4:315 Running hook c2s_filter_send: mod_client_state:filter_chat_states/1
2023-10-10 15:09:35.400983+00:00 [debug] <0.1044.0>@ejabberd_hooks:safe_apply/4:315 Running hook c2s_filter_send: mod_client_state:filter_pep/1
2023-10-10 15:09:35.401195+00:00 [debug] <0.1044.0>@ejabberd_hooks:safe_apply/4:315 Running hook c2s_filter_send: mod_client_state:filter_presence/1
2023-10-10 15:09:35.401426+00:00 [debug] <0.1044.0>@ejabberd_hooks:safe_apply/4:315 Running hook c2s_filter_send: mod_client_state:filter_other/1
2023-10-10 15:09:35.401689+00:00 [notice] <0.1044.0> (tcp|<0.1044.0>) Send XML on stream = <<"<stream:error><host-unknown xmlns='urn:ietf:params:xml:ns:xmpp-streams'/></stream:error>">>
2023-10-10 15:09:35.401979+00:00 [debug] <0.1044.0>@ejabberd_hooks:safe_apply/4:315 Running hook c2s_handle_send: mod_push:c2s_stanza/3
2023-10-10 15:09:35.402181+00:00 [debug] <0.1044.0>@ejabberd_hooks:safe_apply/4:315 Running hook c2s_handle_send: mod_push_keepalive:c2s_stanza/3
2023-10-10 15:09:35.402390+00:00 [debug] <0.1044.0>@ejabberd_hooks:safe_apply/4:315 Running hook c2s_handle_send: mod_stream_mgmt:c2s_handle_send/3
2023-10-10 15:09:35.402679+00:00 [debug] <0.1044.0>@ejabberd_hooks:safe_apply/4:315 Running hook c2s_closed: mod_stream_mgmt:c2s_closed/2
2023-10-10 15:09:35.403024+00:00 [debug] <0.1044.0>@ejabberd_hooks:safe_apply/4:315 Running hook c2s_closed: ejabberd_c2s:process_closed/2
2023-10-10 15:09:35.403365+00:00 [debug] <0.1044.0>@ejabberd_hooks:safe_apply/4:315 Running hook c2s_terminated: mod_stream_mgmt:c2s_terminated/2
2023-10-10 15:09:35.403589+00:00 [debug] <0.1044.0>@ejabberd_hooks:safe_apply/4:315 Running hook c2s_terminated: mod_pubsub:on_user_offline/2
2023-10-10 15:09:35.403883+00:00 [debug] <0.1044.0>@ejabberd_hooks:safe_apply/4:315 Running hook c2s_terminated: ejabberd_c2s:process_terminated/2
2023-10-10 15:09:35.404097+00:00 [notice] <0.1044.0> (tcp|<0.1044.0>) Send XML on stream = <<"</stream:stream>">>
```

prefiks commented 12 months ago

Add `-xmpphost molgen.mpg.de`

paulmenzel commented 12 months ago

Indeed. Thank you.

```
$ openssl s_client -connect xmpp.molgen.mpg.de:5222 </dev/null -starttls xmpp -xmpphost molgen.mpg.de
CONNECTED(00000003)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Organization Validation Secure Server CA
verify return:1
depth=0 C = DE, ST = Bayern, O = Max-Planck-Gesellschaft zur F\C3\B6rderung der Wissenschaften e.V., CN = xmpp.molgen.mpg.de
verify return:1
---
Certificate chain
 0 s:C = DE, ST = Bayern, O = Max-Planck-Gesellschaft zur F\C3\B6rderung der Wissenschaften e.V., CN = xmpp.molgen.mpg.de
   i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Organization Validation Secure Server CA
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 24 00:00:00 2023 GMT; NotAfter: May 23 23:59:59 2024 GMT
 1 s:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Organization Validation Secure Server CA
   i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA384
   v:NotBefore: Nov  2 00:00:00 2018 GMT; NotAfter: Dec 31 23:59:59 2030 GMT
 2 s:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
   i:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA384
   v:NotBefore: Mar 12 00:00:00 2019 GMT; NotAfter: Dec 31 23:59:59 2028 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
subject=C = DE, ST = Bayern, O = Max-Planck-Gesellschaft zur F\C3\B6rderung der Wissenschaften e.V., CN = xmpp.molgen.mpg.de
issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Organization Validation Secure Server CA
---
No client certificate CA names sent
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5911 bytes and written 603 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE
```

PS: OT: So, why is dino-im saying there is a problem with the certificate?
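
The exchange behind the two `openssl s_client` runs above, as an added example that is not part of this issue and not ejabberd code: a small Python probe sends the opening stream header with the XMPP virtual host in `to=`, waits for the server to offer `<starttls/>`, sends it, and only then wraps the socket in TLS. When `to=` names a host that is not in the server's `hosts:` list, the server answers with the `<stream:error><host-unknown/>` seen in the log, which the probe reports as a stream error rather than as a TLS failure. The function names, the constructed sample replies (the first copied from the logged reply, the second built to look like a server offering STARTTLS) and the use of `ssl.create_default_context` are this example's own choices. Unlike `openssl s_client`, which only checks the hostname when given `-verify_hostname`, the probe verifies the certificate against the XMPP domain, as an XMPP client does (RFC 6120), so a certificate whose names do not cover the domain in `to=` is reported here even though the openssl output above says `Verify return code: 0 (ok)`.

```python
import re
import socket
import ssl

STREAMS_NS = "http://etherx.jabber.org/streams"
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"

# Matches the three STARTTLS-namespace elements a server can send.
TLS_TAG = re.compile(r"<(starttls|proceed|failure)\s+xmlns=['\"]" + re.escape(TLS_NS) + r"['\"]")
# Matches a stream error and captures its condition element (e.g. host-unknown).
STREAM_ERROR = re.compile(r"<stream:error>\s*<([A-Za-z-]+)")

# Constructed sample replies: the first is the reply logged in this issue for a header
# with to='xmpp.molgen.mpg.de'; the second is what a server sends when `to` is a
# configured virtual host (built for this example, not captured).
HOST_UNKNOWN_REPLY = (
    b"<?xml version='1.0'?><stream:stream id='18307731040550219917' version='1.0' "
    b"xml:lang='en' xmlns:stream='http://etherx.jabber.org/streams' "
    b"from='xmpp.molgen.mpg.de' xmlns='jabber:client'>"
    b"<stream:error><host-unknown xmlns='urn:ietf:params:xml:ns:xmpp-streams'/>"
    b"</stream:error></stream:stream>"
)
STARTTLS_OFFER_REPLY = (
    b"<?xml version='1.0'?><stream:stream id='1' version='1.0' "
    b"xmlns:stream='http://etherx.jabber.org/streams' from='molgen.mpg.de' "
    b"xmlns='jabber:client'><stream:features>"
    b"<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls>"
    b"</stream:features>"
)


def stream_header(xmpp_host):
    """Opening stream header. `to` must be a name from ejabberd's `hosts:` list,
    i.e. the XMPP domain, which need not equal the DNS name of the server."""
    return (
        "<?xml version='1.0'?>"
        f"<stream:stream xmlns:stream='{STREAMS_NS}' xmlns='jabber:client' "
        f"to='{xmpp_host}' version='1.0'>"
    ).encode()


def classify_response(data):
    """Classify bytes received so far: 'stream-error:<condition>', 'starttls' (offered),
    'proceed', 'failure', 'no-starttls' (features without it) or 'incomplete'."""
    text = data.decode("utf-8", "replace")
    err = STREAM_ERROR.search(text)
    if err:
        return f"stream-error:{err.group(1)}"
    tag = TLS_TAG.search(text)
    if tag:
        return tag.group(1)
    if "</stream:features>" in text or "<stream:features/>" in text:
        return "no-starttls"
    return "incomplete"


def _read_until_classified(sock):
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("stream closed by server: " + buf.decode("utf-8", "replace"))
        buf += chunk
        state = classify_response(buf)
        if state != "incomplete":
            return state


def negotiate_starttls(connect_host, port, xmpp_host, cafile=None, timeout=10.0):
    """Open a c2s stream for virtual host `xmpp_host`, upgrade it with STARTTLS and
    return the verified peer certificate; raise with the server's own diagnosis
    when the stream is rejected before TLS starts."""
    ctx = ssl.create_default_context(cafile=cafile)  # chain and hostname verification
    with socket.create_connection((connect_host, port), timeout=timeout) as sock:
        sock.sendall(stream_header(xmpp_host))
        state = _read_until_classified(sock)
        if state.startswith("stream-error:"):
            raise RuntimeError(f"stream for to='{xmpp_host}' rejected: {state} "
                               "(host-unknown: name is not in the server's hosts list)")
        if state != "starttls":
            raise RuntimeError(f"server did not offer STARTTLS (got {state})")
        sock.sendall(f"<starttls xmlns='{TLS_NS}'/>".encode())
        state = _read_until_classified(sock)
        if state != "proceed":
            raise RuntimeError(f"STARTTLS not started: {state}")
        # RFC 6120 clients check the certificate against the XMPP domain (`to`),
        # which openssl s_client only does when given -verify_hostname.
        with ctx.wrap_socket(sock, server_hostname=xmpp_host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys
    # e.g. python3 probe.py xmpp.molgen.mpg.de molgen.mpg.de
    cert = negotiate_starttls(sys.argv[1], 5222, sys.argv[2])
    print("verified peer subject:", cert.get("subject"))
```

Run it with the server's DNS name and the XMPP domain as separate arguments; a `host-unknown` result means the second argument is not one of the configured `hosts:`, and an `ssl.SSLCertVerificationError` means the certificate does not cover that domain.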

Neustradamus commented 11 months ago

@paulmenzel: It has been closed?

paulmenzel commented 11 months ago

Yes, as my problem was solved.

licaon-kter commented 11 months ago

@paulmenzel but how? :))

paulmenzel commented 11 months ago

By doing what @prefiks suggested: passing the switch `-xmpphost`. `openssl s_client -connect xmpp.molgen.mpg.de:5222 </dev/null -starttls xmpp -xmpphost molgen.mpg.de` works for my setup.