[XMPP] jabber.org dh key too small

[Neustradamus]

When we contact a Jabber.org JID:

prosody         | xxx.xxx:tls                      debug      Received features element
prosody         | xxx.xxx:tls                      debug      jabber.org is offering TLS, taking up the offer...
prosody         | s2sout563f15ad31d0               debug      Sending[s2sout_unauthed]: <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'>
prosody         | s2sout563f15ad31d0               debug      Received[s2sout_unauthed]: <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'>
prosody         | xxx.xxx:tls                      debug      Proceeding with TLS on s2sout...
prosody         | socket                           debug      try to start ssl at client id: 563f15d15390 
prosody         | socket                           debug      starting handshake... 
prosody         | socket                           debug      ssl handshake of client with id:table: 0x563f15d15390, attempt:1 
prosody         | socket                           debug      ssl handshake of client with id:table: 0x563f15d15390, attempt:2 
prosody         | socket                           debug      ssl handshake error: dh key too small 
prosody         | socket                           debug      closing client with id: 563f15d15390 dh key too small 
prosody         | s2sout563f15ad31d0               debug      s2s connection attempt failed: dh key too small
prosody         | s2sout563f15ad31d0               debug      Out of IP addresses, trying next SRV record (if any)
prosody         | s2sout563f15ad31d0               info      Failed in all attempts to connect to jabber.org
prosody         | s2sout563f15ad31d0               debug      No other records to try for jabber.org - destroying
prosody         | s2sout563f15ad31d0               debug      Destroying outgoing session xxx.xxx->jabber.org: Connecting failed: dh key too small
prosody         | s2sout563f15ad31d0               info      Sending error replies for 1 queued stanzas because of failed outgoing connection to jabber.org
prosody         | stanzarouter                     debug      Received[s2sin]: <message to='user@xxx.xxx/client' id='xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' type='error' from='user@jabber.org'>
prosody         | xxx.xxx:mam                      debug      Not archiving stanza: <message to='user@xxx.xxx/client' id='xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' type='error' from='user@jabber.org'> (type)
prosody         | c2s563f15b4d340                  debug      Sending[c2s]: <message to='user@xxx.xxx/client' id='xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' type='error' from='user@jabber.org'>
prosody         | s2sout563f15ad31d0               debug      s2s disconnected: <nil>-><nil> (dh key too small)
prosody         | socket                           debug      handshake failed because: dh key too small 

When we go on a Jabber.org Muc Room:

prosody         | c2s563f15b4d340                  debug      Received[c2s]: <iq to='room@conference.jabber.org' id='xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' type='get' from='user@xxx.xxx/client'>
prosody         | mod_s2s                          debug      opening a new outgoing connection for this stanza
prosody         | mod_s2s                          debug      stanza [iq] queued until connection complete
prosody         | s2sout563f15c5bcf0               debug      First attempt to connect to conference.jabber.org, starting with SRV lookup...
prosody         | adns                             debug      Records for _xmpp-server._tcp.conference.jabber.org. not in cache, sending query (thread: 0x563f16131480)...
prosody         | adns                             debug      Sending DNS query to 127.0.0.11
prosody         | socket                           debug      new connection established. id: 563f162d6810 
prosody         | socket                           debug      try to close client connection with id: 563f162d6810 
prosody         | socket                           debug      closing client with id: 563f162d6810 client to close 
prosody         | adns                             debug      Reply for _xmpp-server._tcp.conference.jabber.org. (thread: 0x563f16131480)
prosody         | s2sout563f15c5bcf0               debug      conference.jabber.org has SRV records, handling...
prosody         | s2sout563f15c5bcf0               debug      Best record found, will connect to hermes2.jabber.org.:5269
prosody         | adns                             debug      Records for hermes2.jabber.org. already cached, using those...
prosody         | s2sout563f15c5bcf0               debug      DNS reply for hermes2.jabber.org. gives us 208.68.163.218
prosody         | s2sout563f15c5bcf0               debug      Beginning new connection attempt to conference.jabber.org ([208.68.163.218]:5269)
prosody         | s2sout563f15c5bcf0               debug      Connection attempt in progress...
prosody         | socket                           debug      new connection established. id: 563f15bdeb90 
prosody         | s2sout563f15c5bcf0               debug      Sending[s2sout_unauthed]: <?xml version='1.0'?>
prosody         | s2sout563f15c5bcf0               debug      Sending[s2sout_unauthed]: <stream:stream to='conference.jabber.org' xmlns:stream='http://etherx.jabber.org/streams' xml:lang='en' version='1.0' xmlns:db='jabber:server:dialback' xmlns='jabber:server' from='xxx.xxx'>
prosody         | runnerKTSoXRXM                   debug      creating new coroutine
prosody         | s2sout563f15c5bcf0               debug      Received[s2sout_unauthed]: <features xmlns='http://etherx.jabber.org/streams'>
prosody         | xxx.xxx:tls                      debug      Received features element
prosody         | xxx.xxx:tls                      debug      conference.jabber.org is offering TLS, taking up the offer...
prosody         | s2sout563f15c5bcf0               debug      Sending[s2sout_unauthed]: <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'>
prosody         | s2sout563f15c5bcf0               debug      Received[s2sout_unauthed]: <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'>
prosody         | xxx.xxx:tls                      debug      Proceeding with TLS on s2sout...
prosody         | socket                           debug      try to start ssl at client id: 563f15bdeb90 
prosody         | socket                           debug      starting handshake... 
prosody         | socket                           debug      ssl handshake of client with id:table: 0x563f15bdeb90, attempt:1 
prosody         | socket                           debug      ssl handshake of client with id:table: 0x563f15bdeb90, attempt:2 
prosody         | socket                           debug      ssl handshake error: dh key too small 
prosody         | socket                           debug      closing client with id: 563f15bdeb90 dh key too small 
prosody         | s2sout563f15c5bcf0               debug      s2s connection attempt failed: dh key too small
prosody         | s2sout563f15c5bcf0               debug      Out of IP addresses, trying next SRV record (if any)
prosody         | s2sout563f15c5bcf0               info      Failed in all attempts to connect to conference.jabber.org
prosody         | s2sout563f15c5bcf0               debug      No other records to try for conference.jabber.org - destroying
prosody         | s2sout563f15c5bcf0               debug      Destroying outgoing session xxx.xxx->conference.jabber.org: Connecting failed: dh key too small
prosody         | s2sout563f15c5bcf0               info      Sending error replies for 1 queued stanzas because of failed outgoing connection to conference.jabber.org
prosody         | stanzarouter                     debug      Received[s2sin]: <iq to='user@xxx.xxx/client' id='xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' type='error' from='room@conference.jabber.org'>
prosody         | c2s563f15b4d340                  debug      Sending[c2s]: <iq to='user@xxx.xxx/client' id='xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' type='error' from='room@conference.jabber.org'>
prosody         | s2sout563f15c5bcf0               debug      s2s disconnected: <nil>-><nil> (dh key too small)
prosody         | socket                           debug      handshake failed because: dh key too small 

[Zash]

Short version: jabber.org uses 1024 bit DH parameters. Recent OpenSSL (1.1.1 possibly) enforces a limit on (I think) 2048 bit minimum. Hilarity ensues. ^W^W Nothing works.

[quite]

I think this implies that the jabber.org contigent have detached from the rest of federated XMPP space (or is at least becoming more so, as openssl 1.1.1 is spreading). It's a loss!

[ThomasLeister]

Same here with trashserver.net :( Too bad the problem still exists.

[neonknight]

To allow connections to ancient, poorly secured servers you need to do the following:

in /etc/ssl/default.cnf go to section [system_default_sect] and set CipherString = DEFAULT@SECLEVEL=1

However, this will weaken overall encryption security of your system, so you must know what you're doing...

[ShinjiLE]

This problem is now more aggressive. Connections e.g. Jabber.de no longer work properly.

[Neustradamus]

@stpeter: Any news about the migration?

[Neustradamus]

@stpeter: Any news about the end of the migration after several months?

[Neustradamus]

@stpeter: https://weakdh.org/