Your message dated Fri, 08 Sep 2017 21:02:15 +0000
with message-id <[email protected]>
and subject line Bug#871264: fixed in erlang-p1-tls 1.0.7-2+deb9u1
has caused the Debian Bug report #871264,
regarding ejabberd 16.09 on Stretch can't use ECDSA certificates
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
871264: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871264
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: ejabberd
Version: 16.09-4
Severity: important

Dear Maintainer,

Last week, I upgraded my server from Debian Jessie to Debian Stretch.

Before the upgrade, I was already successfully using ejabberd 16.09 from
jessie-backports. My setup used a TLS certificate made from an ECC
generated key (certificate was then authenticated by Let's Encrypt).

After the upgrade, the ejabberd 16.09 from Stretch has been installed
and my XMPP clients (Conversations on Android and Gajim on
a Debian desktop) were no longer able to connect to my server, with a
message like "TLS connection error".

Note that I didn't need to update my ejabberd configuration as it was
already good for 16.09 from Jessie backports.

I've also noticed that Firefox was unable to create a TLS connection
with the web admin interface. OpenSSL client commands told me that no
certificates were sent from the web admin interface.

After a small search on the web, it seems to be related to the
erlang-p1-tls package which is used by ejabberd to manage TLS.
[This article](https://koldfront.dk/archive/2017/06/20-210822.html) gives a
patch to apply to this package and says it should work then.

As I found that upstream have applied such a patch as commit 
[b91c17209cc](https://github.com/processone/fast_tls/commit/b9c17209cc4a9cf149f8a64903b4c2b46c125dac)
and I've seen that it has been released in the erlang-p1-tls version
1.0.14, I've tried to install ejabberd 17.07 and erlang-p1-tls 1.0.14
from Buster.

Using these two packages from Buster worked well with my ECDSA certificate.

To summarize, I've found these setups work well:

1. with Jessie server:
  - ECDSA certificate
  - ejabberd 16.09 from Jessie-backports
  - openssl from Jessie (or Jessie-backports I don't know what I had
    before)
  - erlang-p1-tls from Jessie

2. with Stretch server:
  - RSA certificate (not ECDSA)
  - ejabberd 16.09 from Stretch
  - openssl from Stretch
  - erlang-p1-tls from Stretch

3. with Stretch server:
  - ECDSA certificate
  - ejabberd 17.07 from Buster
  - openssl from Stretch
  - erlang-p1-tls from Buster

On my side, as I want to keep my server as stable as possible, I have
rolled back my setup to have all packages from Stretch and use an RSA
key instead of an ECC key.

I've reported the bug on the ejabberd package as my issue comes with
ejabberd and as I don't know exactly which parts from setup 3 above
resolved the issue (the upgrade of ejabberd or erlang-p1-tls ?).
Sorry if it wasn't the right choice.

As I use certificates from Let's Encrypt, it will be easy for me to try
any fix you could apply, let me know if I can help.

Do you think it will be possible to use an ECDSA certificate with ejabberd
using packages from Stretch (or from Stretch-backports)?

Regards,
Adrien Dorsaz

PS: the upstream commit mentioned above is linked to the upstream bug
report: https://github.com/processone/fast_tls/issues/20

-- System Information:
Debian Release: 9.1
  APT prefers stable
  APT policy: (990, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_CH.UTF-8, LC_CTYPE=fr_CH.UTF-8 (charmap=UTF-8), 
LANGUAGE=fr_CH:fr (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ejabberd depends on:
ii  adduser                        3.115
ii  debconf [debconf-2.0]          1.5.61
ii  erlang-asn1                    1:19.2.1+dfsg-2
ii  erlang-base [erlang-abi-17.0]  1:19.2.1+dfsg-2
ii  erlang-crypto                  1:19.2.1+dfsg-2
ii  erlang-inets                   1:19.2.1+dfsg-2
ii  erlang-jiffy                   0.14.8+dfsg-1
ii  erlang-lager                   3.2.4-1
ii  erlang-mnesia                  1:19.2.1+dfsg-2
ii  erlang-odbc                    1:19.2.1+dfsg-2
ii  erlang-p1-cache-tab            1.0.4-2
ii  erlang-p1-iconv                1.0.2-2
ii  erlang-p1-stringprep           1.0.6-2
ii  erlang-p1-tls                  1.0.7-2+b1
ii  erlang-p1-utils                1.0.5-3
ii  erlang-p1-xml                  1.1.15-2
ii  erlang-p1-yaml                 1.0.6-2
ii  erlang-p1-zlib                 1.0.1-4
ii  erlang-public-key              1:19.2.1+dfsg-2
ii  erlang-ssl                     1:19.2.1+dfsg-2
ii  erlang-syntax-tools            1:19.2.1+dfsg-2
ii  erlang-xmerl                   1:19.2.1+dfsg-2
ii  init-system-helpers            1.48
ii  lsb-base                       9.20161125
ii  openssl                        1.1.0f-3
ii  ucf                            3.0036

ejabberd recommends no packages.

Versions of packages ejabberd suggests:
pn  apparmor                                         <none>
pn  apparmor-utils                                   <none>
pn  ejabberd-contrib                                 <none>
pn  erlang-luerl                                     <none>
pn  erlang-p1-mysql                                  <none>
pn  erlang-p1-oauth2                                 <none>
pn  erlang-p1-pam                                    <none>
ii  erlang-p1-pgsql                                  1.1.0-4
pn  erlang-p1-sip                                    <none>
pn  erlang-p1-sqlite3                                <none>
pn  erlang-p1-stun                                   <none>
pn  erlang-redis-client                              <none>
ii  graphicsmagick-imagemagick-compat [imagemagick]  1.3.25-8
ii  libunix-syslog-perl                              1.1-2+b6
ii  yamllint                                         1.5.0-1

-- Configuration Files:
/etc/ejabberd/inetrc [Errno 13] Permission non accordée: '/etc/ejabberd/inetrc'
/etc/ejabberd/modules.d/README.modules [Errno 13] Permission non accordée: 
'/etc/ejabberd/modules.d/README.modules'

-- debconf information excluded

--- End Message ---
--- Begin Message ---
Source: erlang-p1-tls
Source-Version: 1.0.7-2+deb9u1

We believe that the bug you reported is fixed in the latest version of
erlang-p1-tls, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Philipp Huebner <[email protected]> (supplier of updated erlang-p1-tls 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 10 Aug 2017 15:37:09 +0200
Source: erlang-p1-tls
Binary: erlang-p1-tls
Architecture: source amd64
Version: 1.0.7-2+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Philipp Huebner <[email protected]>
Changed-By: Philipp Huebner <[email protected]>
Description:
 erlang-p1-tls - native TLS / SSL driver for Erlang / Elixir
Closes: 871264
Changes:
 erlang-p1-tls (1.0.7-2+deb9u1) stretch; urgency=medium
 .
   * Added backported upstream patch to "use openssl built-in function for
     setting up ECDH curves" (Closes: 871264)
     Thanks Adrien Dorsaz for reporting and providing the patch.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
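
The reporter's diagnostic (asking an OpenSSL client what the server presents) can be made into a repeatable check to run after installing the fixed erlang-p1-tls package. This is an added example, not part of the bug report or of the Debian packages; the function names, port 45223 and the constructed CN=localhost test certificate are assumptions of the example.

```shell
#!/bin/sh
# Added example: print the public-key algorithm of the leaf certificate a TLS
# server presents, or "none" when no certificate arrives (the symptom the
# report describes for the ECDSA setup).
# $1 = host:port, $2 = optional STARTTLS protocol for s_client (e.g. xmpp)
leaf_key_type() {
    out=$(openssl s_client -connect "$1" ${2:+-starttls "$2"} \
        </dev/null 2>/dev/null) || true
    # openssl x509 picks the first PEM certificate out of the s_client output.
    printf '%s\n' "$out" | openssl x509 -noout -text 2>/dev/null |
        sed -n '/Public Key Algorithm:/{s/^.*: *//p;q;}' | grep . || echo none
}

# Self-check against a throwaway local server using a constructed ECDSA
# (prime256v1) certificate. Port 45223 is an assumption; pick any free port.
selftest_ecdsa() {
    dir=$(mktemp -d) || return 1
    openssl ecparam -genkey -name prime256v1 -noout -out "$dir/key.pem" 2>/dev/null
    openssl req -x509 -new -key "$dir/key.pem" -subj /CN=localhost -days 1 \
        -out "$dir/cert.pem" 2>/dev/null
    openssl s_server -accept 127.0.0.1:45223 -cert "$dir/cert.pem" \
        -key "$dir/key.pem" -www >/dev/null 2>&1 &
    srv=$!
    sleep 1                                # give the listener time to bind
    leaf_key_type 127.0.0.1:45223          # expected: id-ecPublicKey
    kill "$srv" 2>/dev/null || true
    rm -rf "$dir"
}
```

Against an XMPP client port the call takes the STARTTLS protocol as second argument, for example `leaf_key_type your.server.example:5222 xmpp`; a result of `none` with an ECDSA certificate configured matches the failure reported here, while `id-ecPublicKey` shows the certificate is being served.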
