Package: ejabberd
Version: 24.12-3
Severity: important
Dear Maintainer,
since recently, some incoming S2S connections are systematically rejected due
to new letsencrypt certificates that do not include clientAuth anymore.
Here is the message seen in ejabberd logs:
Failed inbound s2s EXTERNAL authentication remoteserver.tld -> myserver.tld
... unsupported certificate purpose
This problem is known (cf. [1]) and was fixed for ejabberd v25.07.
A possible workaround would be to contact every admin of other servers to ask
them to enable mod_dialback, but I think this is hopeless.
So I manually patched my own servers (all of them are running ejabberd from
Debian Trixie) by:
- installing erlang-p1-tls v1.1.25 (rebuilt for Trixie)
- applying the one-line patch on src/ejabberd_s2s_in.erl (cf. [2])
Would it be feasible to include this fix into Debian stable? Or in
proposed-updates?
[1]: https://github.com/processone/ejabberd/issues/4392
[2]: https://github.com/processone/ejabberd/commit/72bc9b6#diff-98717b2810c40f5556afc28a834bacd6676d2d1752c655fce7dcbe8588c17288
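
Added example, not part of the original report and not ejabberd code: a small log triage script that counts which remote servers are being rejected with the message quoted above, to size the impact before and after patching. It assumes each failure is logged on a single line; the sample lines, domains, timestamps and addresses are constructed.

```python
import re
from collections import Counter

# Matches only the fragments quoted in the report. Whatever sits between them
# (elided as "..." in the report) is skipped without being interpreted.
FAILURE = re.compile(
    r"Failed inbound s2s EXTERNAL authentication "
    r"(?P<remote>\S+) -> (?P<local>\S+)"
    r".*unsupported certificate purpose"
)


def affected_peers(lines):
    """Count rejected inbound s2s attempts per (remote, local) domain pair."""
    hits = Counter()
    for line in lines:
        m = FAILURE.search(line)
        if m:
            hits[(m["remote"], m["local"])] += 1
    return hits


# Constructed sample log (hypothetical layout around the quoted message).
SAMPLE_LOG = """\
2025-01-01 10:00:00 [warning] Failed inbound s2s EXTERNAL authentication a.example -> myserver.example (192.0.2.10): unsupported certificate purpose
2025-01-01 10:00:05 [info] Accepted connection 192.0.2.20 -> 192.0.2.1
2025-01-01 10:01:00 [warning] Failed inbound s2s EXTERNAL authentication b.example -> myserver.example (192.0.2.30): unsupported certificate purpose
2025-01-01 10:02:00 [warning] Failed inbound s2s EXTERNAL authentication c.example -> myserver.example (192.0.2.40): constructed other reason
2025-01-01 10:05:00 [warning] Failed inbound s2s EXTERNAL authentication a.example -> myserver.example (192.0.2.10): unsupported certificate purpose
""".splitlines()


if __name__ == "__main__":
    # Most frequently rejected peers first.
    for (remote, local), count in affected_peers(SAMPLE_LOG).most_common():
        print(f"{count:4d}  {remote} -> {local}")
```

Failures with any other reason are deliberately not counted, so the output isolates peers hit by the missing clientAuth purpose.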