Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:ejabberd
User: [email protected]
Usertags: pu
[ Reason ]
Let's Encrypt has recently ended support for TLS Client Authentication in their certificates, see https://letsencrypt.org/2025/05/14/ending-tls-client-authentication and https://blog.prosody.im/2026-letsencrypt-changes/, as well as Debian bugs #1127369 + #1128568. This breaks communication with ejabberd servers, as they also use the certificate in client mode for server-to-server connections. To permit s2s communication with the new certificates, both the erlang-p1-tls package and the ejabberd package must be updated. If the ejabberd-contrib package is used, that one must also be updated to a version built against the updated ejabberd package.

[ Impact ]
Without addressing this, federation between XMPP servers (s2s) will become more and more broken as more and more servers renew certificates which are then missing the client authentication flag.

[ Tests ]
I have deployed the updated package to my own server together with updated ejabberd + ejabberd-contrib packages, after which I could finally contact other ejabberd servers again that already run recent Let's Encrypt certificates without the client authentication flag.

[ Risks ]
None. Changes are trivial.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Add a patch based on an upstream commit that allows accepting client certificates without the client purpose flag.

[ Other info ]
The fix is already part of current ejabberd releases and thereby also fixed in unstable. I will upload to proposed-updates right away.
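The mechanism described above, as an added example that is not part of this bug report or of ejabberd: a shell check, using the openssl CLI, that reports whether a certificate still passes OpenSSL's "SSL client" purpose test, which is the client-purpose flag the debdiff's patch lets the s2s listener stop requiring. The sample certificates and the CN xmpp.example.test are constructed locally so the check runs offline.

```shell
#!/bin/sh
# Added example (not from the bug report or ejabberd): report whether a PEM
# certificate still passes OpenSSL's "SSL client" purpose test, i.e. whether
# its Extended Key Usage (if present) includes TLS Web Client Authentication.
# ejabberd presents its own certificate as a TLS *client* when it originates
# s2s connections, so a "No" here is what makes a strict remote listener
# reject the connection. A live peer's chain can be fed in via
#   openssl s_client -starttls xmpp-server -connect host:5269 -showcerts
has_client_auth() {
    # `openssl x509 -purpose` prints one "<purpose> : Yes|No" line per purpose.
    if openssl x509 -in "$1" -noout -purpose 2>/dev/null \
            | grep -q '^SSL client : Yes'; then
        echo "client-auth: yes  $1"
        return 0
    fi
    echo "client-auth: no   $1"
    return 1
}

# Constructed sample data: two self-signed certificates with the EKU profiles
# before and after the Let's Encrypt change (hypothetical CN, 1-day validity).
make_cert() {   # make_cert <out.pem> "<extendedKeyUsage list>"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=xmpp.example.test" \
        -addext "extendedKeyUsage = $2" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

WORK=$(mktemp -d)
make_cert "$WORK/old-profile.pem" "serverAuth, clientAuth"
make_cert "$WORK/new-profile.pem" "serverAuth"

has_client_auth "$WORK/old-profile.pem"          # client-auth: yes
has_client_auth "$WORK/new-profile.pem" || :     # client-auth: no
rm -rf "$WORK"
```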
diff -Nru ejabberd-24.12/debian/changelog ejabberd-24.12/debian/changelog --- ejabberd-24.12/debian/changelog 2025-12-27 23:45:41.000000000 +0100 +++ ejabberd-24.12/debian/changelog 2026-03-15 09:24:05.000000000 +0100 @@ -1,3 +1,10 @@ +ejabberd (24.12-3+deb13u2) trixie; urgency=medium + + [ Holger Weiss ] + * Ignore cert purpose for incoming s2s connections + + -- Philipp Huebner <[email protected]> Sun, 15 Mar 2026 09:24:05 +0100 + ejabberd (24.12-3+deb13u1) trixie; urgency=medium * Correctly remove no longer shipped conffile (apparmor profile) diff -Nru ejabberd-24.12/debian/control ejabberd-24.12/debian/control --- ejabberd-24.12/debian/control 2025-12-27 23:45:41.000000000 +0100 +++ ejabberd-24.12/debian/control 2026-03-15 08:50:20.000000000 +0100 @@ -32,7 +32,7 @@ erlang-p1-sqlite3 (>= 1.1.15-2~), erlang-p1-stringprep (>= 1.0.30-2~), erlang-p1-stun (>= 1.2.15), - erlang-p1-tls (>= 1.1.22), + erlang-p1-tls (>= 1.1.22-1+deb13u1), erlang-p1-utils (>= 1.0.26), erlang-p1-xml (>= 1.1.55), erlang-p1-xmpp (>= 1.9.4), @@ -71,7 +71,7 @@ erlang-p1-pkix (>= 1.0.10-2~), erlang-p1-stringprep (>= 1.0.30-2~), erlang-p1-stun (>= 1.2.15), - erlang-p1-tls (>= 1.1.22), + erlang-p1-tls (>= 1.1.22-1+deb13u1), erlang-p1-utils (>= 1.0.26), erlang-p1-xml (>= 1.1.55), erlang-p1-xmpp (>= 1.9.4), diff -Nru ejabberd-24.12/debian/patches/series ejabberd-24.12/debian/patches/series --- ejabberd-24.12/debian/patches/series 2025-12-27 23:45:41.000000000 +0100 +++ ejabberd-24.12/debian/patches/series 2026-03-15 08:50:20.000000000 +0100 @@ -8,3 +8,4 @@ fix-spelling-errors.patch remove_an-trap_macro.patch 133d52d04023d603283a7796c46bc40ffc7cd3c2.patch +src.ejabberd_s2s_in.patch diff -Nru ejabberd-24.12/debian/patches/src.ejabberd_s2s_in.patch ejabberd-24.12/debian/patches/src.ejabberd_s2s_in.patch --- ejabberd-24.12/debian/patches/src.ejabberd_s2s_in.patch 1970-01-01 01:00:00.000000000 +0100 +++ ejabberd-24.12/debian/patches/src.ejabberd_s2s_in.patch 2026-03-15 08:50:20.000000000 +0100 
@@ -0,0 +1,34 @@ +From 8032358dc720c59c799fa2a7e2153e2b3d2ea2a2 Mon Sep 17 00:00:00 2001 +From: Holger Weiss <[email protected]> +Date: Sat, 21 Feb 2026 19:35:23 +0100 +Subject: [PATCH] Ignore cert purpose for incoming s2s connections +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Since web browser certificate authority requirements no longer allow for +including the client purpose flag, let s2s listeners ignore certificate +purposes when authenticating incoming connections. + +Based on upstream commit 72bc9b6c7f6afce7aa671a47eee343cc25b0abcb by +Paweł Chmielowski <[email protected]>. +--- + src/ejabberd_s2s_in.erl | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/ejabberd_s2s_in.erl b/src/ejabberd_s2s_in.erl +index 1af45a16..8a7817cc 100644 +--- a/src/ejabberd_s2s_in.erl ++++ b/src/ejabberd_s2s_in.erl +@@ -138,7 +138,7 @@ process_closed(#{server := LServer} = State, Reason) -> + %%% xmpp_stream_in callbacks + %%%=================================================================== + tls_options(#{tls_options := TLSOpts, lserver := LServer, server_host := ServerHost}) -> +- ejabberd_s2s:tls_options(LServer, ServerHost, TLSOpts). ++ [override_cert_purpose | ejabberd_s2s:tls_options(LServer, ServerHost, TLSOpts)]. + + tls_required(#{server_host := ServerHost}) -> + ejabberd_s2s:tls_required(ServerHost). +-- +2.39.5 +
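Review bot: the new `ejabberd (24.12-3+deb13u2)` changelog entry references none of the bugs the request cites (#1127369, #1128568) and no bug against src:ejabberd; if one of them is filed against ejabberd, append `(Closes: #NNNNNN)` (placeholder) to the `* Ignore cert purpose for incoming s2s connections` line so the BTS records the fix in trixie.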
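Review bot: the bump to `erlang-p1-tls (>= 1.1.22-1+deb13u1)` in both debian/control stanzas touched (the hunks at lines 32 and 71) makes this upload unbuildable and uninstallable in trixie until the matching erlang-p1-tls proposed-update is accepted; the request should state explicitly that the two uploads must be processed together, with erlang-p1-tls first.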
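Review bot: `src.ejabberd_s2s_in.patch` in debian/patches/series is named after the file it touches rather than what it does, unlike the neighbouring `fix-spelling-errors.patch` and `remove_an-trap_macro.patch` (and the upstream-hash style of `133d52d04023d603283a7796c46bc40ffc7cd3c2.patch`); a descriptive name such as `ignore-cert-purpose-for-incoming-s2s.patch`, or the upstream commit hash from the patch header, would follow the existing convention.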
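Review bot: the description in `src.ejabberd_s2s_in.patch` says the listener will "ignore certificate purposes when authenticating incoming connections" but not what is still verified once `override_cert_purpose` is prepended to the s2s listener's TLS options (chain to a trusted CA, key usage, name match against the claimed origin domain); since the change widens which certificates an s2s listener accepts for client authentication, spell out that only the extended key usage purpose test is skipped, if that is indeed its scope in erlang-p1-tls. The body's "Based on upstream commit 72bc9b6c7f6afce7aa671a47eee343cc25b0abcb" also marks this as a backport rather than the upstream commit itself, which a DEP-3 `Origin: backport, <upstream commit URL>` header would express in a way the patch tooling can track.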

