Your message dated Sat, 16 May 2026 10:23:16 +0000
with message-id <[email protected]>
and subject line Released with 13.5
has caused the Debian Bug report #1130812,
regarding trixie-pu: package ejabberd/24.12-3+deb13u2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1130812: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130812
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:ejabberd
User: [email protected]
Usertags: pu
[ Reason ]
Let's Encrypt has recently ended the support for TLS Client
Authentication in their certificates, see
https://letsencrypt.org/2025/05/14/ending-tls-client-authentication
and https://blog.prosody.im/2026-letsencrypt-changes/, as well as
Debian bugs #1127369 + #1128568.
This breaks communication with ejabberd servers, as they use the
certificate also in client mode for server-to-server connections.
To permit s2s communication with the new certificates, both the erlang-p1-tls
package and the ejabberd package must be updated. If the ejabberd-contrib
package is used, that one must also be updated to a version built
against the updated ejabberd package.
[ Impact ]
Without addressing this, federation between XMPP servers (s2s) will become
more and more broken as more and more servers renew certificates which are
then missing the client authentication flag.
[ Tests ]
I have deployed the updated package to my own server together with
updated ejabberd + ejabberd-contrib packages, after which I could
finally contact other ejabberd servers again that already run recent
Let's Encrypt certificates without the client authentication flag.
[ Risks ]
None. Changes are trivial.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Add patch based on an upstream commit that allows accepting client certificates
without the client purpose flag.
[ Other info ]
The fix is already part of current ejabberd releases and thereby also fixed in
unstable.
I will upload to proposed-updates right away.
diff -Nru ejabberd-24.12/debian/changelog ejabberd-24.12/debian/changelog
--- ejabberd-24.12/debian/changelog 2025-12-27 23:45:41.000000000 +0100
+++ ejabberd-24.12/debian/changelog 2026-03-15 09:24:05.000000000 +0100
@@ -1,3 +1,10 @@
+ejabberd (24.12-3+deb13u2) trixie; urgency=medium
+
+ [ Holger Weiss ]
+ * Ignore cert purpose for incoming s2s connections
+
+ -- Philipp Huebner <[email protected]> Sun, 15 Mar 2026 09:24:05 +0100
+
ejabberd (24.12-3+deb13u1) trixie; urgency=medium
* Correctly remove no longer shipped conffile (apparmor profile)
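Review bot: the new changelog line `* Ignore cert purpose for incoming s2s connections` carries neither a bug reference nor the reason for the change; since this stable update exists to cope with Let's Encrypt certificates that no longer carry the client purpose flag, a `Closes:` reference to the applicable bug (the Reason section names #1127369 and #1128568) or a short mention of the Let's Encrypt change would make the update traceable from `apt changelog` alone. The entry also does not say that erlang-p1-tls 1.1.22-1+deb13u1 is now required, which the control changes enforce; one line noting the new minimum would help administrators who upgrade by hand.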
diff -Nru ejabberd-24.12/debian/control ejabberd-24.12/debian/control
--- ejabberd-24.12/debian/control 2025-12-27 23:45:41.000000000 +0100
+++ ejabberd-24.12/debian/control 2026-03-15 08:50:20.000000000 +0100
@@ -32,7 +32,7 @@
erlang-p1-sqlite3 (>= 1.1.15-2~),
erlang-p1-stringprep (>= 1.0.30-2~),
erlang-p1-stun (>= 1.2.15),
- erlang-p1-tls (>= 1.1.22),
+ erlang-p1-tls (>= 1.1.22-1+deb13u1),
erlang-p1-utils (>= 1.0.26),
erlang-p1-xml (>= 1.1.55),
erlang-p1-xmpp (>= 1.9.4),
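Review bot: the new constraint `+ erlang-p1-tls (>= 1.1.22-1+deb13u1),` lacks the trailing `~` that the neighbouring versioned dependencies use (`erlang-p1-sqlite3 (>= 1.1.15-2~)`, `erlang-p1-stringprep (>= 1.0.30-2~)`); without it a rebuild against a version such as `1.1.22-1+deb13u1~bpo13+1` would not satisfy the dependency, because `~` sorts before the empty string in Debian version comparison. Suggest `erlang-p1-tls (>= 1.1.22-1+deb13u1~),` unless the omission is deliberate. The bump itself is justified: the Reason section states that erlang-p1-tls must be updated alongside ejabberd for the new option to work, and without this constraint apt would accept the old library.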
@@ -71,7 +71,7 @@
erlang-p1-pkix (>= 1.0.10-2~),
erlang-p1-stringprep (>= 1.0.30-2~),
erlang-p1-stun (>= 1.2.15),
- erlang-p1-tls (>= 1.1.22),
+ erlang-p1-tls (>= 1.1.22-1+deb13u1),
erlang-p1-utils (>= 1.0.26),
erlang-p1-xml (>= 1.1.55),
erlang-p1-xmpp (>= 1.9.4),
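Review bot: the same `~` point applies to this second stanza, where `+ erlang-p1-tls (>= 1.1.22-1+deb13u1),` sits among `~`-suffixed constraints; `erlang-p1-tls (>= 1.1.22-1+deb13u1~),` would be consistent with them. Bumping the minimum in both stanzas rather than only the first is correct here, since the `override_cert_purpose` option added by this update is interpreted by the installed library at run time, so a package built against the new erlang-p1-tls must also refuse to be installed with the old one.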
diff -Nru ejabberd-24.12/debian/patches/series
ejabberd-24.12/debian/patches/series
--- ejabberd-24.12/debian/patches/series 2025-12-27 23:45:41.000000000
+0100
+++ ejabberd-24.12/debian/patches/series 2026-03-15 08:50:20.000000000
+0100
@@ -8,3 +8,4 @@
fix-spelling-errors.patch
remove_an-trap_macro.patch
133d52d04023d603283a7796c46bc40ffc7cd3c2.patch
+src.ejabberd_s2s_in.patch
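Review bot: the appended entry `+src.ejabberd_s2s_in.patch` is named after the file it touches, while the preceding entry `133d52d04023d603283a7796c46bc40ffc7cd3c2.patch` is named after an upstream commit; the new patch file's own header records its upstream commit id, so provenance is preserved either way, but a descriptive name such as `ignore-cert-purpose-s2s-in.patch` would tell a reader what the patch does without opening it. Appending it as the last entry is fine.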
diff -Nru ejabberd-24.12/debian/patches/src.ejabberd_s2s_in.patch
ejabberd-24.12/debian/patches/src.ejabberd_s2s_in.patch
--- ejabberd-24.12/debian/patches/src.ejabberd_s2s_in.patch 1970-01-01
01:00:00.000000000 +0100
+++ ejabberd-24.12/debian/patches/src.ejabberd_s2s_in.patch 2026-03-15
08:50:20.000000000 +0100
@@ -0,0 +1,34 @@
+From 8032358dc720c59c799fa2a7e2153e2b3d2ea2a2 Mon Sep 17 00:00:00 2001
+From: Holger Weiss <[email protected]>
+Date: Sat, 21 Feb 2026 19:35:23 +0100
+Subject: [PATCH] Ignore cert purpose for incoming s2s connections
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Since web browser certificate authority requirements no longer allow for
+including the client purpose flag, let s2s listeners ignore certificate
+purposes when authenticating incoming connections.
+
+Based on upstream commit 72bc9b6c7f6afce7aa671a47eee343cc25b0abcb by
+Paweł Chmielowski <[email protected]>.
+---
+ src/ejabberd_s2s_in.erl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/ejabberd_s2s_in.erl b/src/ejabberd_s2s_in.erl
+index 1af45a16..8a7817cc 100644
+--- a/src/ejabberd_s2s_in.erl
++++ b/src/ejabberd_s2s_in.erl
+@@ -138,7 +138,7 @@ process_closed(#{server := LServer} = State, Reason) ->
+ %%% xmpp_stream_in callbacks
+ %%%===================================================================
+ tls_options(#{tls_options := TLSOpts, lserver := LServer, server_host :=
ServerHost}) ->
+- ejabberd_s2s:tls_options(LServer, ServerHost, TLSOpts).
++ [override_cert_purpose | ejabberd_s2s:tls_options(LServer, ServerHost,
TLSOpts)].
+
+ tls_required(#{server_host := ServerHost}) ->
+ ejabberd_s2s:tls_required(ServerHost).
+--
+2.39.5
+
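Review bot: the single functional change, `++ [override_cert_purpose | ejabberd_s2s:tls_options(LServer, ServerHost, TLSOpts)].`, is scoped to the incoming side (`ejabberd_s2s_in.erl`) only, which is the right place: it is the receiving server that evaluates the peer certificate's purposes, whereas on outgoing connections this server's own certificate is judged by the remote. Administrators should therefore expect that an updated server accepts peers presenting serverAuth-only certificates, but can still be refused by remotes that have not applied the equivalent change. Nothing in this hunk alters the other checks the listener performs, so the relaxation is limited to the purpose (extended key usage) check; it would still help to state in the patch description or the changelog what `override_cert_purpose` does, since its semantics live in the separately updated erlang-p1-tls and are not visible here. The git-format-patch header (From/Date/Subject plus the note that it is based on upstream commit 72bc9b6c7f6afce7aa671a47eee343cc25b0abcb) satisfies DEP-3, so no separate Origin/Bug header is needed.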
--- End Message ---
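The "client authentication flag" the report refers to is the clientAuth value of the X.509 extendedKeyUsage extension. The following shell script, added here and not part of the bug report or of the ejabberd package, shows how an administrator can check whether a PEM certificate still carries it; it generates its own self-signed test certificates and assumes only that openssl(1) is installed.

```shell
#!/bin/sh
# Added example (not from the bug report or ejabberd): report whether a PEM
# certificate carries the clientAuth extended key usage that an unpatched
# s2s peer requires when this server connects to it. Assumes openssl(1).
set -eu

# Print "yes" if the certificate in $1 lists TLS Web Client Authentication
# among its extended key usages, "no" otherwise (including when the
# extension is absent, in which case openssl prints no EKU block at all).
cert_has_client_auth() {
    if openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -q 'TLS Web Client Authentication'; then
        echo yes
    else
        echo no
    fi
}

# Generate a self-signed test certificate with the given extendedKeyUsage.
# $1 = output PEM path, $2 = extendedKeyUsage value, e.g. "serverAuth".
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=xmpp.example.test" \
        -addext "extendedKeyUsage=$2" \
        -keyout "${1%.pem}.key" -out "$1" >/dev/null 2>&1
}

# Constructed samples: the profile Let's Encrypt now issues (serverAuth
# only) next to the older serverAuth+clientAuth profile.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
make_test_cert "$tmpdir/server-only.pem" serverAuth
make_test_cert "$tmpdir/server-client.pem" serverAuth,clientAuth

for f in server-only server-client; do
    printf '%s: clientAuth=%s\n' "$f" "$(cert_has_client_auth "$tmpdir/$f.pem")"
done
```

Run the check against the certificate file configured for your s2s listener to see whether remote servers that still enforce the purpose check will accept your outgoing connections.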
--- Begin Message ---
Package: release.debian.org
Version: 13.5
This update has been released as part of Debian 13.5.
--- End Message ---