Christof,

I had the same problem; luckily I ran on a test server. I could not even log in with my client.

There has been a change in sx/ssl.c line 899. The line now reads
ctx = SSL_CTX_new(TLSv1_2_method());

This means that it will support TLS v1.2 only. Connections using SSLv3 or TLS v1.1 and earlier are not accepted any more. There is also another issue: if a secure connection cannot be established for any reason (incompatible protocol or verification failed or similar), it will retry many times in very rapid succession for 10 minutes.

You can get the old behavior back by changing the line above back to the 2.2.17 version:
ctx = SSL_CTX_new(SSLv23_method());

I think a better solution would be to use the SSLv23_method and disable SSLv3 with an option immediately after:

SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);

I have not tested this yet, but as far as I can see it will leave you with support for TLS v1.0, v1.1 and v1.2. An even better solution would be to make the SSL settings user-configurable. This is not trivial to do, though.

Regards,
Eric.


On 11/26/13 07:40, Christof Meerwald wrote:
On Mon, 18 Nov 2013 17:18:07 +0100, Tomasz Sterna wrote:
Next jabberd2 release is finally available.

Get 2.3.0 release at GitHub: https://github.com/jabberd2/jabberd2/releases

I tried upgrading from 2.2.17 to 2.3.0 yesterday, but that left me
with a broken server. The s2s component now just connects to a remote
server, switches the stream to TLS, gets the certificate, disconnects
and immediately connects again. The log file doesn't give any reason
for this connection/disconnection loop and it's not clear what
configuration settings need to be updated to make it work again (as
the NEWS file isn't that helpful). But as there is no delay between
the connects/disconnects (and no useful error message), this behaviour
might be considered a bug anyway...

Guess I'll have to do some debugging and code reviewing in the next
few days...


Christof
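
Added example, not jabberd2 or OpenSSL code: a small C model of pre-TLS 1.3 version negotiation, showing which peers each of the three configurations named in Eric's message can still complete a handshake with. The masks, names and sample peers are constructed for illustration, and SSLv2 is left out of the model.

```c
#include <stdio.h>

/* Protocol versions, oldest to newest; each is one bit in an "enabled" mask.
 * Constructed model: SSLv2 is left out and all names are illustrative. */
enum { SSL3, TLS10, TLS11, TLS12, NVERS };
static const char *const NAMES[NVERS] = {"SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"};
#define BIT(v) (1u << (v))

/* The three configurations discussed in the message above. */
#define CFG_TLS12_ONLY   BIT(TLS12)                 /* TLSv1_2_method()   */
#define CFG_SSLV23       (BIT(NVERS) - 1)           /* SSLv23_method()    */
#define CFG_SSLV23_NO_V3 (CFG_SSLV23 & ~BIT(SSL3))  /* + SSL_OP_NO_SSLv3  */

/* Highest version enabled in mask, or -1 if none. */
static int highest(unsigned mask) {
    for (int v = NVERS - 1; v >= 0; v--)
        if (mask & BIT(v)) return v;
    return -1;
}

/* Returns the negotiated version, or -1 when the handshake fails. */
int negotiate(unsigned client, unsigned server) {
    int offered = highest(client);        /* ClientHello carries the client's maximum */
    if (offered < 0) return -1;
    /* Server picks its highest enabled version not above the client's offer. */
    int chosen = highest(server & (BIT(offered + 1) - 1));
    if (chosen < 0) return -1;            /* server has nothing that old enabled */
    if (!(client & BIT(chosen))) return -1; /* client refuses the downgrade */
    return chosen;
}

int main(void) {
    const unsigned cfgs[] = {CFG_TLS12_ONLY, CFG_SSLV23, CFG_SSLV23_NO_V3};
    const char *const cfg_names[] = {"TLSv1_2_method", "SSLv23_method",
                                     "SSLv23_method+NO_SSLv3"};
    /* Constructed sample peers (remote servers we connect out to). */
    const unsigned peers[] = {BIT(SSL3), BIT(SSL3) | BIT(TLS10), CFG_SSLV23_NO_V3};
    const char *const peer_names[] = {"SSLv3 only", "SSLv3+TLSv1.0", "TLSv1.0-1.2"};

    for (int i = 0; i < 3; i++)
        for (int j = 0; j < 3; j++) {
            int v = negotiate(cfgs[i], peers[j]);
            printf("%-24s -> %-14s : %s\n", cfg_names[i], peer_names[j],
                   v < 0 ? "handshake fails" : NAMES[v]);
        }
    return 0;
}
```

The same function covers inbound connections by swapping the arguments, with the local configuration passed as `server`.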



