Package: ejabberd
Version: 16.09-4
Severity: important

Dear Maintainer,

Last week, I upgraded my server from Debian Jessie to Debian Stretch.

Before the upgrade, I was already successfully using ejabberd 16.09 from
jessie-backports. My setup used a TLS certificate made from an ECC
generated key (the certificate was then authenticated by Let's Encrypt).

After the upgrade, the ejabberd 16.09 from Stretch was installed
and my XMPP clients (Conversations on Android and Gajim on
a Debian desktop) were no longer able to connect to my server, failing with a
message like "TLS connection error".

Note that I didn't need to update my ejabberd configuration as it was
already good for 16.09 from Jessie backports.

I also noticed that Firefox was unable to create a TLS connection
with the web admin interface. OpenSSL client commands told me that no
certificates were sent from the web admin interface.

After a small search on the web, it seems to be related to the
erlang-p1-tls package which is used by ejabberd to manage TLS.
[This article](https://koldfront.dk/archive/2017/06/20-210822.html) gives a
patch to apply to this package and says it should work then.

As I found that upstream have applied such a patch as commit 
[b91c17209cc](https://github.com/processone/fast_tls/commit/b9c17209cc4a9cf149f8a64903b4c2b46c125dac)
and I've seen that it has been released in the erlang-p1-tls version
1.0.14, I've tried to install ejabberd 17.07 and erlang-p1-tls 1.0.14
from Buster.

Using these two packages from Buster worked well with my ECDSA certificate.

To summarize, I've found these setups work well:

1. with Jessie server:
  - ECDSA certificate
  - ejabberd 16.09 from Jessie-backports
  - openssl from Jessie (or Jessie-backports I don't know what I had
    before)
  - erlang-p1-tls from Jessie

2. with Stretch server:
  - RSA certificate (not ECDSA)
  - ejabberd 16.09 from Stretch
  - openssl from Stretch
  - erlang-p1-tls from Stretch

3. with Stretch server:
  - ECDSA certificate
  - ejabberd 17.07 from Buster
  - openssl from Stretch
  - erlang-p1-tls from Buster

On my side, as I want to keep my server as stable as possible, I have
rolled back my setup to have all packages from Stretch and use an RSA
key instead of an ECC key.

I've reported the bug on the ejabberd package as my issue comes with
ejabberd and as I don't know exactly which part of setup 3 above
resolved the issue (the upgrade of ejabberd or erlang-p1-tls?).
Sorry if it wasn't the right choice.

As I use certificates from Let's Encrypt, it will be easy for me to try
any fix you could apply; let me know if I can help.

Do you think it will be possible to use an ECDSA certificate with ejabberd
using packages from Stretch (or from Stretch-backports)?

Regards,
Adrien Dorsaz

PS: the upstream commit mentioned above is linked to the upstream bug
report: https://github.com/processone/fast_tls/issues/20

-- System Information:
Debian Release: 9.1
  APT prefers stable
  APT policy: (990, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_CH.UTF-8, LC_CTYPE=fr_CH.UTF-8 (charmap=UTF-8), LANGUAGE=fr_CH:fr (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ejabberd depends on:
ii  adduser                        3.115
ii  debconf [debconf-2.0]          1.5.61
ii  erlang-asn1                    1:19.2.1+dfsg-2
ii  erlang-base [erlang-abi-17.0]  1:19.2.1+dfsg-2
ii  erlang-crypto                  1:19.2.1+dfsg-2
ii  erlang-inets                   1:19.2.1+dfsg-2
ii  erlang-jiffy                   0.14.8+dfsg-1
ii  erlang-lager                   3.2.4-1
ii  erlang-mnesia                  1:19.2.1+dfsg-2
ii  erlang-odbc                    1:19.2.1+dfsg-2
ii  erlang-p1-cache-tab            1.0.4-2
ii  erlang-p1-iconv                1.0.2-2
ii  erlang-p1-stringprep           1.0.6-2
ii  erlang-p1-tls                  1.0.7-2+b1
ii  erlang-p1-utils                1.0.5-3
ii  erlang-p1-xml                  1.1.15-2
ii  erlang-p1-yaml                 1.0.6-2
ii  erlang-p1-zlib                 1.0.1-4
ii  erlang-public-key              1:19.2.1+dfsg-2
ii  erlang-ssl                     1:19.2.1+dfsg-2
ii  erlang-syntax-tools            1:19.2.1+dfsg-2
ii  erlang-xmerl                   1:19.2.1+dfsg-2
ii  init-system-helpers            1.48
ii  lsb-base                       9.20161125
ii  openssl                        1.1.0f-3
ii  ucf                            3.0036

ejabberd recommends no packages.

Versions of packages ejabberd suggests:
pn  apparmor                                         <none>
pn  apparmor-utils                                   <none>
pn  ejabberd-contrib                                 <none>
pn  erlang-luerl                                     <none>
pn  erlang-p1-mysql                                  <none>
pn  erlang-p1-oauth2                                 <none>
pn  erlang-p1-pam                                    <none>
ii  erlang-p1-pgsql                                  1.1.0-4
pn  erlang-p1-sip                                    <none>
pn  erlang-p1-sqlite3                                <none>
pn  erlang-p1-stun                                   <none>
pn  erlang-redis-client                              <none>
ii  graphicsmagick-imagemagick-compat [imagemagick]  1.3.25-8
ii  libunix-syslog-perl                              1.1-2+b6
ii  yamllint                                         1.5.0-1

-- Configuration Files:
/etc/ejabberd/inetrc [Errno 13] Permission non accordée: '/etc/ejabberd/inetrc'
/etc/ejabberd/modules.d/README.modules [Errno 13] Permission non accordée: '/etc/ejabberd/modules.d/README.modules'

-- debconf information excluded
