Bug#933042: python3-sleekxmpp: TLSv1.0-only is incompatible with modern servers

Thu, 25 Jul 2019 17:12:58 -0700 

Package: python3-sleekxmpp
Version: 1.3.3-4
Severity: normal

Dear Maintainer,

After having upgraded an XMPP server (ejabberd on Debian buster)
connections from python3-sleekxmpp are failing.

ejabberd.log:

  2019-07-25 16:23:06.078 [warning] 
<0.627.0>@ejabberd_c2s:process_terminated:285 (tls|<0.627.0>) Failed to secure 
c2s connection: TLS failed: SSL_do_handshake failed: error:14209102:SSL 
routines:tls_early_post_process_client_hello:unsupported protocol

Code within the sleekxmpp is explicitly setting TLS parameters:

  xmlstream.py line 119:

    #: Most XMPP servers support TLSv1, but OpenFire in particular
    #: does not work well with it. For OpenFire, set
    #: :attr:`ssl_version` to use ``SSLv23``::
    #:
    #:     import ssl
    #:     xmpp.ssl_version = ssl.PROTOCOL_SSLv23
    self.ssl_version = ssl.PROTOCOL_TLSv1

According to Python documentation, this probably ought to be set to
ssl.PROTOCOL_TLS (sans -v1) for widest range of compatibility, see table
at:

  https://docs.python.org/3/library/ssl.html#ssl.SSLContext

Initially I had thought about opening a bug with ejabberd since I cannot
seem to coerce it into allowing TLSv1.0 connections anymore.  However I
suppose that since it's 2019, it's time to heed these deprecation
warnings in the Python docs ;-)


-- System Information:
Debian Release: 10.0
  APT prefers stable
  APT policy: (601, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-cloud-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages python3-sleekxmpp depends on:
ii  libjs-sphinxdoc         1.8.4-1
ii  python3                 3.7.3-1
ii  python3-dnspython       1.16.0-1
ii  python3-pyasn1          0.4.2-3
ii  python3-pyasn1-modules  0.2.1-0.2

Versions of packages python3-sleekxmpp recommends:
ii  python3-dateutil                  2.7.3-3
pn  python3-gnupg                     <none>
pn  python3-socks | python3-socksipy  <none>

python3-sleekxmpp suggests no packages.

-- no debconf information

-- 
Gerald Turner <gtur...@unzane.com>        Encrypted mail preferred!
OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80  3858 EC94 2276 FDB8 716D

Attachment: signature.asc
Description: PGP signature

Reply via email to