#943 ArchLinux Prosody 0.10 cannot talk with Debian 9 Ejabberd
Reporter
kseistrup
Owner
Zash
Created
Updated
Stars
★★ (2)
Tags
Priority-Medium
Status-Fixed
Milestone-0.10
Type-Defect
kseistrup
on
I'm here from #879 (comment 11):
What steps will reproduce the problem?
1. Add account on an ArchLinux community/prosody 1:0.10 installation
2. Add account on a Debian 9 (stretch) ejabberd instance (v16.09)
3. Have the two accounts chat over a TLS-encrypted s2s session
What is the expected output? What do you see instead?
Expected: The two accounts can chat, as before Debian upgraded to stretch.
Seen: At best, with some tweaks, the Prosody instance can initiate an s2sout connection, thus letting the prosody end send messages to the ejabberd end. But the s2sin connection fails.
What version of the product are you using? On what operating system?
Plain Prosody install from ArchLinux:
Prosody hg:2fd20f372cb1
# Prosody directories
Data directory: /var/lib/prosody
Config directory: /etc/prosody
Source directory: /usr/lib/prosody
Plugin directories:
/usr/lib/prosody/modules/
# Lua environment
Lua version: Lua 5.1
Lua module search paths:
/usr/lib/prosody/?.lua
/usr/share/luajit-2.0.5/?.lua
/usr/local/share/lua/5.1/?.lua
/usr/local/share/lua/5.1/?/init.lua
/usr/share/lua/5.1/?.lua
/usr/share/lua/5.1/?/init.lua
Lua C module search paths:
/usr/lib/prosody/?.so
/usr/local/lib/lua/5.1/?.so
/usr/lib/lua/5.1/?.so
/usr/local/lib/lua/5.1/loadall.so
LuaRocks: Not installed
# Lua module versions
lfs: LuaFileSystem 1.6.3
libevent: 2.0.22-stable
luaevent: 0.4.4
lxp: LuaExpat 1.3.0
socket: LuaSocket 3.0-rc1
ssl: 0.6
Please provide any additional information below.
Here's a few lines from the ejabberd end. I'm sorry, it's all we've got:
2017-06-19 19:00:54.426 [debug] <0.554.0>@ejabberd_receiver:handle_info:194 TLS error = SSL_do_handshake failed: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
2017-06-19 19:00:54.426 [info] <0.549.0>@ejabberd_s2s_out:wait_for_stream:386 Closing s2s connection: koldfront.dk -> enotty.dk (close in wait_for_stream)
Ejabberd is using curve prime256v1 while prosody is using secp384r1. After the ejabberd admin patched his ejabberd to try curves {NID_X9_62_prime256v1, NID_secp384r1}, we can talk again: https://koldfront.dk/archive/2017/06/20-210822.html
I hope somebody else can provide more info.
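Added example, not part of the original report or of either project's code: a simplified Python model of the curve mismatch described above, with ejabberd as the connecting side (its `s2s_out` log lines) offering its curves in the TLS `supported_groups` extension and Prosody as the accepting side. The curve lists are constructed from the report, and the selection rule (server order, ECDHE as the only usable key exchange) is an assumption.

```python
import struct

# IANA TLS "Supported Groups" ids; prime256v1 is OpenSSL's name for secp256r1.
GROUP_IDS = {"prime256v1": 23, "secp384r1": 24, "secp521r1": 25}
GROUP_NAMES = {v: k for k, v in GROUP_IDS.items()}
EXT_SUPPORTED_GROUPS = 10  # extension type, RFC 8422 section 5.1.1


class HandshakeFailure(Exception):
    """Stands in for the fatal handshake_failure alert (code 40)."""


def encode_supported_groups(curves):
    """Build the extension as it appears in a ClientHello."""
    body = b"".join(struct.pack("!H", GROUP_IDS[c]) for c in curves)
    named_list = struct.pack("!H", len(body)) + body
    return struct.pack("!HH", EXT_SUPPORTED_GROUPS, len(named_list)) + named_list


def decode_supported_groups(ext):
    """Parse the extension, rejecting truncated or inconsistent input."""
    if len(ext) < 6:
        raise ValueError("extension too short")
    ext_type, ext_len, list_len = struct.unpack("!HHH", ext[:6])
    if ext_type != EXT_SUPPORTED_GROUPS:
        raise ValueError("not a supported_groups extension")
    if ext_len != len(ext) - 4 or list_len != ext_len - 2 or list_len % 2:
        raise ValueError("inconsistent length fields")
    ids = struct.unpack("!%dH" % (list_len // 2), ext[6:])
    return [GROUP_NAMES.get(i, "unknown(%d)" % i) for i in ids]


def server_select_curve(client_ext, server_curves):
    """Assumed rule: first server-configured curve the client also offered."""
    offered = decode_supported_groups(client_ext)
    for curve in server_curves:
        if curve in offered:
            return curve
    raise HandshakeFailure("no shared curve: client %s, server %s"
                           % (offered, server_curves))


# Constructed configurations modelled on the report (not taken from real configs).
PROSODY = ["secp384r1"]
EJABBERD_BEFORE = ["prime256v1"]
EJABBERD_PATCHED = ["prime256v1", "secp384r1"]
```

With `EJABBERD_BEFORE` the selection raises `HandshakeFailure`; with `EJABBERD_PATCHED` it returns `secp384r1`.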
Fixed in https://hg.prosody.im/trunk/rev/92cddfe65003