koldfront

Patched ejabberd (erlang-p1-tls) to support multiple ECDH curves #free software #programming

After the upgrade to Debian 9 (stretch) yesterday I hit this problem where my ejabberd would not talk to a Prosody server.

The problem seems to be that the two servers each support exactly one ECDH curve, and it is not the same one.

There is an ejabberd issue from May 5 on the subject: TLS ECDH curve selection.

Reading that led me to an issue on the tls package used by ejabberd from November 9, 2015: Allow specification of ECC named curve used in ECDH key exchange.

Hm, couldn't I just patch my erlang-p1-tls package, to fix the problem? I tried:

--- erlang-p1-tls-1.0.7.orig/c_src/fast_tls_drv.c
+++ erlang-p1-tls-1.0.7/c_src/fast_tls_drv.c
@@ -384,16 +384,15 @@ static int verify_callback(int preverify
 static void setup_ecdh(SSL_CTX *ctx)
 {
    EC_KEY *ecdh;
+   static int curves[] = {NID_X9_62_prime256v1, NID_secp384r1};
 
    if (SSLeay() < 0x1000005fL) {
       return;
    }
 
-   ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+   SSL_CTX_set1_curves(ctx, curves, 2);
+   SSL_CTX_set_ecdh_auto(ctx, 1);
    SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE);
-   SSL_CTX_set_tmp_ecdh(ctx, ecdh);
-
-   EC_KEY_free(ecdh);
 }
 #endif
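
Review bot: the `EC_KEY *ecdh;` declaration at the top of setup_ecdh() is now an unused variable, since the only lines that used it (EC_KEY_new_by_curve_name, SSL_CTX_set_tmp_ecdh, EC_KEY_free) are removed; drop it in the same hunk. Two further points on the added lines: the result of `SSL_CTX_set1_curves(ctx, curves, 2)` is ignored and the count is hard-coded, so a failure would silently leave the context on its default curve list, and adding a third NID without updating the `2` would silently drop it; pass `sizeof(curves)/sizeof(curves[0])` and check for a return of 1. The runtime guard still compares SSLeay() against 0x1000005fL, but SSL_CTX_set1_curves and SSL_CTX_set_ecdh_auto first appeared in OpenSSL 1.0.2, so the guard no longer matches the minimum version the function needs and a build against older headers will fail; raise the check or wrap the new calls in a compile-time version test. A short comment above `curves[]` saying why these two curves were chosen (interoperability with peers that offer only one of them) would also help the next reader.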

The result? It works, my ejabberd can now talk to the Prosody server! - I hope it can talk to other ejabberds as well.

Free software - software you can fix yourself!

Update: it has been fixed in the Erlang tls library as well.
