Patched ejabberd (erlang-p1-tls) to support multiple ECDH curves #free software #programming
After the upgrade to Debian 9 (stretch) yesterday I hit this problem where my ejabberd would not talk to a Prosody server.
The problem seems to be that the two servers each support exactly one ECDH curve, and it is not the same one.
There is an ejabberd issue from May 5 on the subject: TLS ECDH curve selection.
Reading that led me to an issue on the tls package used by ejabberd from November 9, 2015: Allow specification of ECC named curve used in ECDH key exchange.
Hm, couldn't I just patch my erlang-p1-tls package to fix the problem? I tried:
--- erlang-p1-tls-1.0.7.orig/c_src/fast_tls_drv.c
+++ erlang-p1-tls-1.0.7/c_src/fast_tls_drv.c
@@ -384,16 +384,15 @@ static int verify_callback(int preverify
static void setup_ecdh(SSL_CTX *ctx)
{
EC_KEY *ecdh;
+ static int curves[] = {NID_X9_62_prime256v1, NID_secp384r1};
if (SSLeay() < 0x1000005fL) {
return;
}
- ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+ SSL_CTX_set1_curves(ctx, curves, 2);
+ SSL_CTX_set_ecdh_auto(ctx, 1);
SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE);
- SSL_CTX_set_tmp_ecdh(ctx, ecdh);
-
- EC_KEY_free(ecdh);
}
#endif
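Review bot: `EC_KEY *ecdh;` is now declared but never used, since the `EC_KEY_new_by_curve_name`, `SSL_CTX_set_tmp_ecdh` and `EC_KEY_free` lines are gone; drop the declaration, or every build will carry an unused-variable warning. The larger point is the version guard: `SSL_CTX_set1_curves` and `SSL_CTX_set_ecdh_auto` only exist from OpenSSL 1.0.2, but the retained `if (SSLeay() < 0x1000005fL) return;` (1.0.0e) is a runtime check and says nothing about the headers the file is compiled against; against 1.0.1 headers this hunk does not compile. Wrap the new calls in `#if OPENSSL_VERSION_NUMBER >= 0x10002000L` and keep the old single-curve path in the `#else` branch. Minor: the literal `2` in `SSL_CTX_set1_curves(ctx, curves, 2)` duplicates the array length (`sizeof(curves) / sizeof(curves[0])` cannot drift), and the return value (1 on success, 0 if a curve is rejected) is ignored, so a bad entry in the list would go unnoticed.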
The result? It works, my ejabberd can now talk to the Prosody server! - I hope it can talk to other ejabberds as well.
Free software - software you can fix yourself!
Update: it has been fixed in the Erlang tls library as well.