koldfront

Patched ejabberd (erlang-p1-tls) to support multiple ECDH curves #free software #programming

๐Ÿ•—๏ธŽ - 2017-06-20

After the upgrade to Debian 9 (stretch) yesterday I hit this problem where my ejabberd would not talk a Prosody server.

The problem seems to be that the two servers each support exactly one ECDH curve, and it is not the same one.

There is an ejabberd issue from May 5 on the subject: TLS ECDH curve selection.

Reading that lead me to an issue on the tls package used by ejabberd from November 9, 2015: Allow specification of ECC named curve used in ECDH key exchange.

Hm, couldn't I just patch my erlang-p1-tls package, to fix the problem? I tried:


--- erlang-p1-tls-1.0.7.orig/c_src/fast_tls_drv.c
+++ erlang-p1-tls-1.0.7/c_src/fast_tls_drv.c
@@ -384,16 +384,15 @@ static int verify_callback(int preverify
 static void setup_ecdh(SSL_CTX *ctx)
 {
    EC_KEY *ecdh;
+   static int curves[] = {NID_X9_62_prime256v1, NID_secp384r1};
 
    if (SSLeay() < 0x1000005fL) {
       return;
    }
 
-   ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+   SSL_CTX_set1_curves(ctx, curves, 2);
+   SSL_CTX_set_ecdh_auto(ctx, 1);
    SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE);
-   SSL_CTX_set_tmp_ecdh(ctx, ecdh);
-
-   EC_KEY_free(ecdh);
 }
 #endif

The result? It works, my ejabberd can now talk to the Prosody server! - I hope it can talk to other ejabberd's as well.

Free software - software you can fix yourself!

Update: it has been fixed in the Erlang tls library as well.

Add comment

To avoid spam many websites make you fill out a CAPTCHA, or log in via an account at a corporation such as Twitter, Facebook, Google or even Microsoft GitHub.

I have chosen to use a more old school method of spam prevention.

To post a comment here, you need to:

ยน Such as Thunderbird, Pan, slrn, tin or Gnus (part of Emacs).

Or, you can fill in this form:

+=