linux:debian:start

Differences
linux:debian:start [2017/07/25 04:36] – add how-to print out APT keys stybla
linux:debian:start [2017/12/05 06:18] – Added migration of ejabberd from Jessie to Stretch stybla
Line 80: Line 80:
 ==== Migrating ejabberd 2.0.x to 2.1.x ==== ==== Migrating ejabberd 2.0.x to 2.1.x ====
  
-**WARNING - still work in progress!!!**+**WARNING - probably a bit incomplete, but who cares years later**
  
 Debian 6.0 Squeeze, however I think this doesn't depend on your GNU/Linux distribution. Debian 6.0 Squeeze, however I think this doesn't depend on your GNU/Linux distribution.
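Review bot: the reworded warning says the 2.0.x to 2.1.x section is "probably a bit incomplete" but no longer says what is missing; since the section below it lists concrete steps ending in "hopefully enjoy!", name which steps were never verified, or drop the warning if the procedure worked as written, so a reader knows what to double-check.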
Line 147: Line 147:
 </code> </code>
   * hopefully enjoy!   * hopefully enjoy!
 +
 +==== Migrating ejabberd from Jessie to Stretch ====
 +
 +Yet another round fun. My private Jabber has been off for a long time, because client decided server is no good anymore. This was due to vulnerabilities in SSL/TLS, resp. OpenSSL(?) and there seemed to be no fix for Jessie. I've ignored it, because I didn't have time and it's not that important to me anyway. Now, on the verge of migration to Stretch, I couldn't ignore it anymore. Of course I've hit couple snags on the way.
 +
 +First of all, I found out I can neither perform backup or dump of ejabberd at Jessie. Mad props to devs, because all I had to do was to move ''/var/lib/ejabberd'' to the new server.
 +
 +Second of all, there was the change of format of configuration file from whatever to YAML. In theory, you can convert old cfg to YAML via ''ejabberdctl convert_to_yaml src dst''. Theory being theory, it wasn't my case.
 +
 +<code>
 +ejabberdctl convert_to_yaml /etc/ejabberd/ejabberd-old.cfg /etc/ejabberd/ejabberd.yaml
 +Error: erofs
 +</code>
 +
 +Not exactly nice, but worry not, because it's not that hard to adjust whatever needs to be adjusted, if your configuration is simple.
 +
 +Last, but not least, was the certificate. I guess that was the issue on Jessie as well, but then I didn't really spend any time on it. Anyway, once I got ejabberd up and running, I couldn't connect. "Host unknown" was the error and some others later on. The following should've been the big hint, unfortunately wasn't.
 +
 +<code>
 +foo@bar:~/openssl$ s_client -connect XXX:5222
 +CONNECTED(00000003)
 +140252860966144:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:252:
 +---
 +no peer certificate available
 +---
 +No client certificate CA names sent
 +---
 +SSL handshake has read 5 bytes and written 176 bytes
 +Verification: OK
 +---
 +New, (NONE), Cipher is (NONE)
 +Secure Renegotiation IS NOT supported
 +Compression: NONE
 +Expansion: NONE
 +No ALPN negotiated
 +SSL-Session:
 +    Protocol  : TLSv1.2
 +    Cipher    : 0000
 +    Session-ID: 
 +    Session-ID-ctx: 
 +    Master-Key: 
 +    PSK identity: None
 +    PSK identity hint: None
 +    SRP username: None
 +    Start Time: 1512468671
 +    Timeout   : 7200 (sec)
 +    Verify return code: 0 (ok)                                                                                                                                                        
 +    Extended master secret: no                                                                                                                                                        
 +---                                                                                                                                                                                   
 +foo@bar:~/$ openssl s_client -connect XXX:5222 -starttls xmpp                                                               
 +CONNECTED(00000003)                                                                                                                                                                   
 +---                                                                                                                                                                                   
 +no peer certificate available                                                                                                                                                         
 +---
 +No client certificate CA names sent
 +---
 +SSL handshake has read 295 bytes and written 126 bytes
 +Verification: OK
 +---
 +New, (NONE), Cipher is (NONE)
 +Secure Renegotiation IS NOT supported
 +Compression: NONE
 +Expansion: NONE
 +No ALPN negotiated
 +---
 +</code>
 +
 +Well, at least I've found out you must(?) disable SSLv2 in the config as well. Also, that there is ''starttls_required: true''. Anyway, this didn't help either and I didn't find error messages really helpful(I guess I should've, shouldn't I?).
 +
 +<code>
 +2017-12-05 11:13:30.742 [error] <0.376.0> Supervisor ejabberd_s2s_in_sup had child undefined started with {ejabberd_s2s_in,start_link,undefined} at <0.528.0> exit with reason no match of right hand value {error,<<"SSL_CTX_use_certificate_file failed: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak">>} in ejabberd_socket:starttls/3 line 153 in context child_terminated
 +2017-12-05 11:13:49.406 [error] <0.530.0> gen_fsm <0.530.0> in state wait_for_feature_request terminated with reason: no match of right hand value {error,<<"SSL_CTX_use_certificate_file failed: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak">>} in ejabberd_socket:starttls/3 line 153
 +</code>
 +
 +So, as the last ditch effort, I've generated new SSL certificate. Lo behold, the miracle! Everything works now. I wonder what the problem was. May be SSL cert generated in ~ 2013 wasn't strong enough and that's what the issue was about from the get go. Comparison of old and new one:
 +
 +<code>
 +Signature Algorithm: md5WithRSAEncryption
 +Signature Algorithm: sha256WithRSAEncryption
 +</code>
  
  
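Review bot: the cause is already on the page and the closing paragraph should state it instead of "I wonder what the problem was": the two log lines report SSL_CTX_use_certificate failing with "ca md too weak", and the certificate comparison shows the old certificate was signed with md5WithRSAEncryption; OpenSSL in Stretch rejects MD5-signed certificates at its default security level, which is why generating a sha256WithRSAEncryption certificate fixed both the "no peer certificate available" output and the client's refusal to connect. Two smaller points: the first s_client transcript is missing the "openssl" command and "-starttls xmpp", so its "wrong version number" error is just plain XMPP being read as a TLS record and is not evidence of the problem (the second run is the meaningful one); and "Error: erofs" from convert_to_yaml is a read-only filesystem error, so the conversion is worth retrying with a destination path the ejabberd process can actually write to rather than /etc/ejabberd.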
linux/debian/start.txt · Last modified: 2022/01/27 01:52 by stybla