linux:debian:start

linux:debian:start [2017/07/25 09:36]
stybla add how-to print out APT keys
linux:debian:start [2017/12/05 12:18] (current)
stybla Added migration of ejabberd from Jessie to Stretch
==== Migrating ejabberd 2.0.x to 2.1.x ====

**WARNING - probably a bit incomplete, but who cares years later**

Debian 6.0 Squeeze, however I think this doesn't depend on your GNU/Linux distribution.

  * hopefully enjoy!

==== Migrating ejabberd from Jessie to Stretch ====

Yet another round of fun. My private Jabber has been off for a long time, because the client decided the server is no good anymore. This was due to vulnerabilities in SSL/TLS, resp. OpenSSL(?), and there seemed to be no fix for Jessie. I've ignored it, because I didn't have time and it's not that important to me anyway. Now, on the verge of migration to Stretch, I couldn't ignore it anymore. Of course I've hit a couple of snags on the way.

First of all, I found out I could neither perform a backup nor a dump of ejabberd on Jessie. Mad props to the devs, because all I had to do was to move ''/var/lib/ejabberd'' to the new server.

Second of all, there was the change of the configuration file format from whatever to YAML. In theory, you can convert the old cfg to YAML via ''ejabberdctl convert_to_yaml src dst''. Theory being theory, it wasn't my case.

<code>
ejabberdctl convert_to_yaml /etc/ejabberd/ejabberd-old.cfg /etc/ejabberd/ejabberd.yaml
Error: erofs
</code>

Not exactly nice, but worry not, because it's not that hard to adjust whatever needs to be adjusted if your configuration is simple.

Last, but not least, was the certificate. I guess that was the issue on Jessie as well, but then I didn't really spend any time on it. Anyway, once I got ejabberd up and running, I couldn't connect. "Host unknown" was the error, and some others later on. The following should've been the big hint; unfortunately, it wasn't.

<code>
foo@bar:~/openssl$ openssl s_client -connect XXX:5222
CONNECTED(00000003)
140252860966144:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:252:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 176 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1512468671
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
foo@bar:~/$ openssl s_client -connect XXX:5222 -starttls xmpp
CONNECTED(00000003)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 295 bytes and written 126 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
---
</code>

Well, at least I've found out you must(?) disable SSLv2 in the config as well. Also, that there is ''starttls_required: true''. Anyway, this didn't help either and I didn't find the error messages really helpful (I guess I should've, shouldn't I?).

<code>
2017-12-05 11:13:30.742 [error] <0.376.0> Supervisor ejabberd_s2s_in_sup had child undefined started with {ejabberd_s2s_in,start_link,undefined} at <0.528.0> exit with reason no match of right hand value {error,<<"SSL_CTX_use_certificate_file failed: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak">>} in ejabberd_socket:starttls/3 line 153 in context child_terminated
2017-12-05 11:13:49.406 [error] <0.530.0> gen_fsm <0.530.0> in state wait_for_feature_request terminated with reason: no match of right hand value {error,<<"SSL_CTX_use_certificate_file failed: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak">>} in ejabberd_socket:starttls/3 line 153
</code>

So, as the last ditch effort, I've generated a new SSL certificate. Lo and behold, the miracle! Everything works now. I wonder what the problem was. Maybe the SSL cert generated in ~2013 wasn't strong enough and that's what the issue was about from the get go. Comparison of the old and new one:

<code>
Signature Algorithm: md5WithRSAEncryption
Signature Algorithm: sha256WithRSAEncryption
</code>
  
  
linux/debian/start.txt · Last modified: 2017/12/05 12:18 by stybla