
openssl 1.1.1 support #2608

Closed
darix opened this issue Sep 19, 2018 · 5 comments

Comments

darix commented Sep 19, 2018

https://www.openssl.org/news/openssl-1.1.1-notes.html

is out and has some interesting improvements

  1. TLS 1.3 support: this comes with a slight catch ... the API to set the ciphersuite is different for 1.3 than it is for 1.2 and earlier. There is also an SSL_CTX_set_options flag to prefer ChaCha ciphers if supported (useful for mobile clients). A related discussion: Revisit and modernize ciphersuite specification mechanism ("cipher string") openssl/openssl#5050

  2. To quote a haproxy change:

    With openssl >= 1.1.1 and boringssl multi-cert is natively supported.
    ECDSA/RSA selection is done and work correctly with TLS >= v1.2.

Though the question is ... how to configure multiple certs within the ejabberd.yml so openssl can pick the proper cert?

arendtio commented

As we are talking about OpenSSL 1.1.1: A few days ago Arch Linux shipped OpenSSL 1.1.1. Today I realised that since that update some clients (e.g. Gajim also on Arch with OpenSSL 1.1.1) are not able to connect to my ejabberd anymore (it looks like the server closes the connection after the SSL_do_handshake fails). Downgrading the OpenSSL on the server to version 1.1.0-i works so far.

I don't know yet whether my issue can be solved via configuration or whether ejabberd is not yet prepared to work with the new version. From what I have learned so far it might be caused by the SNI changes in TLS 1.3.
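To make darix's two points (the separate TLS 1.3 suite list, and RSA/ECDSA certificate selection from one server) and arendtio's TLS 1.3 handshake report concrete, here is an added example that is not code from ejabberd, fast_tls or the openssl project: a POSIX shell script that drives the openssl(1) tools against a local s_server holding both an RSA and an ECDSA certificate. It assumes an OpenSSL 1.1.1 or newer `openssl` binary on PATH, a free loopback port 14433, a writable temp dir, and the certificate subjects rsa-cert/ecdsa-cert it generates itself; all of those are assumptions of this example.

```shell
#!/bin/sh
# Added example for this thread, not ejabberd's, fast_tls's or OpenSSL's code.
# Uses only openssl(1) (needs OpenSSL >= 1.1.1) to show:
#   1. the TLS 1.3 suite list is separate from the TLS <= 1.2 cipher list
#      (-ciphersuites vs -cipher here, SSL_CTX_set_ciphersuites vs
#      SSL_CTX_set_cipher_list in the C API);
#   2. one server holding an RSA *and* an ECDSA certificate (-cert/-dcert)
#      serves whichever one the client's ciphers or sigalgs can use;
#   3. -serverpref -prioritize_chacha (SSL_OP_PRIORITIZE_CHACHA) picks
#      ChaCha20 only when the client lists it first.
# Port, certificate subjects and the temp dir are assumptions of this example.

WORK=$(mktemp -d)
PORT=${PORT:-14433}        # assumed free loopback port
SERVER_PID=

# Throwaway self-signed certificates with distinguishable subjects.
gen_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=rsa-cert" \
      -keyout "$WORK/rsa.key" -out "$WORK/rsa.crt" >/dev/null 2>&1
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/ec.key"
  openssl req -x509 -new -key "$WORK/ec.key" -days 1 -subj "/CN=ecdsa-cert" \
      -out "$WORK/ec.crt" >/dev/null 2>&1
}

# Multi-cert server: primary RSA cert, secondary ECDSA cert, server-side
# cipher preference with the ChaCha exception enabled.
start_server() {
  openssl s_server -accept "$PORT" -www -serverpref -prioritize_chacha \
      -cert "$WORK/rsa.crt" -key "$WORK/rsa.key" \
      -dcert "$WORK/ec.crt" -dkey "$WORK/ec.key" >/dev/null 2>&1 &
  SERVER_PID=$!
  i=0
  while [ "$i" -lt 20 ]; do           # wait until the port answers
    openssl s_client -connect "127.0.0.1:$PORT" </dev/null >/dev/null 2>&1 && return 0
    i=$((i + 1)); sleep 1
  done
  return 1
}

cleanup() {
  [ -n "$SERVER_PID" ] && kill "$SERVER_PID" 2>/dev/null
  rm -rf "$WORK"
}

# Raw s_client output for the given extra options (stdin is closed, so the
# handshake completes and the client exits on its own).
probe() {
  openssl s_client -connect "127.0.0.1:$PORT" "$@" </dev/null 2>/dev/null
}

# CN of the certificate the server actually presented (first PEM in the output).
served_cn() {
  probe "$@" | openssl x509 -noout -subject 2>/dev/null | sed -n 's/.*CN *= *//p'
}

# Protocol / cipher from the SSL-Session block (last one wins if printed twice).
negotiated_protocol() { probe "$@" | awk '/^ *Protocol *:/ {p = $3} END {print p}'; }
negotiated_cipher()   { probe "$@" | awk '/^ *Cipher *:/ {c = $3} END {print c}'; }

demo() {
  echo "TLS1.2, RSA suite            -> $(served_cn -tls1_2 -cipher ECDHE-RSA-AES128-GCM-SHA256)"
  echo "TLS1.2, ECDSA suite          -> $(served_cn -tls1_2 -cipher ECDHE-ECDSA-AES128-GCM-SHA256)"
  echo "TLS1.3, sigalgs ECDSA+SHA256 -> $(served_cn -tls1_3 -sigalgs ECDSA+SHA256)"
  # The catch: -cipher does not touch TLS 1.3, so TLS 1.3 is still negotiated.
  echo "-cipher only, no version pin -> $(negotiated_protocol -cipher ECDHE-RSA-AES128-GCM-SHA256)"
  echo "client lists ChaCha first    -> $(negotiated_cipher -ciphersuites TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384)"
  echo "client lists AES first       -> $(negotiated_cipher -ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256)"
}

trap cleanup EXIT
gen_certs
start_server || { echo "s_server did not come up on port $PORT" >&2; exit 1; }
demo
```

Run it as `sh tls13_multicert_demo.sh`; the pinned `-tls1_2`/`-tls1_3` probes show the RSA or ECDSA certificate being chosen from the cipher suite (TLS 1.2) or from the signature algorithms (TLS 1.3), and the unpinned `-cipher` probe shows why a legacy cipher string alone does not constrain TLS 1.3. The same `-tls1_2`/`-tls1_3` pinning, with `-connect host:5222 -starttls xmpp` pointed at a real ejabberd, is the quickest way to tell whether a server closes the connection only for TLS 1.3 clients, which is the symptom arendtio describes.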

prefiks (Member) commented Sep 19, 2018

A couple of weeks ago I updated the fast_tls module that ejabberd uses for TLS connections to work properly with OpenSSL 1.1.1; the next ejabberd release (hopefully next week) will have it.

@badlop badlop added this to the ejabberd 18.09 milestone Sep 20, 2018
zinid (Contributor) commented Sep 23, 2018

    ECDSA/RSA selection

I will probably never understand this urge. Supporting this in ejabberd (in the correct way, i.e. without introducing a shitload of obscure configuration options) requires significant effort with moot benefits.

cromain (Contributor) commented Sep 25, 2018

Closing this issue as it is covered by the latest fast_tls.

@cromain cromain closed this as completed Sep 25, 2018
lock bot commented Sep 25, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked as resolved and limited conversation to collaborators Sep 25, 2019