Environment
- ejabberd version: 20.12
- Erlang version (erl +V):
[root@ns7loc14 ~]# /opt/ejabberd-20.12/bin/erl +V
Erlang (SMP,ASYNC_THREADS,HIPE) (BEAM) emulator version 10.3.4
- OS: Linux CentOS 7.9
- Installed from: official rpm from the project
[root@ns7loc14 ~]# rpm -qa ejabberd
ejabberd-20.12-0.x86_64
Configuration (only if needed): grep -Ev '^$|^\s*#' ejabberd.yml
[root@ns7loc14 ~]# grep -Ev '^$|^\s*#' /etc/ejabberd/ejabberd.yml
loglevel: 4
log_rotate_count: 0
hosts:
  - "nethservertest.org"
define_macro:
  'CERTFILE': "/etc/ejabberd/ejabberd.pem"
  'TLSOPTS':
    - "no_sslv3"
    - "no_tlsv1"
    - "no_tlsv1_1"
    - "cipher_server_preference"
  'CIPHERS': "kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!SSLv3:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES"
certfiles:
  - 'CERTFILE'
listen:
  -
    port: 5222
    ip: "0.0.0.0"
    module: ejabberd_c2s
    protocol_options: 'TLSOPTS'
    starttls: true
    starttls_required: true
    max_stanza_size: 65536
    shaper: c2s_shaper
    access: c2s
    ciphers: 'CIPHERS'
  -
    port: 5223
    ip: "0.0.0.0"
    module: ejabberd_c2s
    access: c2s
    shaper: c2s_shaper
    tls: true
    protocol_options: 'TLSOPTS'
    max_stanza_size: 65536
    ciphers: 'CIPHERS'
  -
    port: 5280
    ip: "0.0.0.0"
    module: ejabberd_http
    tls: true
    request_handlers:
      "/websocket": ejabberd_http_ws
      "/api": mod_http_api
      "/bosh": mod_bosh
    captcha: false
    protocol_options: 'TLSOPTS'
    ciphers: 'CIPHERS'
s2s_use_starttls: required
auth_method: external
extauth_program: "/usr/libexec/nethserver/ejabberd-auth"
extauth_pool_size: 4
auth_use_cache: false
api_permissions:
  "console commands":
    from:
      - ejabberd_ctl
    who: all
    what: "*"
  "admin access":
    who:
      - access:
          - allow:
              - ip: "127.0.0.1/8"
              - acl: admin
      - oauth:
          - scope: "ejabberd:admin"
          - access:
              - allow:
                  - ip: "127.0.0.1/8"
                  - acl: admin
    what:
      - "*"
      - "!stop"
      - "!start"
  "public commands":
    who:
      - ip: "127.0.0.1/8"
    what:
      - "status"
      - "connected_users_number"
acl:
  admin:
    user:
  local:
    user_regexp: ""
  loopback:
    ip:
      - "127.0.0.0/8"
shaper:
  normal: 500000
  fast: 1000000
max_fsm_queue: 10000
shaper_rules:
  max_user_sessions: 10
  max_user_offline_messages:
    - 5000: admin
    - 100
  c2s_shaper:
    - none: admin
    - normal
  s2s_shaper: fast
access_rules:
  local:
    - allow: local
  c2s:
    - deny: blocked
    - allow
  announce:
    - allow: admin
  configure:
    - allow: admin
  muc_create:
    - allow: local
  pubsub_createnode:
    - allow: local
  register:
    - deny
  trusted_network:
    - allow: loopback
language: "en"
allow_contrib_modules: true
modules:
  mod_adhoc: {}
  mod_admin_extra: {}
  mod_announce: # recommends mod_adhoc
    access: announce
  mod_blocking: {} # requires mod_privacy
  mod_caps: {}
  mod_carboncopy: {}
  mod_client_state: {}
  mod_configure: {} # requires mod_adhoc
  mod_disco: {}
  mod_bosh: {}
  mod_last: {}
  mod_muc:
    access:
      - allow
    access_admin:
      - allow: admin
    access_create: muc_create
    access_persistent: muc_create
  mod_muc_admin: {}
  mod_offline:
    access_max_user_messages: max_user_offline_messages
  mod_ping: {}
  mod_privacy: {}
  mod_private: {}
  mod_pubsub:
    access_createnode: pubsub_createnode
    ignore_pep_from_offline: true
    last_item_cache: false
    plugins:
      - "flat"
      - "pep" # pep requires mod_caps
  mod_register:
    welcome_message:
      subject: "Welcome!"
      body: |-
        Hi.
        Welcome to nethservertest.org XMPP server.
    ip_access: trusted_network
    access: register
  mod_roster: {}
  mod_shared_roster: {}
  mod_vcard:
    search: false
  mod_version: {}
  mod_stream_mgmt: {}
  mod_s2s_dialback: {}
  mod_http_api: {}
  mod_shared_roster_ldap:
    ldap_base: "dc=directory,dc=nh"
    ldap_encrypt: tls
    ldap_tls_verify: false
    ldap_groupattr: "cn"
    ldap_groupdesc: "o"
    ldap_memberattr: "uid"
    ldap_memberattr_format: "%u"
    ldap_password: "V_85617fr2bK3Csj"
    ldap_port: 636
    ldap_rfilter: "(objectClass=posixAccount)"
    ldap_rootdn: "cn=ldapservice,dc=directory,dc=nh"
    ldap_servers: ["192.168.56.12"]
    ldap_ufilter: "(uid=%u)"
    ldap_useruid: "uid"
Errors from error.log/crash.log
No errors from crash.log, only from /var/log/ejabberd/ejabberd.log
2021-01-21 17:58:51.998 [notice] <0.120.0>@lager_file_backend:152 Changed loghwm of /var/log/ejabberd/error.log to 100
2021-01-21 17:58:51.998 [notice] <0.120.0>@lager_file_backend:152 Changed loghwm of /var/log/ejabberd/ejabberd.log to 100
2021-01-21 17:58:52.116 [info] <0.106.0>@ejabberd_config:load:82 Loading configuration from /etc/ejabberd/ejabberd.yml
2021-01-21 17:58:52.333 [warning] <0.106.0>@gen_mod:warn_soft_dep_fail:582 Module mod_mam is recommended for module mod_muc but is not found in the config
2021-01-21 17:58:52.355 [info] <0.106.0>@ejabberd_config:load:89 Configuration loaded successfully
2021-01-21 17:58:52.725 [info] <0.335.0>@gen_mod:start_modules:130 Loading modules for nethservertest.org
2021-01-21 17:58:52.929 [error] <0.433.0>@eldap:connect_bind:1073 LDAP connection to 192.168.56.12:636 failed: received CLIENT ALERT: Fatal - Handshake Failure
2021-01-21 17:58:52.929 [info] <0.442.0> TLS client: In state hello received SERVER ALERT: Fatal - Handshake Failure
2021-01-21 17:58:52.988 [info] <0.106.0>@ejabberd_cluster_mnesia:wait_for_sync:123 Waiting for Mnesia synchronization to complete
2021-01-21 17:58:53.038 [warning] <0.359.0>@ejabberd_pkix:log_warnings:393 Invalid certificate in /etc/ejabberd/ejabberd.pem: at line 29: self-signed certificate
2021-01-21 17:58:53.200 [warning] <0.359.0>@ejabberd_pkix:check_domain_certfiles:312 No certificate found matching nethservertest.org
2021-01-21 17:58:53.200 [warning] <0.359.0>@ejabberd_pkix:check_domain_certfiles:312 No certificate found matching conference.nethservertest.org
2021-01-21 17:58:53.201 [warning] <0.359.0>@ejabberd_pkix:check_domain_certfiles:312 No certificate found matching pubsub.nethservertest.org
2021-01-21 17:58:53.201 [info] <0.106.0>@ejabberd_app:start:62 ejabberd 20.12 is started in the node ejabberd@localhost in 1.40s
2021-01-21 17:58:53.201 [warning] <0.451.0>@ejabberd_acme:request_on_start:593 No HTTP listeners for ACME challenges are configured, automatic certificate requests are aborted. Hint: configure the listener and restart/reload ejabberd. Or set acme->auto option to `false` to suppress this warning.
2021-01-21 17:58:53.202 [info] <0.356.0>@ejabberd_listener:init:159 Start accepting TCP connections at 0.0.0.0:5222 for ejabberd_c2s
2021-01-21 17:58:53.202 [info] <0.357.0>@ejabberd_listener:init:159 Start accepting TLS connections at 0.0.0.0:5223 for ejabberd_c2s
2021-01-21 17:58:53.202 [info] <0.358.0>@ejabberd_listener:init:159 Start accepting TLS connections at 0.0.0.0:5280 for ejabberd_http
2021-01-21 17:58:53.438 [info] <0.503.0> TLS client: In state hello received SERVER ALERT: Fatal - Handshake Failure
2021-01-21 17:58:53.438 [error] <0.433.0>@eldap:connect_bind:1073 LDAP connection to 192.168.56.12:636 failed: received CLIENT ALERT: Fatal - Handshake Failure
2021-01-21 17:58:53.943 [info] <0.509.0> TLS client: In state hello received SERVER ALERT: Fatal - Handshake Failure
2021-01-21 17:58:53.943 [error] <0.433.0>@eldap:connect_bind:1073 LDAP connection to 192.168.56.12:636 failed: received CLIENT ALERT: Fatal - Handshake Failure
Bug description
We provide a server configuration for ejabberd with an account provider, based on Samba AD or OpenLDAP, that you can use locally or remotely.
- LDAP over SSL on TCP port 636 with Samba AD has no issue
- LDAP in plain text on TCP port 389 with OpenLDAP has no issue
We can bind our applications to OpenLDAP remotely or locally, in plain text or encrypted, so we have a working configuration, but ejabberd gets a TLS handshake failure error when we try to use LDAPS over 636, whether the OpenLDAP is local or remote.
If I change the account provider on the same server to Samba AD I have no error, so it is not a certificate issue.
I read in another issue (#2344 (comment)) and it seems that the downgrade to Erlang 19 fixed the issue.
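The log above shows the OpenLDAP side answering the ClientHello with a fatal handshake failure, which means no protocol version or cipher suite was acceptable to the server. The probe below, an added diagnostic that is not part of the report or of ejabberd, tries each TLS version separately with openssl s_client against the LDAPS endpoint from the configuration; the verdict strings it matches are assumptions based on common s_client error output.

```shell
#!/bin/sh
# Probe an LDAPS endpoint one TLS version at a time to see which
# ClientHello the server rejects. Host/port default to the values in
# the report above (constructed defaults, override via environment).
LDAP_HOST="${LDAP_HOST:-192.168.56.12}"
LDAP_PORT="${LDAP_PORT:-636}"

# Map raw s_client output (read from stdin) to a short verdict.
# First matching pattern wins, so a failed handshake is reported even
# though s_client still prints a "Verify return code" summary afterwards.
classify_handshake() {
    out=$(cat)
    case "$out" in
        *"unknown option"*)                  echo "flag_unsupported" ;;
        *"alert handshake failure"*)         echo "handshake_failure" ;;
        *"wrong version number"*|*"unsupported protocol"*|*"no protocols available"*)
                                             echo "version_rejected" ;;
        *"Verify return code:"*)             echo "connected" ;;
        *)                                   echo "no_connection" ;;
    esac
}

# Try one protocol version; $1 is an s_client flag such as -tls1_2.
# "Q" on stdin makes s_client close the session right after the handshake.
probe_version() {
    printf 'Q\n' | openssl s_client -connect "$LDAP_HOST:$LDAP_PORT" "$1" 2>&1 \
        | classify_handshake
}

# Walk the versions the Erlang ssl client in this report could offer
# (TLS 1.0 to 1.2) plus TLS 1.3 for servers that accept only that.
probe_all() {
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        printf '%-8s %s\n' "$flag" "$(probe_version "$flag")"
    done
}

# Only probe the network when invoked as "sh probe.sh run", so the
# functions can also be sourced and tested without a live LDAP server.
if [ "${1:-}" = "run" ]; then
    probe_all
fi
```

If every version comes back as handshake_failure, the mismatch is in cipher suites or signature algorithms rather than protocol version, so compare the server's TLSCipherSuite setting with what the client offers; flag_unsupported for -tls1_3 simply means the local OpenSSL (1.0.2 on CentOS 7) predates TLS 1.3.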