[XMPP] jabber.org dh key too small
Opened this issue · 8 comments
When we contact a Jabber.org JID:
prosody | xxx.xxx:tls debug Received features element
prosody | xxx.xxx:tls debug jabber.org is offering TLS, taking up the offer...
prosody | s2sout563f15ad31d0 debug Sending[s2sout_unauthed]: <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'>
prosody | s2sout563f15ad31d0 debug Received[s2sout_unauthed]: <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'>
prosody | xxx.xxx:tls debug Proceeding with TLS on s2sout...
prosody | socket debug try to start ssl at client id: 563f15d15390
prosody | socket debug starting handshake...
prosody | socket debug ssl handshake of client with id:table: 0x563f15d15390, attempt:1
prosody | socket debug ssl handshake of client with id:table: 0x563f15d15390, attempt:2
prosody | socket debug ssl handshake error: dh key too small
prosody | socket debug closing client with id: 563f15d15390 dh key too small
prosody | s2sout563f15ad31d0 debug s2s connection attempt failed: dh key too small
prosody | s2sout563f15ad31d0 debug Out of IP addresses, trying next SRV record (if any)
prosody | s2sout563f15ad31d0 info Failed in all attempts to connect to jabber.org
prosody | s2sout563f15ad31d0 debug No other records to try for jabber.org - destroying
prosody | s2sout563f15ad31d0 debug Destroying outgoing session xxx.xxx->jabber.org: Connecting failed: dh key too small
prosody | s2sout563f15ad31d0 info Sending error replies for 1 queued stanzas because of failed outgoing connection to jabber.org
prosody | stanzarouter debug Received[s2sin]: <message to='user@xxx.xxx/client' id='xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' type='error' from='user@jabber.org'>
prosody | xxx.xxx:mam debug Not archiving stanza: <message to='user@xxx.xxx/client' id='xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' type='error' from='user@jabber.org'> (type)
prosody | c2s563f15b4d340 debug Sending[c2s]: <message to='user@xxx.xxx/client' id='xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' type='error' from='user@jabber.org'>
prosody | s2sout563f15ad31d0 debug s2s disconnected: <nil>-><nil> (dh key too small)
prosody | socket debug handshake failed because: dh key too small
When we go on a Jabber.org Muc Room:
prosody | c2s563f15b4d340 debug Received[c2s]: <iq to='room@conference.jabber.org' id='xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' type='get' from='user@xxx.xxx/client'>
prosody | mod_s2s debug opening a new outgoing connection for this stanza
prosody | mod_s2s debug stanza [iq] queued until connection complete
prosody | s2sout563f15c5bcf0 debug First attempt to connect to conference.jabber.org, starting with SRV lookup...
prosody | adns debug Records for _xmpp-server._tcp.conference.jabber.org. not in cache, sending query (thread: 0x563f16131480)...
prosody | adns debug Sending DNS query to 127.0.0.11
prosody | socket debug new connection established. id: 563f162d6810
prosody | socket debug try to close client connection with id: 563f162d6810
prosody | socket debug closing client with id: 563f162d6810 client to close
prosody | adns debug Reply for _xmpp-server._tcp.conference.jabber.org. (thread: 0x563f16131480)
prosody | s2sout563f15c5bcf0 debug conference.jabber.org has SRV records, handling...
prosody | s2sout563f15c5bcf0 debug Best record found, will connect to hermes2.jabber.org.:5269
prosody | adns debug Records for hermes2.jabber.org. already cached, using those...
prosody | s2sout563f15c5bcf0 debug DNS reply for hermes2.jabber.org. gives us 208.68.163.218
prosody | s2sout563f15c5bcf0 debug Beginning new connection attempt to conference.jabber.org ([208.68.163.218]:5269)
prosody | s2sout563f15c5bcf0 debug Connection attempt in progress...
prosody | socket debug new connection established. id: 563f15bdeb90
prosody | s2sout563f15c5bcf0 debug Sending[s2sout_unauthed]: <?xml version='1.0'?>
prosody | s2sout563f15c5bcf0 debug Sending[s2sout_unauthed]: <stream:stream to='conference.jabber.org' xmlns:stream='http://etherx.jabber.org/streams' xml:lang='en' version='1.0' xmlns:db='jabber:server:dialback' xmlns='jabber:server' from='xxx.xxx'>
prosody | runnerKTSoXRXM debug creating new coroutine
prosody | s2sout563f15c5bcf0 debug Received[s2sout_unauthed]: <features xmlns='http://etherx.jabber.org/streams'>
prosody | xxx.xxx:tls debug Received features element
prosody | xxx.xxx:tls debug conference.jabber.org is offering TLS, taking up the offer...
prosody | s2sout563f15c5bcf0 debug Sending[s2sout_unauthed]: <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'>
prosody | s2sout563f15c5bcf0 debug Received[s2sout_unauthed]: <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'>
prosody | xxx.xxx:tls debug Proceeding with TLS on s2sout...
prosody | socket debug try to start ssl at client id: 563f15bdeb90
prosody | socket debug starting handshake...
prosody | socket debug ssl handshake of client with id:table: 0x563f15bdeb90, attempt:1
prosody | socket debug ssl handshake of client with id:table: 0x563f15bdeb90, attempt:2
prosody | socket debug ssl handshake error: dh key too small
prosody | socket debug closing client with id: 563f15bdeb90 dh key too small
prosody | s2sout563f15c5bcf0 debug s2s connection attempt failed: dh key too small
prosody | s2sout563f15c5bcf0 debug Out of IP addresses, trying next SRV record (if any)
prosody | s2sout563f15c5bcf0 info Failed in all attempts to connect to conference.jabber.org
prosody | s2sout563f15c5bcf0 debug No other records to try for conference.jabber.org - destroying
prosody | s2sout563f15c5bcf0 debug Destroying outgoing session xxx.xxx->conference.jabber.org: Connecting failed: dh key too small
prosody | s2sout563f15c5bcf0 info Sending error replies for 1 queued stanzas because of failed outgoing connection to conference.jabber.org
prosody | stanzarouter debug Received[s2sin]: <iq to='user@xxx.xxx/client' id='xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' type='error' from='room@conference.jabber.org'>
prosody | c2s563f15b4d340 debug Sending[c2s]: <iq to='user@xxx.xxx/client' id='xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' type='error' from='room@conference.jabber.org'>
prosody | s2sout563f15c5bcf0 debug s2s disconnected: <nil>-><nil> (dh key too small)
prosody | socket debug handshake failed because: dh key too small
Short version:
jabber.org uses 1024 bit DH parameters.
Recent OpenSSL (1.1.1 possibly) enforces a limit on (I think) 2048 bit minimum.
Hilarity ensues. ^W^W
Nothing works.
I think this implies that the jabber.org contingent have detached from the rest of federated XMPP space (or is at least becoming more so, as openssl 1.1.1 is spreading). It's a loss!
Same here with trashserver.net :( Too bad the problem still exists.
To allow connections to ancient, poorly secured servers you need to do the following:
In /etc/ssl/default.cnf, go to the section [system_default_sect] and set CipherString = DEFAULT@SECLEVEL=1
However, this will weaken overall encryption security of your system, so you must know what you're doing...
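Added example for the two comments above (the diagnosis that a 1024-bit DH prime trips the OpenSSL minimum, and the SECLEVEL workaround). This is not code from the issue, from Prosody or from OpenSSL. It encodes a DH group to the PEM form `openssl dhparam` writes, parses such a PEM back, reports which OpenSSL security level would still accept a prime of that size, and builds a client `SSLContext` with that level set for one process instead of for the whole system via openssl.cnf. The prime is assumed to be the 1024-bit MODP group from RFC 2409 (group 2, generator 2), standing in for whatever parameters a remote server actually serves; the level thresholds are those documented in SSL_CTX_set_security_level(3).

```python
"""DH parameter size versus OpenSSL security level (added example, not
from the issue, Prosody or OpenSSL). Assumption: the prime below is the
RFC 2409 group 2 MODP prime, used as a stand-in for a server's parameters."""
import base64
import ssl

RFC2409_GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
RFC2409_GROUP2_G = 2

# Minimum DH (and RSA) modulus OpenSSL accepts at each security level, per
# SSL_CTX_set_security_level(3): level -> (security bits, min modulus bits).
# Level 0 accepts anything; Debian and Ubuntu ship openssl.cnf with SECLEVEL=2.
SECLEVEL_MIN_BITS = {1: (80, 1024), 2: (112, 2048), 3: (128, 3072),
                     4: (192, 7680), 5: (256, 15360)}


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(value: int) -> bytes:
    """DER INTEGER; a leading zero byte keeps a high-bit value positive."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def dh_params_to_pem(p: int, g: int) -> str:
    """PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }."""
    body = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines)
            + "\n-----END DH PARAMETERS-----\n")


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, contents, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_dh_params_pem(pem: str):
    """Return (p, g) from a 'DH PARAMETERS' PEM as written by openssl dhparam.
    The optional third INTEGER (privateValueLength) is ignored."""
    b64 = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    tag, seq, _ = _read_tlv(base64.b64decode(b64), 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag_p, p_bytes, pos = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected INTEGER prime and base")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def highest_seclevel_accepting(dh_bits: int) -> int:
    """Highest OpenSSL security level at which a DH prime of dh_bits is not
    rejected with 'dh key too small' (0 means only level 0 accepts it)."""
    level = 0
    for lvl, (_, min_bits) in sorted(SECLEVEL_MIN_BITS.items()):
        if dh_bits >= min_bits:
            level = lvl
    return level


def report(pem: str) -> dict:
    """Summarise a parameter file the way an operator would want to read it."""
    p, g = parse_dh_params_pem(pem)
    bits = p.bit_length()
    return {"bits": bits, "generator": g,
            "max_seclevel": highest_seclevel_accepting(bits),
            "ok_at_seclevel2": bits >= SECLEVEL_MIN_BITS[2][1]}


def client_context_for(dh_bits: int) -> ssl.SSLContext:
    """Client context lowered just enough for the peer's DH size. The change is
    scoped to this process, unlike editing CipherString in openssl.cnf."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers("DEFAULT@SECLEVEL=%d" % highest_seclevel_accepting(dh_bits))
    return ctx


# Constructed sample input: the RFC 2409 group encoded as a PEM file.
EXAMPLE_1024_PEM = dh_params_to_pem(RFC2409_GROUP2_P, RFC2409_GROUP2_G)

if __name__ == "__main__":
    print(EXAMPLE_1024_PEM)
    print(report(EXAMPLE_1024_PEM))
```

For a live server, the size of the group it actually negotiates can be read from the `Server Temp Key:` line of `openssl s_client -connect host:5269 -starttls xmpp-server -tls1_2 -cipher DHE` (OpenSSL 1.1.0 or later; TLS 1.2 and a DHE cipher are forced because TLS 1.3 uses its own fixed groups). A 1024-bit group maps to level 1 here, which is why it only works once the client drops to `SECLEVEL=1`; keeping that drop in one application's context, as `client_context_for` does, avoids lowering every TLS client on the host.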
This problem is now more aggressive. Connections to e.g. Jabber.de no longer work properly.
@stpeter: Any news about the migration?
@stpeter: Any news about the end of the migration after several months?