stpeter/jabberdotorg

[XMPP] jabber.org dh key too small

Opened this issue · 8 comments

When we contact a Jabber.org JID:

prosody         | xxx.xxx:tls                      debug      Received features element
prosody         | xxx.xxx:tls                      debug      jabber.org is offering TLS, taking up the offer...
prosody         | s2sout563f15ad31d0               debug      Sending[s2sout_unauthed]: <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'>
prosody         | s2sout563f15ad31d0               debug      Received[s2sout_unauthed]: <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'>
prosody         | xxx.xxx:tls                      debug      Proceeding with TLS on s2sout...
prosody         | socket                           debug      try to start ssl at client id: 563f15d15390 
prosody         | socket                           debug      starting handshake... 
prosody         | socket                           debug      ssl handshake of client with id:table: 0x563f15d15390, attempt:1 
prosody         | socket                           debug      ssl handshake of client with id:table: 0x563f15d15390, attempt:2 
prosody         | socket                           debug      ssl handshake error: dh key too small 
prosody         | socket                           debug      closing client with id: 563f15d15390 dh key too small 
prosody         | s2sout563f15ad31d0               debug      s2s connection attempt failed: dh key too small
prosody         | s2sout563f15ad31d0               debug      Out of IP addresses, trying next SRV record (if any)
prosody         | s2sout563f15ad31d0               info      Failed in all attempts to connect to jabber.org
prosody         | s2sout563f15ad31d0               debug      No other records to try for jabber.org - destroying
prosody         | s2sout563f15ad31d0               debug      Destroying outgoing session xxx.xxx->jabber.org: Connecting failed: dh key too small
prosody         | s2sout563f15ad31d0               info      Sending error replies for 1 queued stanzas because of failed outgoing connection to jabber.org
prosody         | stanzarouter                     debug      Received[s2sin]: <message to='user@xxx.xxx/client' id='xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' type='error' from='user@jabber.org'>
prosody         | xxx.xxx:mam                      debug      Not archiving stanza: <message to='user@xxx.xxx/client' id='xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' type='error' from='user@jabber.org'> (type)
prosody         | c2s563f15b4d340                  debug      Sending[c2s]: <message to='user@xxx.xxx/client' id='xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' type='error' from='user@jabber.org'>
prosody         | s2sout563f15ad31d0               debug      s2s disconnected: <nil>-><nil> (dh key too small)
prosody         | socket                           debug      handshake failed because: dh key too small 

When we go on a Jabber.org Muc Room:

prosody         | c2s563f15b4d340                  debug      Received[c2s]: <iq to='room@conference.jabber.org' id='xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' type='get' from='user@xxx.xxx/client'>
prosody         | mod_s2s                          debug      opening a new outgoing connection for this stanza
prosody         | mod_s2s                          debug      stanza [iq] queued until connection complete
prosody         | s2sout563f15c5bcf0               debug      First attempt to connect to conference.jabber.org, starting with SRV lookup...
prosody         | adns                             debug      Records for _xmpp-server._tcp.conference.jabber.org. not in cache, sending query (thread: 0x563f16131480)...
prosody         | adns                             debug      Sending DNS query to 127.0.0.11
prosody         | socket                           debug      new connection established. id: 563f162d6810 
prosody         | socket                           debug      try to close client connection with id: 563f162d6810 
prosody         | socket                           debug      closing client with id: 563f162d6810 client to close 
prosody         | adns                             debug      Reply for _xmpp-server._tcp.conference.jabber.org. (thread: 0x563f16131480)
prosody         | s2sout563f15c5bcf0               debug      conference.jabber.org has SRV records, handling...
prosody         | s2sout563f15c5bcf0               debug      Best record found, will connect to hermes2.jabber.org.:5269
prosody         | adns                             debug      Records for hermes2.jabber.org. already cached, using those...
prosody         | s2sout563f15c5bcf0               debug      DNS reply for hermes2.jabber.org. gives us 208.68.163.218
prosody         | s2sout563f15c5bcf0               debug      Beginning new connection attempt to conference.jabber.org ([208.68.163.218]:5269)
prosody         | s2sout563f15c5bcf0               debug      Connection attempt in progress...
prosody         | socket                           debug      new connection established. id: 563f15bdeb90 
prosody         | s2sout563f15c5bcf0               debug      Sending[s2sout_unauthed]: <?xml version='1.0'?>
prosody         | s2sout563f15c5bcf0               debug      Sending[s2sout_unauthed]: <stream:stream to='conference.jabber.org' xmlns:stream='http://etherx.jabber.org/streams' xml:lang='en' version='1.0' xmlns:db='jabber:server:dialback' xmlns='jabber:server' from='xxx.xxx'>
prosody         | runnerKTSoXRXM                   debug      creating new coroutine
prosody         | s2sout563f15c5bcf0               debug      Received[s2sout_unauthed]: <features xmlns='http://etherx.jabber.org/streams'>
prosody         | xxx.xxx:tls                      debug      Received features element
prosody         | xxx.xxx:tls                      debug      conference.jabber.org is offering TLS, taking up the offer...
prosody         | s2sout563f15c5bcf0               debug      Sending[s2sout_unauthed]: <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'>
prosody         | s2sout563f15c5bcf0               debug      Received[s2sout_unauthed]: <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'>
prosody         | xxx.xxx:tls                      debug      Proceeding with TLS on s2sout...
prosody         | socket                           debug      try to start ssl at client id: 563f15bdeb90 
prosody         | socket                           debug      starting handshake... 
prosody         | socket                           debug      ssl handshake of client with id:table: 0x563f15bdeb90, attempt:1 
prosody         | socket                           debug      ssl handshake of client with id:table: 0x563f15bdeb90, attempt:2 
prosody         | socket                           debug      ssl handshake error: dh key too small 
prosody         | socket                           debug      closing client with id: 563f15bdeb90 dh key too small 
prosody         | s2sout563f15c5bcf0               debug      s2s connection attempt failed: dh key too small
prosody         | s2sout563f15c5bcf0               debug      Out of IP addresses, trying next SRV record (if any)
prosody         | s2sout563f15c5bcf0               info      Failed in all attempts to connect to conference.jabber.org
prosody         | s2sout563f15c5bcf0               debug      No other records to try for conference.jabber.org - destroying
prosody         | s2sout563f15c5bcf0               debug      Destroying outgoing session xxx.xxx->conference.jabber.org: Connecting failed: dh key too small
prosody         | s2sout563f15c5bcf0               info      Sending error replies for 1 queued stanzas because of failed outgoing connection to conference.jabber.org
prosody         | stanzarouter                     debug      Received[s2sin]: <iq to='user@xxx.xxx/client' id='xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' type='error' from='room@conference.jabber.org'>
prosody         | c2s563f15b4d340                  debug      Sending[c2s]: <iq to='user@xxx.xxx/client' id='xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' type='error' from='room@conference.jabber.org'>
prosody         | s2sout563f15c5bcf0               debug      s2s disconnected: <nil>-><nil> (dh key too small)
prosody         | socket                           debug      handshake failed because: dh key too small 
Zash commented

Short version:
jabber.org uses 1024 bit DH parameters.
Recent OpenSSL (1.1.1 possibly) enforces a limit on (I think) 2048 bit minimum.
Hilarity ensues. ^W^W Nothing works.

quite commented

I think this implies that the jabber.org contingent have detached from the rest of federated XMPP space (or is at least becoming more so, as openssl 1.1.1 is spreading). It's a loss!

Same here with trashserver.net :( Too bad the problem still exists.

To allow connections to ancient, poorly secured servers you need to do the following:

In /etc/ssl/default.cnf, go to the section [system_default_sect] and set CipherString = DEFAULT@SECLEVEL=1

However, this will weaken overall encryption security of your system, so you must know what you're doing...
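Added example (not code from the issue, from Prosody or from jabber.org): two defender-side checks for the situation described in the thread. The first scans Prosody debug-log lines like the ones in the report and lists which remote domains' outgoing s2s connections died with "dh key too small", so an operator can see which federation partners are affected. The second applies OpenSSL's security-level table (level 1 = 80-bit security, DH >= 1024; level 2 = 112-bit, DH >= 2048; level 3 = 128-bit, DH >= 3072) to a DH group size, which is why 1024-bit parameters fail at SECLEVEL=2 (the level Debian builds OpenSSL 1.1.1 with; the compiled-in default depends on the distribution) and why the CipherString=DEFAULT@SECLEVEL=1 workaround above lets them through. The sample log is constructed from the lines in the issue, with an extra unrelated failure added to show the filtering.

```python
"""Defender-side checks for the "dh key too small" s2s failure (added example)."""
import re
from collections import defaultdict

# Minimum DH modulus size (bits) accepted at each OpenSSL security level.
# Level 0 applies no minimum; levels 1..5 correspond to 80/112/128/192/256-bit
# security, i.e. 1024/2048/3072/7680/15360-bit DH groups.
_SECLEVEL_MIN_DH_BITS = {0: 0, 1: 1024, 2: 2048, 3: 3072, 4: 7680, 5: 15360}


def dh_accepted_at_seclevel(dh_bits, seclevel=2):
    """Return True if a DH group of dh_bits passes the given OpenSSL SECLEVEL."""
    if seclevel not in _SECLEVEL_MIN_DH_BITS:
        raise ValueError("OpenSSL security levels are 0..5")
    return dh_bits >= _SECLEVEL_MIN_DH_BITS[seclevel]


# One Prosody debug line: "<container> | <source> <level> <message>".
_LINE_RE = re.compile(r"^\S+\s+\|\s+(?P<src>\S+)\s+(?P<level>\w+)\s+(?P<msg>.*)$")
# The line Prosody logs when it gives up on an outgoing s2s session.
_DESTROY_RE = re.compile(
    r"Destroying outgoing session (?P<local>\S+)->(?P<remote>\S+): "
    r"Connecting failed: (?P<reason>.+)$"
)


def scan_prosody_log(lines):
    """Map each remote domain to the list of s2s connection-failure reasons seen."""
    failures = defaultdict(list)
    for line in lines:
        m = _LINE_RE.match(line.rstrip())
        if not m:
            continue  # not a Prosody log line; skip
        d = _DESTROY_RE.search(m.group("msg"))
        if d:
            failures[d.group("remote")].append(d.group("reason").strip())
    return dict(failures)


def dh_failures(lines):
    """Sorted list of remote domains that failed with 'dh key too small'."""
    return sorted(
        domain
        for domain, reasons in scan_prosody_log(lines).items()
        if "dh key too small" in reasons
    )


# Constructed sample modelled on the log in the issue; the example.net line is
# made up to show that unrelated failures are kept apart from the DH ones.
SAMPLE_LOG = """\
prosody         | socket                           debug      ssl handshake error: dh key too small
prosody         | s2sout563f15ad31d0               debug      s2s connection attempt failed: dh key too small
prosody         | s2sout563f15ad31d0               debug      Destroying outgoing session xxx.xxx->jabber.org: Connecting failed: dh key too small
prosody         | s2sout563f15c5bcf0               debug      Destroying outgoing session xxx.xxx->conference.jabber.org: Connecting failed: dh key too small
prosody         | s2sout563f15ffffff               debug      Destroying outgoing session xxx.xxx->example.net: Connecting failed: connection refused
""".splitlines()

if __name__ == "__main__":
    print("s2s failures by domain:", scan_prosody_log(SAMPLE_LOG))
    print("failed on DH size:", dh_failures(SAMPLE_LOG))
    for bits in (1024, 2048):
        for level in (1, 2):
            verdict = "accepted" if dh_accepted_at_seclevel(bits, level) else "rejected"
            print(f"{bits}-bit DH at SECLEVEL={level}: {verdict}")
```

Run it against a real Prosody log (`scan_prosody_log(open(path))`) to get the list of peers that need to regenerate their DH parameters; the cleaner fix is on the remote server's side (2048-bit or larger parameters, or ECDHE), and the SECLEVEL=1 change only masks the problem for every TLS client on the host, as the comment above notes.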

This problem is now more aggressive. Connections to e.g. Jabber.de no longer work properly.

@stpeter: Any news about the migration?

@stpeter: Any news about the end of the migration after several months?