gajim: failed to secure c2s connection: TLS failed:client renegotiations forbidden #2614
Comments
Gajim version 1.0.2 or newer right? What OpenSSL version? |
Duplicate of #2607 ? |
|
@zinid no, I'm using letsencrypt. |
This ^^^
TL;DR: this is related to TLSv1.3 |
@prefiks feel free to close the issue if you think it's already fixed. |
Is there a workaround I can use for now? |
@OneOfOne you can compile ejabberd from master branch. |
Or maybe just compiling fast_tls from master is enough. |
@OneOfOne by the way, this is also a problem of Arch packages: current version of ejabberd doesn't work with openssl1.1.1, but the package manager ignores this. Worth reporting to the Arch bugtracker. |
Compiling fast_tls from master didn't work |
For me compiling |
@OneOfOne @melvinvermeeren Arch released 18.09 earlier this week, but I still see the errors mentioned above. Does the update improve/solve the situation for you? (btw. don't try to downgrade OpenSSL as it will break pacman) |
@arendtio The upgrade to 18.09 seems to include the recent Current versions on server are In define_macro:
  'TLS_OPTIONS':
    - "no_sslv2"
    - "no_sslv3"
    - "no_tlsv1"
    - "cipher_server_preference"
    - "no_compression"
For every |
@melvinvermeeren Thanks for the detailed description, but it seems my setup is not so different (same ejabberd and OpenSSL version and I tried your config options), and yet some clients still have problems connecting. Do you mind if I ask how you tried to trigger the issue on your server? The Arch version of Gajim doesn't seem to have the problem anymore (at least for me), but I have a few users with other clients. One of the clients which trigger the issue on my server is Conversations Legacy. Also, some older versions of the 2.0 branch of Conversations seem to have problems too. |
@arendtio I have not tested the current setup with anything besides Gajim on Arch Linux, in my case I host a very small XMPP node for personal use and a few friends. What might be related is that, also on Arch Linux, Firefox cannot connect to the ejabberd web interface at all. For example https://mel.vin:5443/ gives a:
With other browsers (Falkon, w3m) and tools like curl it does work properly, just like within Gajim (tried HTTPUpload). However, it could be there is a bug in ejabberd or fast_tls that in this case triggers on Firefox but in fact might be the same bug your older clients are experiencing, unless of course there is a bug in Firefox. |
At least I am not the only one with that Firefox issue ;-) Currently, I am trying to clean up my config; maybe that helps. |
There is a commit in fast_tls repo which fixes your issue. You have to build fast_tls master branch manually and update. Or ask the maintainer of ejabberd in ArchLinux to do it. |
@zinid applied this fix on my server, thanks. |
@zinid I can confirm the commit you mention seems to fix the
They seem to be triggered by connection attempts from Conversations Legacy clients. Those clients still cannot connect. Any ideas? |
https://github.com/siacs/Conversations/commit/b6c5000d0146225d1b73726192df604623171cc5
|
Thanks @alexara 👍 in fact, I was using f-droid which did not install the newest version :-/ , but with the newest version from the Play Store, Conversations Legacy can connect now too. Is there a way to configure the server so that it can handle broken/outdated clients until most clients have been upgraded to compatible versions (like disabling TLS 1.3 for the time being, or even better something that lets modern clients still use TLS1.3)? |
Of course you can disable TLS 1.3: use |
@zinid nice, that worked. I didn't expect it to, as it is not listed in the file which is linked in the documentation. From my perspective it looks like all clients can connect again 🥇 Let me sum up what I did for the workaround:
Thank you all for helping me through this. I hope this is useful for @OneOfOne too. |
I think we can close this. There is enough info here to fix 18.09 and with the new release the issue will be resolved automatically. |
Same problem started to happen for me after I upgraded from Ubuntu 18.04 "bionic" to 18.10 "cosmic". Setting |
HTTP uploads also didn't work from Conversations. Had to set |
@mbirth Thanks for mentioning it. I was wondering the last few days why I got multiple reports of failed image transfers which worked just fine after client updates. |
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
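Added example (not part of the original thread, and not ejabberd, fast_tls or client code): a small Python probe that performs XMPP STARTTLS on the c2s port and reports the negotiated TLS version, once with the client's default maximum and once capped at TLS 1.2, to check how a server answers TLS 1.3-capable and older clients as discussed above. The host, the domain and port 5222 are assumptions supplied by the caller.

```python
import socket
import ssl
import sys

STARTTLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"

def stream_header(domain):
    """Opening stream tag a client sends on the c2s port (RFC 6120)."""
    return ("<?xml version='1.0'?><stream:stream to='%s' version='1.0' "
            "xmlns='jabber:client' "
            "xmlns:stream='http://etherx.jabber.org/streams'>" % domain).encode()

def offers_starttls(features):
    """True if the server's <stream:features/> advertises STARTTLS."""
    return b"<starttls" in features and STARTTLS_NS.encode() in features

def client_context(max_version=None):
    """Verifying client context; max_version caps the offered TLS version."""
    ctx = ssl.create_default_context()
    if max_version is not None:
        ctx.maximum_version = max_version
    return ctx

def read_until(sock, marker, limit=65536):
    """Read from the plain socket until marker is seen or the peer closes."""
    buf = b""
    while marker not in buf and len(buf) < limit:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf

def probe(host, domain, port=5222, max_version=None, timeout=10):
    """Do XMPP STARTTLS and return the negotiated version, e.g. 'TLSv1.3'."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(stream_header(domain))
        if not offers_starttls(read_until(raw, b"</stream:features>")):
            raise RuntimeError("server did not offer STARTTLS")
        raw.sendall(("<starttls xmlns='%s'/>" % STARTTLS_NS).encode())
        if b"<proceed" not in read_until(raw, b"/>"):
            raise RuntimeError("server refused STARTTLS")
        with client_context(max_version).wrap_socket(raw, server_hostname=domain) as tls:
            return tls.version()

if __name__ == "__main__":
    host, domain = sys.argv[1], sys.argv[2]  # caller-supplied: your own server
    for label, cap in (("default", None), ("TLS 1.2 cap", ssl.TLSVersion.TLSv1_2)):
        try:
            print(label, "->", probe(host, domain, max_version=cap))
        except (OSError, RuntimeError) as exc:  # ssl.SSLError is an OSError
            print(label, "-> failed:", exc)
```

Run it as `python3 probe.py <host> <xmpp-domain>` before and after changing the server's TLS options; a handshake failure on the default line but success on the capped line points at the TLS 1.3 path.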
Environment
Erlang (SMP,ASYNC_THREADS,HIPE) (BEAM) emulator version 10.0.8
Errors from error.log/crash.log
Bug description
Gajim can't connect and I get that error every time it tries to connect.
Other clients work fine.