In case you're using the official ejabberd packages on Debian stable: They're affected by a recent CA policy change (e.g., Let's Encrypt), causing ejabberd to reject newly issued certificates and thereby breaking federation with some remote servers. Deploy this update to fix the issue:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128568#23

You may also want to consider enabling mod_s2s_dialback to deal with remote servers that haven't been updated yet.

#ejabberd #XMPP #Jabber #Debian #LetsEncrypt

#1128568 - ejabberd: Federation with some servers is broken (TLS issue: unsupported certificate purpose) - Debian Bug report logs
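A quick way to reproduce the "unsupported certificate purpose" condition named in the bug title, as an added shell example that is not from this thread or from ejabberd: it asks OpenSSL which purposes a certificate satisfies and compares a certificate carrying both the serverAuth and clientAuth EKU with one that carries serverAuth only. It assumes the openssl CLI (1.1.1 or newer) is installed and that the purpose an un-patched ejabberd demands of an inbound s2s peer is "SSL client", i.e. the clientAuth EKU that the CA policy change removes from newly issued certificates; the certificates it inspects are generated on the spot as constructed test data.

```shell
#!/bin/sh
# Added example, not from the thread. "openssl x509 -purpose" applies the same
# purpose classification that produces "unsupported certificate purpose" when a
# peer certificate lacks the purpose the verifier asks for.
# Assumptions: openssl >= 1.1.1; an un-patched ejabberd asks for the "SSL client"
# purpose (clientAuth EKU) on inbound s2s connections (assumption, see lead-in).

# Print Yes/No for one purpose label exactly as "openssl x509 -purpose" names it,
# e.g. "SSL client" or "SSL server". Prints nothing if the file is not a cert.
cert_purpose() {
    openssl x509 -in "$1" -noout -purpose 2>/dev/null \
        | awk -F' : ' -v p="$2" '$1 == p { print $2 }' | cut -d' ' -f1
}

# Return 0 when the certificate satisfies both the server and the client
# purpose (what the un-patched verifier demands, per the assumption above).
s2s_peer_cert_ok() {
    [ "$(cert_purpose "$1" "SSL server")" = "Yes" ] &&
    [ "$(cert_purpose "$1" "SSL client")" = "Yes" ]
}

# Generate a throwaway self-signed certificate with the given EKU list
# (constructed test data; "" means no extendedKeyUsage extension at all).
make_test_cert() {
    out=$1; eku=$2
    set -- req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$out.key" -out "$out" -days 1 -subj "/CN=xmpp.example.invalid"
    if [ -n "$eku" ]; then
        openssl "$@" -addext "extendedKeyUsage=$eku" 2>/dev/null
    else
        openssl "$@" 2>/dev/null
    fi
}

# Demo: a certificate with both EKUs passes, a serverAuth-only one (the
# federation-breaking case) fails the "SSL client" purpose.
demo() {
    dir=$(mktemp -d)
    make_test_cert "$dir/both.pem" "serverAuth,clientAuth"
    make_test_cert "$dir/server-only.pem" "serverAuth"
    for c in both server-only; do
        printf '%s: SSL server=%s SSL client=%s s2s-ok=%s\n' "$c" \
            "$(cert_purpose "$dir/$c.pem" "SSL server")" \
            "$(cert_purpose "$dir/$c.pem" "SSL client")" \
            "$(s2s_peer_cert_ok "$dir/$c.pem" && echo yes || echo no)"
    done
    rm -rf "$dir"
}
```

Run `demo` to see the two results side by side; point `cert_purpose` at a real PEM (for example one saved with `openssl s_client -showcerts`) to inspect a deployed certificate the same way.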

@holger beware though that dialback has weaker security properties than proper certificate validation. So it should only be enabled as an interim solution.

@Monal Yes.

I think the main scenario that certificate authentication protects against but Dialback does not looks like this:

- Alice exchanges messages with a remote contact, Bob.
- Those messages aren't E2E-encrypted/-verified.
- The attacker cannot MitM Alice's c2s connection.
- The attacker cannot MitM Bob's c2s connection.
- The attacker has no access to the remote server's certificate/key.
- DNSSEC is not deployed for the relevant domain(s).
- The attacker cannot MitM the (multi-perspective) DNS traffic used for issuing a new certificate.
- But the attacker can MitM the DNS traffic used for Dialback.

@holger is my server affected as well, if my Ejabberd is built from source?

@thomas ejabberd 25.07 and newer contain that fix, so no, your instance is not affected.