Kia ora/Hello Koha community,

Over the last few months we have been upgrading the OS of our Koha, database, load balancer and VuFind servers from Debian 11 (Bullseye) to Debian 12 (Bookworm).

We have noticed two things which we thought might be helpful for others:

1) Third-party integrations using Stunnel (for example EZproxy) fail after the OS upgrade if the vendor's stunnel.conf file is configured with: sslVersion = TLSv1

You will see an error like this in your /var/log/stunnel4/stunnel.log: SSL_accept: ../ssl/t1_lib.c:3364: error:0A000076:SSL routines::no suitable signature algorithm

By default, TLSv1 is NOT considered a suitable signature algorithm in Debian Bookworm. The integration vendor needs to update their stunnel.conf to: sslVersion = TLSv1.2, and a stunnel restart is needed on their end and on the Koha end.

---

2) SFTP file uploads (e.g. MARC or patron CSV file uploads to Koha servers) fail if the server uploading the files is using an ssh-rsa public key.

You would see the following error in your /var/log/auth.log file when the uploading server attempts to connect: userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]

By default, Debian 12 does not support ssh-rsa public keys.

Fix: A new key pair needs to be generated on the uploading server using a supported algorithm like SHA-2 or ED25519. That public key then needs to be copied into the authorized_keys file on your server to restore SFTP authorisation.
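As an added example (not part of the original post, and not vendor or Koha code), a small shell audit for both issues above: it flags stunnel.conf lines that pin a protocol below TLS 1.2 and counts authorized_keys entries whose key type is ssh-rsa, so you know which uploaders need a new key pair before the upgrade. It assumes the standard "sslVersion = <version>" syntax and the normal OpenSSH authorized_keys format; the sample files are constructed.

```shell
#!/bin/sh
# Added audit helpers for the two post-upgrade failures described above.
# Assumptions: stunnel.conf uses "sslVersion = <version>" lines and
# authorized_keys is in standard OpenSSH format (optional options field,
# key type, base64 key, comment). Sample inputs below are constructed.

# Print stunnel sslVersion lines that pin a protocol below TLS 1.2
# (TLSv1, TLSv1.1, SSLv2, SSLv3). Returns 1 if any are found, else 0.
check_stunnel_conf() {
    bad=$(grep -inE '^[[:space:]]*sslVersion[[:space:]]*=[[:space:]]*(TLSv1(\.[01])?|SSLv[23])[[:space:]]*$' "$1" || :)
    if [ -n "$bad" ]; then
        printf '%s: legacy protocol pinned, set sslVersion = TLSv1.2:\n%s\n' "$1" "$bad"
        return 1
    fi
    return 0
}

# Count authorized_keys entries whose key type is ssh-rsa, the type the
# post reports as rejected; these are the uploaders that need a new key.
count_ssh_rsa_keys() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }                # comments and blanks
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^(ssh-|ecdsa-|sk-)/) {     # first key-type field
                    if ($i == "ssh-rsa") n++
                    break
                }
            }
        }
        END { print n + 0 }' "$1"
}

# Write constructed sample files into a temp dir and print its path.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/stunnel.conf" <<'EOF'
; constructed vendor config, not a real EZproxy file
[ezproxy]
accept = 443
connect = 127.0.0.1:8080
sslVersion = TLSv1
EOF
    {
        printf 'ssh-rsa AAAAB3NzaC1yc2EAAAA constructed-rsa@uploader\n'
        printf 'from="192.0.2.10" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA constructed-ed25519@uploader\n'
    } > "$d/authorized_keys"
    printf '%s\n' "$d"
}
```

Run `d=$(make_samples); check_stunnel_conf "$d/stunnel.conf"; count_ssh_rsa_keys "$d/authorized_keys"` to see the flagged line and the count of 1.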

We hope this information helps others.

Thanks,

Alex


--
*Alex Buckley (he/him)*
Developer, Implementation Lead | Rōpū kohinga
*Catalyst.Net Limited - Expert Open Source Solutions*

*Catalyst.Net Limited - a Catalyst IT group company*
www.catalyst.net.nz



_______________________________________________
Koha-devel mailing list
Koha-devel@lists.koha-community.org
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel