Hi Alex,

Thanks for this mail! This is very helpful.

I found a related issue in our stunnel setup using Debian 12.
I detected the following warning/error, although after that a connection was made:
LOG3[89]: SSL_accept: ../ssl/record/ssl3_record.c:354: error:0A00010B:SSL routines::wrong version number
It seems like SSLv3 is still tried and after that TLS.

I chose a similar fix to yours in the client.conf and server.conf, like this:
sslVersionMin = TLSv1.2
sslVersionMax = TLSv1.3

This eliminated the warning.

Regards,
Marcel

________________________________
From: Koha-devel <koha-devel-boun...@lists.koha-community.org> on behalf of Alex Buckley via Koha-devel <koha-devel@lists.koha-community.org>
Sent: Wednesday 8 January 2025 02:32
To: koha-devel <koha-devel@lists.koha-community.org>; roopuukohi...@catalyst.net.nz <roopuukohi...@catalyst.net.nz>
Subject: [Koha-devel] Integration troubleshooting tips after upgrading to Debian 12 (Bookworm)


Kia ora/Hello Koha community,

Over the last few months we have been upgrading the OS of our Koha, database, 
load balancer and VuFind servers from Debian 11 (Bullseye) to Debian 12 
(Bookworm).

We have noticed two things which we thought might be helpful for others:

1) Third-party integrations using Stunnel (for example EZproxy) fail after the 
OS upgrade, if the vendor's stunnel.conf file is configured with: sslVersion = 
TLSv1.

You will see an error like this in your /var/log/stunnel4/stunnel.log:
SSL_accept: ../ssl/t1_lib.c:3364: error:0A000076:SSL routines::no suitable signature algorithm

By default, TLSv1 is NOT considered a suitable signature algorithm in Debian 
Bookworm. The integration vendor needs to update their stunnel.conf to: 
sslVersion = TLSv1.2 and a stunnel restart is needed on their end and on the 
Koha end.

---

2) SFTP file uploads (e.g. MARC or patron CSV file uploads to Koha servers) 
fail if the server uploading the files is using an ssh-rsa public key.

You would see the following error in your /var/log/auth.log file when the 
uploading server attempts to connect:
userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]

By default, Debian 12 does not support ssh-rsa public keys.

Fix: A new key pair needs to be generated on the uploading server using a 
supported algorithm like SHA-2 or ED25519. That public key then needs to be 
copied into the authorized_keys file on your server to restore SFTP 
authorisation.

We hope this information helps others.

Thanks,

Alex


--
Alex Buckley (he/him)
Developer, Implementation Lead | Rōpū kohinga
Catalyst.Net Limited - Expert Open Source Solutions

Catalyst.Net Limited - a Catalyst IT group company
www.catalyst.net.nz<http://www.catalyst.net.nz/>
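An added check for the stunnel.conf setting both messages in this thread describe, written for this page and not taken from either mail: it flags a config pinned to SSLv3, TLSv1 or TLSv1.1 (which Debian 12 refuses by default) and rewrites the pin to the sslVersionMin/sslVersionMax pair Marcel used. The sample config, its section name and hosts are constructed.

```shell
#!/bin/sh
# Constructed sample config: an integration pinned to TLSv1, as in the
# vendor stunnel.conf Alex describes. Section name and hosts are made up.
SAMPLE_CONF='[ezproxy]
client = yes
accept = 127.0.0.1:8443
connect = vendor.example.invalid:443
sslVersion = TLSv1
'

# Protocol pins that Debian 12 refuses at its default OpenSSL security level.
WEAK_PIN='^[[:space:]]*sslVersion[[:space:]]*=[[:space:]]*(SSLv3|TLSv1(\.1)?)[[:space:]]*$'

# Print any weak sslVersion line in the given file.
# Exit status: 0 when the file is clean, 1 when a weak pin is present.
stunnel_weak_protocols() {
    if grep -E "$WEAK_PIN" "$1"; then
        return 1
    fi
    return 0
}

# Copy the file to stdout with each weak sslVersion line replaced by the
# explicit min/max range from Marcel's fix. awk keeps the rewrite portable
# (no GNU-only sed extensions); the regex is repeated with [ \t] because
# older awks lack POSIX character classes.
stunnel_fix_protocols() {
    awk '
        /^[ \t]*sslVersion[ \t]*=[ \t]*(SSLv3|TLSv1(\.1)?)[ \t]*$/ {
            print "sslVersionMin = TLSv1.2"
            print "sslVersionMax = TLSv1.3"
            next
        }
        { print }
    ' "$1"
}

# Stand-alone demonstration on the constructed sample.
tmp_conf=$(mktemp)
printf '%s' "$SAMPLE_CONF" > "$tmp_conf"
if ! stunnel_weak_protocols "$tmp_conf"; then
    echo "--- weak protocol pin found; corrected stunnel.conf:"
    stunnel_fix_protocols "$tmp_conf"
fi
rm -f "$tmp_conf"
```

Both ends of the tunnel still need an stunnel restart after the file changes, as Alex notes.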
