Hi Marcel,
I'm glad to hear that my email was helpful. Thanks for sharing that
related issue in your stunnel setup; that is good to know. Appreciate it!
Kind regards,
Alex
On 9/01/25 11:59 pm, Marcel de Rooy wrote:
Hi Alex,
Thanks for this mail! This is very helpful.
I found a related issue in our stunnel setup using Debian12.
Detected the following warning/error, although after that a connection was made.
LOG3[89]: SSL_accept: ../ssl/record/ssl3_record.c:354:
error:0A00010B:SSL routines::wrong version number
Seems like SSLv3 is still tried and after that TLS.
I chose a similar fix to yours in the client.conf and server.conf,
like this:
sslVersionMin = TLSv1.2
sslVersionMax = TLSv1.3
This eliminated the warning.
Regards,
Marcel
------------------------------------------------------------------------
*From:* Koha-devel <koha-devel-boun...@lists.koha-community.org> on behalf of
Alex Buckley via Koha-devel <koha-devel@lists.koha-community.org>
*Sent:* Wednesday 8 January 2025 02:32
*To:* koha-devel <koha-devel@lists.koha-community.org>;
roopuukohi...@catalyst.net.nz <roopuukohi...@catalyst.net.nz>
*Subject:* [Koha-devel] Integration troubleshooting tips after
upgrading to Debian 12 (Bookworm)
Kia ora/Hello Koha community,
Over the last few months we have been upgrading the OS of our Koha,
database, load balancer and VuFind servers from Debian 11 (Bullseye)
to Debian 12 (Bookworm).
We have noticed two things which we thought might be helpful for others:
1) Third-party integrations using Stunnel (for example EZproxy) fail
after the OS upgrade, if the vendor's stunnel.conf file is configured
with: sslVersion = TLSv1
You will see an error like this in your /var/log/stunnel4/stunnel.log:
SSL_accept: ../ssl/t1_lib.c:3364: error:0A000076:SSL routines::no
suitable signature algorithm
By default, TLSv1 is NOT considered a suitable signature algorithm in
Debian Bookworm. The integration vendor needs to update their
stunnel.conf to: sslVersion = TLSv1.2, and a stunnel restart is
needed on their end and on the Koha end.
---
2) SFTP file uploads (e.g. MARC or patron CSV file uploads to Koha
servers) fail if the server uploading the files is using an ssh-rsa
public key.
You would see the following error in your /var/log/auth.log file when
the uploading server attempts to connect: userauth_pubkey: signature
algorithm ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
By default, Debian 12 does not support ssh-rsa public keys.
Fix: A new key pair needs to be generated on the uploading server
using a supported algorithm like SHA-2 or ED25519. That public key
then needs to be copied into the authorized_keys file on your server
to restore SFTP authorisation.
We hope this information helps others.
Thanks,
Alex
--
*Alex Buckley (he/him)*
Developer, Implementation Lead | Rōpū kohinga
*Catalyst.Net Limited - Expert Open Source Solutions*
*Catalyst.Net Limited - a Catalyst IT group company*
www.catalyst.net.nz <http://www.catalyst.net.nz/>
Follow Catalyst Koha on Twitter <https://twitter.com/catalystkoha> |
Subscribe to the Catalyst Koha newsletter
<https://catalyst.us4.list-manage.com/subscribe?u=62457ff5060d15ee3c07d3fc4&id=b73fbdcac8>
CONFIDENTIALITY NOTICE: This email is intended for the named
recipients only. It may contain privileged, confidential or copyright
information. If you are not the named recipient, any use, reliance
upon, disclosure or copying of this email or its attachments is
unauthorised. If you have received this email in error, please reply
via email or call +64 4 499 2267.
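For the two symptoms Alex describes (and the sslVersionMin/sslVersionMax
change Marcel made), here is a small audit script as an added example. It
is my own code, not Alex's, Marcel's or the Koha project's: it scans a
vendor stunnel.conf for sslVersion/sslVersionMin/sslVersionMax values that
Bookworm's OpenSSL 3 will no longer negotiate, counts sshd "not in
PubkeyAcceptedAlgorithms" rejections in auth.log lines, and classifies the
key type of authorized_keys entries. The stunnel.conf, the log lines and
the keys are constructed samples; the LEGACY_TLS list, the advice strings
and the function names are my assumptions, not anything from stunnel or
OpenSSH. One caveat worth knowing: the sshd message names a signature
algorithm, and "ssh-rsa" is RSA with SHA-1. An RSA key whose client signs
with rsa-sha2-256/512 is still accepted by Bookworm's sshd, so an ssh-rsa
finding is a prompt to check what the uploading client does; a new ED25519
pair, as the thread recommends, is the simplest fix either way.

```python
"""Constructed audit helpers for the Debian 12 (Bookworm) upgrade symptoms
discussed on koha-devel: legacy TLS settings in stunnel.conf and sshd
rejecting the SHA-1 'ssh-rsa' signature scheme. Example code, not part of
stunnel, OpenSSH or Koha."""
import re

# Protocol versions whose handshakes OpenSSL 3 rejects at Bookworm's default
# security level (they depend on SHA-1 signatures). Assumption for this example.
LEGACY_TLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")

MIN_ADVICE = "set sslVersionMin = TLSv1.2 (and sslVersionMax = TLSv1.3)"
MAX_ADVICE = "sslVersionMax caps negotiation below TLSv1.2; raise it to TLSv1.3"


def audit_stunnel_conf(text):
    """Scan stunnel.conf text; return (section, key, value, advice) findings.

    stunnel.conf is INI-like: 'key = value' lines, optional [service]
    sections, ';' starts a comment. Keys before any section are 'global'.
    """
    findings = []
    section = "global"
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip()
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in ("sslVersion", "sslVersionMin") and value in LEGACY_TLS:
            findings.append((section, key, value, MIN_ADVICE))
        elif key == "sslVersionMax" and value in LEGACY_TLS:
            findings.append((section, key, value, MAX_ADVICE))
    return findings


# Matches the auth.log line quoted in the thread and captures the algorithm.
SSHD_REJECT = re.compile(
    r"userauth_pubkey: signature algorithm (?P<alg>\S+) not in PubkeyAcceptedAlgorithms")


def find_rejected_pubkey_algs(log_lines):
    """Return {signature_algorithm: count} for sshd rejections in log_lines."""
    counts = {}
    for line in log_lines:
        m = SSHD_REJECT.search(line)
        if m:
            counts[m.group("alg")] = counts.get(m.group("alg"), 0) + 1
    return counts


SAFE_KEY_TYPES = ("ssh-ed25519", "sk-ssh-ed25519@openssh.com",
                  "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
                  "ecdsa-sha2-nistp521")


def key_type_advice(pubkey_line):
    """Classify one authorized_keys or .pub line by key type.

    Returns 'ok', 'sha1-signature-risk' (an ssh-rsa key, which only works if
    the client signs with rsa-sha2-*) or 'unknown'. Options such as
    command="..." may precede the key type, so every field is inspected.
    """
    for field in pubkey_line.split():
        if field in SAFE_KEY_TYPES:
            return "ok"
        if field == "ssh-rsa":
            return "sha1-signature-risk"
    return "unknown"


# Constructed sample inputs (not a real vendor file or real server logs).
SAMPLE_STUNNEL_CONF = """\
; constructed vendor stunnel.conf
cert = /etc/stunnel/stunnel.pem
[ezproxy]
accept = 9999
connect = 127.0.0.1:9998
sslVersion = TLSv1
"""

SAMPLE_AUTH_LOG = [
    "Jan  8 02:32:10 koha sshd[1234]: userauth_pubkey: signature algorithm "
    "ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]",
    "Jan  8 02:32:12 koha sshd[1234]: Connection closed by authenticating "
    "user upload 192.0.2.10 port 51234 [preauth]",
    "Jan  8 02:35:00 koha sshd[1240]: Accepted publickey for upload from "
    "192.0.2.10 port 51240 ssh2: ED25519 SHA256:constructed",
]

if __name__ == "__main__":
    for finding in audit_stunnel_conf(SAMPLE_STUNNEL_CONF):
        print("stunnel.conf [%s] %s = %s -> %s" % finding)
    print("sshd rejections:", find_rejected_pubkey_algs(SAMPLE_AUTH_LOG))
    print("key check:", key_type_advice("ssh-rsa AAAAB3NzaC1yc2E-constructed upload@vendor"))
```

Run it on the vendor's stunnel.conf and a slice of auth.log; an empty
findings list plus an empty rejection map is the "nothing to fix" result.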
_______________________________________________
Koha-devel mailing list
Koha-devel@lists.koha-community.org
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel
website : https://www.koha-community.org/
git : https://git.koha-community.org/
bugs : https://bugs.koha-community.org/