Hi Matthias,
Matthias Schmidt <[email protected]> wrote:
> Maybe it's me and my stupidity but since this update I can no longer
> connect to a XMPP server with a LE certificate. Both client and server
> are running -current (server with prosody). The client reports "Login
> failed" and the debug log shows:
>
> 19/09/2021 11:16:17: prof: INF: Connecting using account: [email protected]
> 19/09/2021 11:16:17: prof: INF: Connecting as
> [email protected]/profanity.kTdJ
> 19/09/2021 11:16:17: prof: DBG: Connecting with flags (0x2):
> 19/09/2021 11:16:17: prof: DBG: XMPP_CONN_FLAG_MANDATORY_TLS
> 19/09/2021 11:16:17: xmpp: DBG: SRV lookup failed, connecting via domain.
> 19/09/2021 11:16:17: xmpp: DBG: sock_connect() to jabber.xosc.org:5222
> returned 7
> 19/09/2021 11:16:17: xmpp: DBG: Attempting to connect to jabber.xosc.org
> 19/09/2021 11:16:17: xmpp: DBG: connection successful
> 19/09/2021 11:16:17: conn: DBG: SENT: <?xml version="1.0"?><stream:stream
> to="jabber.xosc.org" xml:lang="en" version="1.0" xmlns="jabber:client"
> xmlns:stream="http://etherx.jabber.org/streams">
> 19/09/2021 11:16:17: xmpp: DBG: RECV: <stream:stream version="1.0"
> id="8c063ebf-77e7-4493-9ac3-79b6b0defa4d" lang="en" from="jabber.xosc.org">
> 19/09/2021 11:16:17: xmpp: DBG: RECV: <features
> xmlns="http://etherx.jabber.org/streams"><starttls
> xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls></features>
> 19/09/2021 11:16:17: conn: DBG: SENT: <starttls
> xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
> 19/09/2021 11:16:17: xmpp: DBG: RECV: <proceed
> xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
> 19/09/2021 11:16:17: xmpp: DBG: handle proceedtls called for proceed
> 19/09/2021 11:16:17: xmpp: DBG: proceeding with TLS
> 19/09/2021 11:16:17: tls: DBG: Certificate verification FAILED,
> result=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY(20)
> 19/09/2021 11:16:17: tls: DBG: Certificate was not presented by peer
> 19/09/2021 11:16:17: tls: DBG: error=SSL_ERROR_SSL(1) errno=0
> 19/09/2021 11:16:17: tls: DBG: error:14FFF086:SSL
> routines:(UNKNOWN)SSL_internal:certificate verify failed
> 19/09/2021 11:16:17: conn: DBG: Couldn't start TLS! error -3 tls_error 1
> 19/09/2021 11:16:17: conn: DBG: SENT: </stream:stream>
> 19/09/2021 11:16:17: xmpp: DBG: Send error occurred, disconnecting.
> 19/09/2021 11:16:17: xmpp: DBG: Closing socket.
> 19/09/2021 11:16:17: prof: DBG: Connection handler: XMPP_CONN_DISCONNECT
> 19/09/2021 11:16:17: prof: DBG: Connection handler: Login failed
> 19/09/2021 11:16:17: prof: DBG: Connection handler: No reconnect timer
> 19/09/2021 11:16:17: prof: INF: Login failed
>
> The server simply logs:
>
> Sep 19 09:23:14 omega prosody[38808]: c2s87a60669340: Client connected
> Sep 19 09:23:16 omega prosody[38808]: c2s87a60669340: Client disconnected:
> ssl handshake error: tlsv1 alert unknown ca
I think something is off in your certs. Running
openssl s_client -connect jabber.xosc.org:xmpp-server -starttls xmpp -xmpphost
jabber.xosc.org </dev/null
from -current yields
depth=0 CN = omega.xosc.org
verify error:num=20:unable to get local issuer certificate
verify return:1
CONNECTED(00000003)
write W BLOCK
---
Certificate chain
0 s:/CN=omega.xosc.org
i:/C=US/O=Let's Encrypt/CN=R3
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/CN=omega.xosc.org
issuer=/C=US/O=Let's Encrypt/CN=R3
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 2912 bytes and written 568 bytes
---
New, TLSv1/SSLv3, Cipher is AEAD-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.3
Cipher : AEAD-AES256-GCM-SHA384
Session-ID:
Session-ID-ctx:
Master-Key:
Start Time: 1632057849
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
DONE
It includes the lines
depth=0 CN = omega.xosc.org
verify error:num=20:unable to get local issuer certificate
verify return:1
which are the same as shown in the log, so I think the issue is more
related to LibreSSL or the cert setup itself than the switch away from
libmesode. It also shows
---
Certificate chain
0 s:/CN=omega.xosc.org
i:/C=US/O=Let's Encrypt/CN=R3
---
Maybe you aren't using the fullchain and instead present the cert for
just your host? It doesn't show the "middle" cert from LE. This is the
chain for a correctly verified (from `openssl s_client`'s point of view)
cert issued by LE
---
Certificate chain
0 s:/CN=www.openbsd.org
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
In particular, `/etc/ssl/cert.pem` does include the certs for
=== /C=US/O=Internet Security Research Group/CN=ISRG Root X1
and
=== /O=Digital Signature Trust Co./CN=DST Root CA X3
which is what allows LibreSSL to verify the whole chain.
> When I play around with the /tls settings, I mostly get the message
>
> 11:20:36 - Certificate path setting only supported when built with libmesode.
> 11:20:47 - Certificate path setting only supported when built with libmesode.
This is bound to profanity code. It has quite a few big chunks under
`#ifdef HAVE_LIBMESODE` in `src/command/cmd_funcs.c`.
-Lucas
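Added example, not from this thread and not code from profanity, prosody or LibreSSL: the script below reproduces the verify error 20 (X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) seen in the log entirely offline. It builds a throwaway root -> intermediate -> leaf chain with the `openssl` CLI (OpenSSL or LibreSSL assumed to be on PATH), writes the leaf alone as `cert.pem` and leaf plus intermediate as `fullchain.pem` (certbot's naming, used here as an assumption about the server's layout), then shows that `openssl verify` rejects the leaf with error 20 when only the root is trusted, and accepts it once the intermediate is supplied via `-untrusted`, which stands in for the chain a server presents in the handshake. It also automates the "i:" versus "s:" comparison done by eye above: does the file carry the certificate that issued its leaf? All names (Example Root, Example R3, omega.example) are invented.

```shell
#!/bin/sh
# Added example, not part of the original mail: reproduce verify error 20
# (X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) offline with a throwaway
# root -> intermediate -> leaf chain, then show that the same leaf verifies
# once the intermediate is supplied, as a Let's Encrypt fullchain.pem does.
# All names (Example Root, Example R3, omega.example) are made up.
set -eu

# make_chain DIR: build root.pem, inter.pem, leaf.pem plus cert.pem
# (leaf only) and fullchain.pem (leaf + intermediate) under DIR.
make_chain() {
  d=$1
  mkdir -p "$d"

  # Root CA, self-signed, CA:true
  openssl ecparam -genkey -name prime256v1 -noout -out "$d/root.key"
  openssl req -new -key "$d/root.key" -subj "/CN=Example Root" -out "$d/root.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null

  # Intermediate CA (the "middle" cert), signed by the root
  openssl ecparam -genkey -name prime256v1 -noout -out "$d/inter.key"
  openssl req -new -key "$d/inter.key" -subj "/CN=Example R3" -out "$d/inter.csr" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -days 2 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null

  # Leaf (server) cert, signed by the intermediate
  openssl ecparam -genkey -name prime256v1 -noout -out "$d/leaf.key"
  openssl req -new -key "$d/leaf.key" -subj "/CN=omega.example" -out "$d/leaf.csr" 2>/dev/null
  printf 'basicConstraints=CA:false\nsubjectAltName=DNS:omega.example\n' > "$d/leaf.ext"
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" -CAcreateserial \
    -days 2 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null

  cp "$d/leaf.pem" "$d/cert.pem"                        # what a misconfigured server sends
  cat "$d/leaf.pem" "$d/inter.pem" > "$d/fullchain.pem" # what it should send
}

# verify_result LEAF CAFILE [UNTRUSTED]: print "ok", or the numeric
# X509_V_ERR code from openssl verify's "error N at D depth lookup" line.
# UNTRUSTED plays the role of the chain the server presents in the handshake.
verify_result() {
  if [ $# -ge 3 ]; then
    out=$(openssl verify -CAfile "$2" -untrusted "$3" "$1" 2>&1) && { echo ok; return 0; }
  else
    out=$(openssl verify -CAfile "$2" "$1" 2>&1) && { echo ok; return 0; }
  fi
  echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at [0-9][0-9]* depth lookup.*/\1/p' | head -n 1
}

# chain_self_contained FILE: succeed if the issuer of the first (leaf)
# certificate in FILE is the subject of another certificate in FILE, i.e.
# the "i:" of cert 0 matches the "s:" of a later cert in s_client terms.
chain_self_contained() {
  tmp=$(mktemp -d)
  # Split the PEM bundle into 1.pem, 2.pem, ... in order of appearance
  awk -v dir="$tmp" '/BEGIN CERTIFICATE/ { n++ } n > 0 { print > (dir "/" n ".pem") }' "$1"
  want=$(openssl x509 -in "$tmp/1.pem" -noout -issuer | sed 's/^[a-z]*= *//')
  found=1
  for f in "$tmp"/*.pem; do
    if [ "$f" != "$tmp/1.pem" ] && \
       [ "$(openssl x509 -in "$f" -noout -subject | sed 's/^[a-z]*= *//')" = "$want" ]; then
      found=0
    fi
  done
  rm -rf "$tmp"
  return $found
}

demo=$(mktemp -d)
make_chain "$demo"
echo "leaf only     : $(verify_result "$demo/cert.pem" "$demo/root.pem")"                         # 20
echo "with fullchain: $(verify_result "$demo/cert.pem" "$demo/root.pem" "$demo/fullchain.pem")"   # ok
for f in cert.pem fullchain.pem; do
  if chain_self_contained "$demo/$f"; then echo "$f: issuer present"; else echo "$f: issuer missing"; fi
done
rm -rf "$demo"
```

Against a live server the same two checks apply to the chain captured with `openssl s_client -showcerts -starttls xmpp -connect host:5222`: the leaf should verify against `/etc/ssl/cert.pem` with the captured bundle passed as `-untrusted`, and the bundle should contain the leaf's issuer. Error 20 at depth 0 with a single "s:/i:" pair in the output is the signature of a server configured with `cert.pem` instead of `fullchain.pem`.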