From 72bc9b6c7f6afce7aa671a47eee343cc25b0abcb Mon Sep 17 00:00:00 2001
From: Pawel Chmielowski
Date: Wed, 9 Jul 2025 13:21:03 +0200
Subject: [PATCH] Allow s2s connections to accept client certificates that have only server purpose

Due to Google Chrome certification requirements we can expect that in near future there will be no certificate authority that will issue certifcates that have both server and client auth purposes. This change makes s2s listeners ignore cert purposes, and should allow servers that have those new certificate to use it, to authenticate new s2s connections. This fixes issue #4392
---
 mix.exs | 2 +-
 rebar.config | 2 +-
 rebar.lock | 7 ++++---
 src/ejabberd_s2s_in.erl | 2 +-
 4 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/mix.exs b/mix.exs
index 7a12a248a..3fead1d4b 100644
--- a/mix.exs
+++ b/mix.exs
@@ -120,7 +120,7 @@ defmodule Ejabberd.MixProject do
 {:dialyxir, "~> 1.2", only: [:test], runtime: false},
 {:eimp, "~> 1.0"},
 {:ex_doc, "~> 0.31", only: [:edoc], runtime: false},
- {:fast_tls, "~> 1.1.22"},
+ {:fast_tls, git: "https://github.com/processone/fast_tls.git", ref: "f1e55d6d6bdf109ebc48dda880d028c95f349c3b", override: true},
 {:fast_xml, git: "https://github.com/processone/fast_xml", ref: "72e1c1b2eef84804399095704f2d729d5df8f02e", override: true},
 {:fast_yaml, "~> 1.0"},
 {:idna, "~> 6.0"},
diff --git a/rebar.config b/rebar.config
index eb160ed8b..9f1652b50 100644
--- a/rebar.config
+++ b/rebar.config
@@ -44,7 +44,7 @@
 {esip, "~> 1.0.57", {git, "https://github.com/processone/esip", {tag, "1.0.57"}}}},
 {if_var_true, zlib,
 {ezlib, "~> 1.0.13", {git, "https://github.com/processone/ezlib", {tag, "1.0.13"}}}},
- {fast_tls, "~> 1.1.22", {git, "https://github.com/processone/fast_tls", {tag, "1.1.22"}}},
+ {fast_tls, "~> 1.1.22", {git, "https://github.com/processone/fast_tls", "f1e55d6d6bdf109ebc48dda880d028c95f349c3b"}},
 {fast_xml, "~> 1.1.55", {git, "https://github.com/processone/fast_xml", "72e1c1b2eef84804399095704f2d729d5df8f02e"}},
 {fast_yaml, "~> 1.0.37", {git, "https://github.com/processone/fast_yaml", {tag, "1.0.37"}}},
 {idna, "~> 6.0", {git, "https://github.com/benoitc/erlang-idna", {tag, "6.0.0"}}},
diff --git a/rebar.lock b/rebar.lock
index d4452766d..50ef76ab4 100644
--- a/rebar.lock
+++ b/rebar.lock
@@ -6,7 +6,10 @@
 {<<"eredis">>,{pkg,<<"eredis">>,<<"1.7.1">>},0},
 {<<"esip">>,{pkg,<<"esip">>,<<"1.0.57">>},0},
 {<<"ezlib">>,{pkg,<<"ezlib">>,<<"1.0.13">>},0},
- {<<"fast_tls">>,{pkg,<<"fast_tls">>,<<"1.1.22">>},0},
+ {<<"fast_tls">>,
+ {git,"https://github.com/processone/fast_tls",
+ {ref,"f1e55d6d6bdf109ebc48dda880d028c95f349c3b"}},
+ 0},
 {<<"fast_xml">>,
 {git,"https://github.com/processone/fast_xml",
 {ref,"72e1c1b2eef84804399095704f2d729d5df8f02e"}},
@@ -44,7 +47,6 @@
 {<<"eredis">>, <<"39E31AA02ADCD651C657F39AAFD4D31A9B2F63C6C700DC9CECE98D4BC3C897AB">>},
 {<<"esip">>, <<"4B14E4832D08B9FFC10D855B5D10B3083232B1D53DEB4C046679496CE85569C4">>},
 {<<"ezlib">>, <<"3C7F62862850A241159C10B218ECF580BCE54D0890601B65144DACC2633BE2B0">>},
- {<<"fast_tls">>, <<"44356B256AFAD4399C2FC5059A3066669DAFD8BD4E4E796C9C1CF8910DDD265E">>},
 {<<"fast_yaml">>, <<"F71D472FBF787CCD161B914D1EB486116A0F4F2E835337A378FBD31B59D2E74B">>},
 {<<"idna">>, <<"8A63070E9F7D0C62EB9D9FCB360A7DE382448200FBBD1B106CC96D3D8099DF8D">>},
 {<<"jiffy">>, <<"A9B6C9A7EC268E7CF493D028F0A4C9144F59CCB878B1AFE42841597800840A1B">>},
@@ -69,7 +71,6 @@
 {<<"eredis">>, <<"7C2B54C566FED55FEEF3341CA79B0100A6348FD3F162184B7ED5118D258C3CC1">>},
 {<<"esip">>, <<"19C357E1817B1E04792EF359BF900400F3E6D0E5ADE929FD72F88EA9B44AF2ED">>},
 {<<"ezlib">>, <<"9EE62AB3F8ED55A0FD11A9569FCB8E458683F95575417272192B069F092ABFBB">>},
- {<<"fast_tls">>, <<"E65779AEFB7AB15C4755230FEF8077E687D20CC5A3984A5974F9F657E8E2485B">>},
 {<<"fast_yaml">>, <<"8DE868721BF7E2172414F7D3148EDE0F3C922B496455CD625DD5C4429515A769">>},
 {<<"idna">>, <<"92376EB7894412ED19AC475E4A86F7B413C1B9FBB5BD16DCCD57934157944CEA">>},
 {<<"jiffy">>, <<"BB61BC42A720BBD33CB09A410E48BB79A61012C74CB8B3E75F26D988485CF381">>},
diff --git a/src/ejabberd_s2s_in.erl b/src/ejabberd_s2s_in.erl
index e065f8418..c985e3afc 100644
--- a/src/ejabberd_s2s_in.erl
+++ b/src/ejabberd_s2s_in.erl
@@ -138,7 +138,7 @@ process_closed(#{server := LServer} = State, Reason) ->
 %%% xmpp_stream_in callbacks
 %%%===================================================================
 tls_options(#{tls_options := TLSOpts, lserver := LServer, server_host := ServerHost}) ->
- ejabberd_s2s:tls_options(LServer, ServerHost, TLSOpts).
+ [override_cert_purpose | ejabberd_s2s:tls_options(LServer, ServerHost, TLSOpts)].
 tls_required(#{server_host := ServerHost}) ->
 ejabberd_s2s:tls_required(ServerHost).
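Review bot: The `override_cert_purpose` atom is prepended unconditionally in `tls_options/1` with nothing explaining which check it disables, and a reader of ejabberd_s2s_in.erl cannot tell from this line that the option only exists in the fast_tls commit pinned by the same patch. Suggest a why-comment above the new line: `%% Skip the extended-key-usage (client-auth purpose) check: public CAs are dropping clientAuth from server certificates, so a remote server presenting a serverAuth-only certificate must still be able to authenticate inbound s2s (#4392).` Because the option is hardcoded there is no way for an operator to keep the purpose check; if that matters, consider gating it on a listener or s2s config option instead of always prepending it. The certificate identity match (SAN / xmppAddr against the remote domain) is presumably untouched since only the purpose is overridden, but nothing in this hunk shows that, so it is worth confirming against the pinned fast_tls commit.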