mirror of https://github.com/processone/ejabberd synced 2025-10-03 09:49:18 +02:00

Allow s2s connections to accept client certificates that have only server purpose

Due to Google Chrome certification requirements we can expect
that in the near future there will be no certificate authority
that will issue certificates that have both server and client auth
purposes.

This change makes s2s listeners ignore cert purposes, and should
allow servers that have those new certificates to use them to
authenticate new s2s connections.

This fixes issue #4392
Pawel Chmielowski 2025-07-09 13:21:03 +02:00
parent 4694a482f4
commit 72bc9b6c7f
4 changed files with 7 additions and 6 deletions


@ -120,7 +120,7 @@ defmodule Ejabberd.MixProject do
{:dialyxir, "~> 1.2", only: [:test], runtime: false},
{:eimp, "~> 1.0"},
{:ex_doc, "~> 0.31", only: [:edoc], runtime: false},
{:fast_tls, "~> 1.1.22"},
{:fast_tls, git: "https://github.com/processone/fast_tls.git", ref: "f1e55d6d6bdf109ebc48dda880d028c95f349c3b", override: true},
{:fast_xml, git: "https://github.com/processone/fast_xml", ref: "72e1c1b2eef84804399095704f2d729d5df8f02e", override: true},
{:fast_yaml, "~> 1.0"},
{:idna, "~> 6.0"},
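Review bot: The fast_tls entry now points at a raw commit of the git repository with no comment saying why, or when it should return to a release; the same applies to the matching entry in the rebar.config section. Pinning to the full 40-character ref keeps the fetch reproducible, but judging by the lock-file section the Hex checksum entries for fast_tls appear to go away, so integrity of the TLS library would rest on the git ref alone. A short marker above the line would help whoever cuts the next release, for example `# fast_tls pinned to a commit for override_cert_purpose (issue #4392); switch back to a Hex release once one ships`. In rebar.config the `"~> 1.1.22"` constraint stays beside the commit ref, which reads as if the tagged 1.1.22 were still in use.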


@ -44,7 +44,7 @@
{esip, "~> 1.0.57", {git, "https://github.com/processone/esip", {tag, "1.0.57"}}}},
{if_var_true, zlib,
{ezlib, "~> 1.0.13", {git, "https://github.com/processone/ezlib", {tag, "1.0.13"}}}},
{fast_tls, "~> 1.1.22", {git, "https://github.com/processone/fast_tls", {tag, "1.1.22"}}},
{fast_tls, "~> 1.1.22", {git, "https://github.com/processone/fast_tls", "f1e55d6d6bdf109ebc48dda880d028c95f349c3b"}},
{fast_xml, "~> 1.1.55", {git, "https://github.com/processone/fast_xml", "72e1c1b2eef84804399095704f2d729d5df8f02e"}},
{fast_yaml, "~> 1.0.37", {git, "https://github.com/processone/fast_yaml", {tag, "1.0.37"}}},
{idna, "~> 6.0", {git, "https://github.com/benoitc/erlang-idna", {tag, "6.0.0"}}},


@ -6,7 +6,10 @@
{<<"eredis">>,{pkg,<<"eredis">>,<<"1.7.1">>},0},
{<<"esip">>,{pkg,<<"esip">>,<<"1.0.57">>},0},
{<<"ezlib">>,{pkg,<<"ezlib">>,<<"1.0.13">>},0},
{<<"fast_tls">>,{pkg,<<"fast_tls">>,<<"1.1.22">>},0},
{<<"fast_tls">>,
{git,"https://github.com/processone/fast_tls",
{ref,"f1e55d6d6bdf109ebc48dda880d028c95f349c3b"}},
0},
{<<"fast_xml">>,
{git,"https://github.com/processone/fast_xml",
{ref,"72e1c1b2eef84804399095704f2d729d5df8f02e"}},
@ -44,7 +47,6 @@
{<<"eredis">>, <<"39E31AA02ADCD651C657F39AAFD4D31A9B2F63C6C700DC9CECE98D4BC3C897AB">>},
{<<"esip">>, <<"4B14E4832D08B9FFC10D855B5D10B3083232B1D53DEB4C046679496CE85569C4">>},
{<<"ezlib">>, <<"3C7F62862850A241159C10B218ECF580BCE54D0890601B65144DACC2633BE2B0">>},
{<<"fast_tls">>, <<"44356B256AFAD4399C2FC5059A3066669DAFD8BD4E4E796C9C1CF8910DDD265E">>},
{<<"fast_yaml">>, <<"F71D472FBF787CCD161B914D1EB486116A0F4F2E835337A378FBD31B59D2E74B">>},
{<<"idna">>, <<"8A63070E9F7D0C62EB9D9FCB360A7DE382448200FBBD1B106CC96D3D8099DF8D">>},
{<<"jiffy">>, <<"A9B6C9A7EC268E7CF493D028F0A4C9144F59CCB878B1AFE42841597800840A1B">>},
@ -69,7 +71,6 @@
{<<"eredis">>, <<"7C2B54C566FED55FEEF3341CA79B0100A6348FD3F162184B7ED5118D258C3CC1">>},
{<<"esip">>, <<"19C357E1817B1E04792EF359BF900400F3E6D0E5ADE929FD72F88EA9B44AF2ED">>},
{<<"ezlib">>, <<"9EE62AB3F8ED55A0FD11A9569FCB8E458683F95575417272192B069F092ABFBB">>},
{<<"fast_tls">>, <<"E65779AEFB7AB15C4755230FEF8077E687D20CC5A3984A5974F9F657E8E2485B">>},
{<<"fast_yaml">>, <<"8DE868721BF7E2172414F7D3148EDE0F3C922B496455CD625DD5C4429515A769">>},
{<<"idna">>, <<"92376EB7894412ED19AC475E4A86F7B413C1B9FBB5BD16DCCD57934157944CEA">>},
{<<"jiffy">>, <<"BB61BC42A720BBD33CB09A410E48BB79A61012C74CB8B3E75F26D988485CF381">>},


@ -138,7 +138,7 @@ process_closed(#{server := LServer} = State, Reason) ->
%%% xmpp_stream_in callbacks
%%%===================================================================
tls_options(#{tls_options := TLSOpts, lserver := LServer, server_host := ServerHost}) ->
ejabberd_s2s:tls_options(LServer, ServerHost, TLSOpts).
[override_cert_purpose | ejabberd_s2s:tls_options(LServer, ServerHost, TLSOpts)].
tls_required(#{server_host := ServerHost}) ->
ejabberd_s2s:tls_required(ServerHost).
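Review bot: `override_cert_purpose` is prepended for every inbound s2s stream in `tls_options/1` with no comment on what the flag relaxes, and with no way for an operator to keep strict purpose checking. Per the commit description it makes the listener ignore certificate purposes; what is not visible here is whether fast_tls still enforces chain validation, and whether the domain match against the certificate is unaffected, so that should be stated next to the call. I would add something like `%% Skip only the cert purpose (EKU clientAuth) check for s2s peers; trust-chain and domain verification must still apply.` above the clause. If some deployments need the old behaviour, a listener option defaulting to the new one would be the place for it, though that goes beyond this hunk.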