ejabberd - Comments for "TSL Connect Failure"

Noust 64 bit

Mahlon E. Smith — Mon, 21 Apr 2008 14:39:36 +0000

I'm seeing the problem with 32 bit as well. Erlang 12b2.

Erlang issue?

mikechoo — Wed, 27 Feb 2008 03:58:56 +0000

I think i might have isolated the issue.
Those that didn't work are on Erlang 12, the one that worked in on Erlang 11

Have not managed to verify for sure.

same problem on FreeBSD

mikechoo — Fri, 04 Jan 2008 16:47:26 +0000

I use FreeBSD 6.2 AMD64 (64 bit version) and I have the same issues.
I cannot use TLS or STARTTL, same issue as discussed here. When using STARTTLS, I can connect once, and after the client disconnects, I cannot connect again without restarting ejabberd.

The same config worked fine on FreeBSD 6.2 I386 (32 bit version).
In fact I migrated my working ejabberd configuration files from the 32bit version over the 64bit version.

So it's not a config file issue, something is broken with SSL on 64bit platforms.

Problem reading tls_drv.so

mfoss — Wed, 21 Nov 2007 17:41:18 +0000

dirkniblick wrote:

The ejabberd.cfg is as follows:

Am I doing something wrong here?

The syntax of your config file seems correct. For that reason ejabberd can start correctly.

I installed ejabberd svn, created a certificate and everything worked fine. Then, I started to delete files, change permissions, and I annotated the error messages reported by ejabberd. Here they are:

If the pem file does not exist:

** Reason for termination =
** {{badmatch,{error,"SSL_CTX_use_certificate_file failed: error:02001002:system library:fopen:No such file or directory"}},
    [{ejabberd_socket,starttls,3},
     {ejabberd_c2s,wait_for_feature_request,2},
     {gen_fsm,handle_msg,7},
     {proc_lib,init_p,5}]}

If the permissions to read the pem file are insufficient:

** Reason for termination =
** {{badmatch,{error,"SSL_CTX_use_certificate_file failed: error:0200100D:system library:fopen:Permission denied"}},
    [{ejabberd_socket,starttls,3},
     {ejabberd_c2s,wait_for_feature_request,2},
     {gen_fsm,handle_msg,7},
     {proc_lib,init_p,5}]}

If the pem file doesn't have the correct format:

** Reason for termination =
** {{badmatch,{error,"SSL_CTX_use_certificate_file failed: error:0906D06C:PEM routines:PEM_read_bio:no start line"}},
    [{ejabberd_socket,starttls,3},
     {ejabberd_c2s,wait_for_feature_request,2},
     {gen_fsm,handle_msg,7},
     {proc_lib,init_p,5}]}

** Reason for termination =
** {{badmatch,{error,"SSL_CTX_use_certificate_file failed: error:0906D066:PEM routines:PEM_read_bio:bad end line"}},
    [{ejabberd_socket,starttls,3},
     {ejabberd_c2s,wait_for_feature_request,2},
     {gen_fsm,handle_msg,7},
     {proc_lib,init_p,5}]}

** Reason for termination =
** {{badmatch,{error,"SSL_CTX_use_PrivateKey_file failed: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag"}},
    [{ejabberd_socket,starttls,3},
     {ejabberd_c2s,wait_for_feature_request,2},
     {gen_fsm,handle_msg,7},
     {proc_lib,init_p,5}]}

If the tls_drv.so is not readable (doesn't exist, or has wrong file read permission):

** Reason for termination =
** {{case_clause,{error,{open_error,-10}}},
    [{tls,tcp_to_tls,2},
     {ejabberd_socket,starttls,3},
     {ejabberd_c2s,wait_for_feature_request,2},
     {gen_fsm,handle_msg,7},
     {proc_lib,init_p,5}]}

dirkniblick wrote:

I have created a new cert (newserver.pem) and migrated my data to a MySQL database. The server starts up just fine but I am getting a different error when clients try to connect:

=CRASH REPORT==== 15-Nov-2007::14:59:55 ===
  crasher:
    pid: <0.312.0>
    registered_name: []
    error_info: {{case_clause,{error,{open_error,-10}}},
                  [{tls,tcp_to_tls,2},
                   {ejabberd_c2s,wait_for_feature_request,2},
                   {gen_fsm,handle_msg,7},
                   {proc_lib,init_p,5}]}

As you can see, the problem is probably that tls_drv.so is not readable.

I think we already tried all the possibilities, and that you are doing the things correctly. So the problem may be a bug in the installer, or an incompatibility with your operating system or system libraries.

I've reported this issue in the bug tracher: open_error in 64bit installer when client logs using starttls. Once the problem is inspected, maybe there is a new solution that you should try to verify if it solves the problem.

Above???

dirkniblick — Fri, 16 Nov 2007 14:34:13 +0000

Check out my reply that's probably up above titled "More Help?". I've pasted my entire config and a different error.

Syntax error in ejabberd.cfg

mfoss — Fri, 16 Nov 2007 10:42:57 +0000

dirkniblick wrote:

This is the error that appears in logs/sasl.log:

=CRASH REPORT==== 13-Nov-2007::10:30:30 ===
  crasher:
    pid: <0.36.0>
    registered_name: []
    error_info: {bad_return,{{ejabberd_app,start,[normal,[]]},
                              {'EXIT',["118",
                                       58,
                                       32,
                                       ["syntax error before: ",["'{'"]]]}}}
    initial_call: {application_master,
                     init,
                     [<0.5.0>,
                      <0.35.0>,

Does the "syntax error" refer to the config file? ...or somewhere else?

Yes, the error message is probably related to a syntax error in ejabberd.cfg. I see a similar message if I put:

  {5223, ejabberd_c2s,     [{access, c2s} {max_stanza_size, 65536}]},

Note that in this example, I removed a comma after 'c2s}'. The small pieces of config you pasted here are correct. The syntax error may be were you put those lines.

More help?

dirkniblick — Thu, 15 Nov 2007 21:07:33 +0000

I have created a new cert (newserver.pem) and migrated my data to a MySQL database. The server starts up just fine but I am getting a different error when clients try to connect:

=CRASH REPORT==== 15-Nov-2007::14:59:55 ===
  crasher:
    pid: <0.312.0>
    registered_name: []
    error_info: {{case_clause,{error,{open_error,-10}}},
                  [{tls,tcp_to_tls,2},
                   {ejabberd_c2s,wait_for_feature_request,2},
                   {gen_fsm,handle_msg,7},
                   {proc_lib,init_p,5}]}
    initial_call: {gen,init_it,
                      [gen_fsm,
                       <0.235.0>,
                       self,
                       ejabberd_c2s,
                       [{gen_tcp,#Port<0.321>},
                        [{access,c2s},
                         {max_stanza_size,65536},
                         {shaper,c2s_shaper},
                         starttls,
                         {certfile,"/opt/ejabberd-1.1.4/conf/newserver.pem"}]],
                       []]}
    ancestors: [<0.235.0>,ejabberd_listeners,ejabberd_sup,<0.37.0>]
    messages: []
    links: []
    dictionary: []
    trap_exit: false
    status: running
    heap_size: 987
    stack_size: 21
    reductions: 1295
  neighbours:

The ejabberd.cfg is as follows:

{acl, admin, {user, "admin"}}.
{acl, local, {user_regexp, ""}}.
{access, pubsub_createnode, [{allow, all}]}.
{access, configure, [{allow, admin}]}.
{access, register, [{allow, all}]}.
{welcome_message, none}.
{access, announce, [{allow, admin}]}.
{access, c2s, [{deny, blocked},
               {allow, all}]}.
{shaper, normal, {maxrate, 1000}}.
{shaper, fast, {maxrate, 50000}}.
{access, c2s_shaper, [{none, admin},
                      {normal, all}]}.
{access, s2s_shaper, [{fast, all}]}.
{access, muc_admin, [{allow, admin}]}.
{access, muc, [{allow, all}]}.
{access, local, [{allow, local}]}.
{hosts, ["j2.alegent.org"]}.
{max_user_sessions, 10}.
{auth_method, odbc}.
{odbc_server, {mysql, "localhost", "ejabberd", "ejabberd", "XMPP"}}.
{language, "en"}.
{listen, [
{5222, ejabberd_c2s,     [{access, c2s}, {max_stanza_size, 65536}, {shaper, c2s_shaper}, starttls, {certfile, "/opt/ejabberd-1.1.4/conf/newserver.pem"}]},
{5223, ejabberd_c2s,     [{access, c2s}, {max_stanza_size, 65536}, {shaper, c2s_shaper}, tls, {certfile, "/opt/ejabberd-1.1.4/conf/newserver.pem"}]},
{5280, ejabberd_http,    [http_poll, web_admin, tls, {certfile, "/opt/ejabberd-1.1.4/conf/newserver.pem"}]}
  ]}.
{outgoing_s2s_port, 5269}.
{modules,
 [
  {mod_register,   [{access, register}]},
  {mod_roster_odbc,     []},
  {mod_privacy,    []},
  {mod_adhoc,      []},
  {mod_configure,  []}, % Depends on mod_adhoc
  {mod_configure2, []},
  {mod_disco,      []},
  {mod_stats,      []},
  {mod_vcard_odbc,      [{search, true}, {matches, infinity}, {allow_return_all, true}]},
  {mod_offline_odbc,    []},
  {mod_announce,   [{access, announce}]}, % Depends on mod_adhoc
  {mod_echo,       [{host, "echo.j2.alegent.org"}]},
  {mod_private,    []},
  {mod_muc,        [{access, muc}, {access_create, muc}, {access_admin, muc_admin}, {history_size, 10}]},
  {mod_shared_roster, []},
  {mod_pubsub,     [{access_createnode, pubsub_createnode}]},
  {mod_time,       []},
  {mod_last_odbc,       []},
  {mod_version,    []}
 ]}.

Am I doing something wrong here?

This is the error that

dirkniblick — Tue, 13 Nov 2007 16:39:04 +0000

This is the error that appears in logs/sasl.log:

=CRASH REPORT==== 13-Nov-2007::10:30:30 ===
  crasher:
    pid: <0.36.0>
    registered_name: []
    error_info: {bad_return,{{ejabberd_app,start,[normal,[]]},
                              {'EXIT',["118",
                                       58,
                                       32,
                                       ["syntax error before: ",["'{'"]]]}}}
    initial_call: {application_master,
                     init,
                     [<0.5.0>,
                      <0.35.0>,
                      {appl_data,
                          ejabberd,
                          [ejabberd,
                           ejabberd_sup,
                           ejabberd_auth,
                           ejabberd_router,
                           ejabberd_sm,
                           ejabberd_s2s,
                           ejabberd_local,
                           ejabberd_listeners,
                           ejabberd_iq_sup,
                           ejabberd_service_sup,
                           ejabberd_s2s_out_sup,
                           ejabberd_s2s_in_sup,
                           ejabberd_c2s_sup,
                           ejabberd_mod_roster,
                           ejabberd_mod_echo,
                           ejabberd_mod_pubsub,
                           ejabberd_mod_irc,
                           ejabberd_mod_muc,
                           ejabberd_offline,
                           random_generator],
                          undefined,
                          {ejabberd_app,[]},
                          [acl,
                           configure,
                           cyrsasl,
                           cyrsasl_digest,
                           cyrsasl_plain,
                           ejabberd,
                           ejabberd_app,
                           ejabberd_auth,
                           ejabberd_c2s,
                           ejabberd_config,
                           ejabberd_listener,
                           ejabberd_logger_h,
                           ejabberd_local,
                           ejabberd_router,
                           ejabberd_s2s,
                           ejabberd_s2s_in,
                           ejabberd_s2s_out,
                           ejabberd_service,
                           ejabberd_sm,
                           ejabberd_sup,
                           ejabberd_tmp_sup,
                           gen_iq_handler,
                           gen_mod,
                           jd2ejd,
                           jlib,
                           mod_configure,
                           mod_disco,
                           mod_echo,
                           mod_last,
                           mod_offline,
                           mod_private,
                           mod_register,
                           mod_roster,
                           mod_stats,
                           mod_time,
                           mod_vcard,
                           mod_version,
                           randoms,
                           sha,
                           shaper,
                           translate,
                           xml,
                           xml_stream],
                          [],
                          infinity,
                          infinity},
                      normal]}
    ancestors: [<0.35.0>]
    messages: []
    links: [<0.35.0>,<0.37.0>,<0.5.0>]
    dictionary: []
    trap_exit: true
    status: running
    heap_size: 610
    stack_size: 21
    reductions: 99
  neighbours:

Does the "syntax error" refer to the config file? ...or somewhere else? As far as the installer goes, I used the one here...
http://www.process-one.net/downloads/ejabberd/1.1.4/ejabberd-1.1.4_2-lin...
...which I would assume is for a 64-bit server. Here is the ls you asked for showing the tls_drv.so:

[root@tardis ejabberd-1.1.4]# ls /opt/ejabberd-1.1.4/lib/ejabberd-1.1.4/priv/linux-amd64/lib/
ejabberd_zlib_drv.so  expat_erl.so  iconv_erl.so  stringprep_drv.so  tls_drv.so

As far as the cert goes, it works okay with SSL so I would think it would work for TLS. Maybe not so I'll try to create a new one but maybe the error above can shed some light on my problem who's more familiar with the working of ejabberd. Thanks for your help.

Three possible errors

mfoss — Tue, 13 Nov 2007 08:24:26 +0000

dirkniblick wrote:

If I configure the port like you said...

{5222, ejabberd_c2s, [{access, c2s}, {max_stanza_size, 65536}, {shaper, c2s_shaper}, starttls, {certfile, "/opt/ejabberd-1.1.4/conf/server.pem"}]},

...and my clients get "Read Error" when they try to connect.

My question is: How do I find out what is wrong with the "starttls" potion of ejabberd and what I can I do to fix it?

You didn't mention what error messages report ejabberd when you set 'starttls'.

With the information you provided, I consider several possibilities to explain the error:

You mention 'Red Hat Enterprise Linux 5 x64', and you installed 'the Linux .bin file'. Since ejabberd includes some binary drivers, they must be compiled to your CPU architecture. Did you use the correct installer? If you have a i386 or a x64 Linux, use the correct installer.
There could be a bug in the installer, and the file tls_drv.so is not installed in the correct path, or is not installed at all. Can you check if it is in the directory, with the other drivers?
```
$ ls /opt/ejabberd-1.1.4/lib/ejabberd-1.1.4/priv/linux-x86/lib
ejabberd_zlib_drv.so  expat_erl.so  iconv_erl.so  stringprep_drv.so  tls_drv.so
```
Maybe the cert file is not readable: a wrong path is specified in the config, or the file permissions are not apropiate. Since it was generated by the installer, this would be a bug in it.

Problem persists

dirkniblick — Mon, 12 Nov 2007 20:02:43 +0000

I wasn't trying to make weird experiments but was only trying anything I could think of to get the server to work. Here's what I see happening. If I configure the port like this (unmodified from the sample config)...

{5222, ejabberd_c2s, [{access, c2s}, {max_stanza_size, 65536}, {shaper, c2s_shaper}]},

...my clients can connect. If I configure the port like you said...

{5222, ejabberd_c2s, [{access, c2s}, {max_stanza_size, 65536}, {shaper, c2s_shaper}, starttls, {certfile, "/opt/ejabberd-1.1.4/conf/server.pem"}]},

...and my clients get "Read Error" when they try to connect. If I change it slightly to...

{5222, ejabberd_c2s, [{access, c2s}, {max_stanza_size, 65536}, {shaper, c2s_shaper}, ssl, {certfile, "/opt/ejabberd-1.1.4/conf/server.pem"}]},

...and change my clients to use SSL, they connect just fine. My question is: How do I find out what is wrong with the "starttls" potion of ejabberd and what I can I do to fix it?

Summary of STARTTLS, TLS and SSL options.

mfoss — Mon, 12 Nov 2007 11:05:57 +0000

dirkniblick wrote:

I have been successful in configuring ejabberd in every way except using the TSL connection at all. I have been able to connect via SSL on port 5222 and 5223 with Linux and Windows versions of Pidgin. If I configure port 5222 (or any other port for that matter) like so...

Jabber/XMPP propose three encryption methods:

plain
SSL: old, defined in Jabber several years ago
STARTTLS, also called TLS: a reworked method, similar to the old SSL, but better.

As defined in ejabberd Guide, ejabberd allows those options when defining a listening socket:

nothing
starttls: This option specifies that STARTTLS encryption is available on connections to the port.
starttls_required: This option specifies that STARTTLS encryption is required on connections to the port. No unencrypted connections will be allowed.
ssl: This option specifies that traffic on the port will be encrypted using SSL.
tls: This option specifies that traffic on the port will be encrypted using SSL immediately after connecting.

As you can see, the option 'tls' in ejabberd is used to set a SSL connection, not STARTTLS. This obviously leads to confusion. However, ejabberd.cfg.example is quite clear to this respect:

{listen,
 [{5222, ejabberd_c2s,     [{access, c2s}, {shaper, c2s_shaper},
			    {max_stanza_size, 65536},
			    starttls, {certfile, "./ssl.pem"}]},
  {5223, ejabberd_c2s,     [{access, c2s},
			    {max_stanza_size, 65536},
			    tls, {certfile, "./ssl.pem"}]},

  % Use these two lines instead if TLS support is not compiled
  %{5222, ejabberd_c2s,     [{access, c2s}, {shaper, c2s_shaper}]},
  %{5223, ejabberd_c2s,     [{access, c2s}, ssl, {certfile, "./ssl.pem"}]},

Please follow this example and don't make weird experiments like putting 'tls' in the port 5222. Probably that will solve your problem.