TLS not working, SSL works

I installed the 1.1.3 Linux installer on Red Hat 9. The server starts up fine, but experiences the same "crypto" problems reported for Debian/Ubuntu. Specifically, typing "erl", then "crypto:start()." shows that there is a problem.

I downloaded and built the latest Erlang release (from 2007-01-31). It installed fine, and the same crypto check above worked fine.

I then built ejabberd from source, and it works too. But, nothing related to TLS works. Typically, the client just hangs, and I don't even see an error message in the log (though I could just be missing something simple, sorry!).

If I switch the tls keyword to ssl, keeping it pointed to the same server.pem, then SSL legacy support works, as does https: for the web admin stuff. So, the crypto module is working (at least for SSL), and the certificate seems fine, etc.

This isn't a huge problem for me at the moment, but I hate feeling stupid, and this is definitely making me feel that, so any pointers to getting TLS working instead of the legacy SSL stuff would be _greatly_ appreciated!

Thanks in advance!

P.S. I just looked again at my conf file, and I notice that on top of the legacy SSL lines it says: "Use these two lines instead if TLS support is not compiled". Is this an ERLANG compile option, an EJABBERD one, or an operating system library question? Perhaps it's that simple, that somewhere, I didn't specify (or load) the appropriate TLS support? The box is running Postfix with TLS support, so there is "some" TLS support on there, for sure.

Just a me-too post. My

Just a me-too post. My problem is with 1.1.2 on FreeBSD 6.2. But it looks like an Erlang issue, judging from what you find. (See message 002618 on the list archive.)

Did anyone get tls or starttls to work on 1.1.2 or 1.1.3?

tls on FreeBSD

Haven't tried 6.2, but I got tls running fine under FreeBSD 6.1. (running 1.1.2 with LDAP/AD auth, jwchat, logging)
I got the erlang-lite port and built erlang from that. Installed the stable OpenSSL from ports.
I enabled SSL and TLS, but clients are connecting via TLS unless I'm being daft (can connect with 'require tls' checked, connects on 5222)
Here are my notes: (pasted in, so excuse the formatting...)
cd /etc/ejabberd

openssl req -new -x509 -newkey rsa:1024 -days 3650 -keyout privkey.pem -out server.pem
openssl rsa -in privkey.pem -out privkey.pem
cat privkey.pem >> server.pem
rm privkey.pem

Now edit your ejabberd.cfg file and specify the correct location of your server.pem:

{listen, [{5222, ejabberd_c2s, [{access, c2s}, {shaper, c2s_shaper},
                                starttls, {certfile, "/etc/ejabberd/server.pem"}]},
          {5223, ejabberd_c2s, [{access, c2s}, {shaper, c2s_shaper},
                                ssl, {certfile, "/etc/ejabberd/server.pem"}]},
          %% the remaining listeners of the file follow here, then the listen list is closed with ]}.
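One way to check which of the two listeners above is actually negotiating TLS, as an added diagnostic that is not from the thread or from ejabberd itself: the probe sends the XMPP stream header on 5222, looks for the `<starttls/>` feature and the `<proceed/>` reply, and only then starts the TLS handshake, so a listener that never answers shows up as a clear error instead of a hanging client. The host, the XMPP domain and the path to server.pem are assumed, and the certificate's CN is assumed to match the domain.

```python
# Added diagnostic (not from the thread, not ejabberd's own code). Port 5222 with
# `starttls` must offer <starttls/> inside the plain XMPP stream and answer
# <proceed/> before any TLS handshake; port 5223 with `ssl` is TLS from byte one.
import re
import socket
import ssl

def stream_header(domain: str) -> bytes:
    """Opening stream tag a client sends first on a c2s port (XMPP 1.0)."""
    return ("<?xml version='1.0'?><stream:stream to='%s' xmlns='jabber:client' "
            "xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>"
            % domain).encode()

def starttls_offered(features_xml: bytes) -> tuple:
    """(offered, required) parsed from the server's <stream:features> block."""
    text = features_xml.decode(errors="replace")
    m = re.search(r"<starttls\b[^>]*?(?:/>|>(.*?)</starttls>)", text, re.S)
    if not m:
        return (False, False)
    return (True, "<required" in (m.group(1) or ""))

def read_until(sock, marker: bytes) -> bytes:
    """Collect bytes until `marker` arrives; the socket timeout turns a silent
    listener into socket.timeout instead of an indefinite hang."""
    buf = b""
    while marker not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise RuntimeError("connection closed while waiting for %r" % marker)
        buf += chunk
    return buf

def probe_starttls(host: str, domain: str, cafile: str, port: int = 5222) -> str:
    """Negotiate STARTTLS on a c2s port and return the TLS version on success.
    `cafile` is the server.pem from the notes, so the self-signed cert verifies
    (its CN must match `domain`, which ssl also checks)."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(stream_header(domain))
        offered, _ = starttls_offered(read_until(sock, b"</stream:features>"))
        if not offered:
            raise RuntimeError("no <starttls/> offered: listener lacks `starttls`?")
        sock.sendall(b"<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>")
        if b"<proceed" not in read_until(sock, b"/>"):
            raise RuntimeError("server refused STARTTLS (check certfile and crypto)")
        ctx = ssl.create_default_context(cafile=cafile)
        with ctx.wrap_socket(sock, server_hostname=domain) as tls:
            return tls.version()
```

Run it as `probe_starttls("127.0.0.1", "example.org", "/etc/ejabberd/server.pem")`; the legacy 5223 listener can be checked with a plain `ssl` wrap of a fresh socket, since it expects no XMPP traffic before the handshake.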

re: tls on FreeBSD

Thanks! TLS works on the same machine (though not in jail). Hmm, maybe I should generate a new certificate and try again within the jail. I'll report back if that's indeed the problem. Just for the record, I am using the Erlang port (not lite), with the base OpenSSL distribution (not port) on FreeBSD 6.2, also running the 1.1.2 server. Since SSL still works, I didn't bother to try a new certificate. (I was migrating/upgrading an existing server, so I continued to use the original cert/key.)

Finally got TLS to work!

I got my hands on a new machine, running CentOS 5.0. The installer for generic Linux still fails on TLS support (for me at least).

So, I downloaded and built the latest Erlang (as above, but this time a newer release), and as before, crypto:start(). worked fine.

I downloaded and built ejabberd-1.1.3 and installed it. It did _not_ work.

I then hand-built the directory structure for the hand-built ejabberd to match the installer's directory structure exactly, substituting symlinks for each erlang file, from the new erlang install.

Finally, I copied over the installer's ejabberdctl file, since the one that comes in the tools directory of a source build doesn't have any of the added goodies.

After a few false starts and tweaks (all my errors to begin with), I now have everything running correctly. I can log in with any Jabber client with TLS, I can do s2s stuff, and I can use https _with TLS_ for admin as well.

Whew! I was really hoping to be able to use ejabberd, and now I finally can.

Here's hoping that the above will help someone else...
