[Python-modules-team] Bug#933042: python3-sleekxmpp: TLSv1.0-only is incompatible with modern servers

Gerald Turner gturner at unzane.com
Fri Jul 26 01:09:27 BST 2019 

Package: python3-sleekxmpp
Version: 1.3.3-4
Severity: normal

Dear Maintainer,

After having upgraded an XMPP server (ejabberd on Debian buster)
connections from python3-sleekxmpp are failing.

ejabberd.log:

  2019-07-25 16:23:06.078 [warning] <0.627.0>@ejabberd_c2s:process_terminated:285 (tls|<0.627.0>) Failed to secure c2s connection: TLS failed: SSL_do_handshake failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol

Code within the sleekxmpp is explicitly setting TLS parameters:

  xmlstream.py line 119:

    #: Most XMPP servers support TLSv1, but OpenFire in particular
    #: does not work well with it. For OpenFire, set
    #: :attr:`ssl_version` to use ``SSLv23``::
    #:
    #:     import ssl
    #:     xmpp.ssl_version = ssl.PROTOCOL_SSLv23
    self.ssl_version = ssl.PROTOCOL_TLSv1

According to Python documentation, this probably ought to be set to
ssl.PROTOCOL_TLS (sans -v1) for widest range of compatibility, see table
at:

  https://docs.python.org/3/library/ssl.html#ssl.SSLContext

Initially I had thought about opening a bug with ejabberd since I cannot
seem to coerce it into allowing TLSv1.0 connections anymore.  However I
suppose that since it's 2019, it's time to heed these deprecation
warnings in the Python docs ;-)


-- System Information:
Debian Release: 10.0
  APT prefers stable
  APT policy: (601, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-cloud-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages python3-sleekxmpp depends on:
ii  libjs-sphinxdoc         1.8.4-1
ii  python3                 3.7.3-1
ii  python3-dnspython       1.16.0-1
ii  python3-pyasn1          0.4.2-3
ii  python3-pyasn1-modules  0.2.1-0.2

Versions of packages python3-sleekxmpp recommends:
ii  python3-dateutil                  2.7.3-3
pn  python3-gnupg                     <none>
pn  python3-socks | python3-socksipy  <none>

python3-sleekxmpp suggests no packages.

-- no debconf information

-- 
Gerald Turner <gturner at unzane.com>        Encrypted mail preferred!
OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80  3858 EC94 2276 FDB8 716D
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 962 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/python-modules-team/attachments/20190725/9c7a20d0/attachment.sig>

More information about the Python-modules-team mailing list