[xmppd-dev] Dialback to gmail.com fails: DH prime sent by server is too short
Petr Pisar
petr.pisar at atlas.cz
Wed Feb 25 14:24:43 CET 2009
Hello,
I've been using the jabberd-1.6.1.1 server (with the compatibility patch for newer
GnuTLS) successfully for a long time.
Since 2009-02-20T23:33:20, I see the following repeating errors:
(s2s): Denying peer to use the domain gmail.com. Dialback failed (timeout):
<db:result xmlns:db='jabber:server:dialback' to='gmail.com'
from='bay-rout.ics.muni.cz' type='invalid'/>
and then a bunch of errors:
(gmail.com): bouncing a packet to x@gmail.com from
y@bay-rout.ics.muni.cz/centerimD9F45F51: Failed to deliver stanza to
other server while connected to other host: 209.85.163.125:5269: Connected
/ 209.85.201.125:5269: Connected / 209.85.201.125:5269: Connected
/ 209.85.163.125:5269: Connected / 209.85.163.125:5269: Connected
While debugging I discovered that the right reason is:
mio_tls.cc:1184 TLS handshake failed for fd #17: The Diffie Hellman prime sent
by the server is not acceptable (not long enough).
So I guess the Google guys lowered the Diffie-Hellman prime too low for my GnuTLS.
I tried to adjust the TLS configuration for this host using <host name="gmail.com"
tls="128"/> and other numbers, but it did not help. The only thing which
helped was to switch off TLS for gmail.com completely: <host name="gmail.com"
tls="no"/>.
Thus I guess I found two bugs:
(1) The server logs that dialback from the other server timed out. But the real reason
is that the TLS negotiation failed and the failed connection was not closed, thus it
warns about a lot of opened connections.
(2) The server doesn't honor a numeric host@tls value.
-- Petr