Hi

I have a setup where ejabberd runs with TLS and authenticates users to LDAP over TLS too. When switching from security/openssl to security/libressl, the server builds fine but does not start:

--------------------------8<--------------------------
2017-12-13 09:59:57.769 [info] <0.14018.0> Application ssl started on node ejabberd@localhost
2017-12-13 09:59:57.788 [info] <0.14018.0> Application p1_utils started on node ejabberd@localhost
2017-12-13 09:59:57.820 [info] <0.14018.0> Application fast_yaml started on node ejabberd@localhost
2017-12-13 09:59:57.842 [error] <0.14129.0>@erl_ddll:format_error:239 CRASH REPORT Process <0.14129.0> with 0 neighbours exited with reason: bad argument in call to erl_ddll:format_error_int({load_failed,"Failed to load NIF library: '/usr/local/lib/erlang/lib/ejabberd-17.09/lib/fast_tls..."}) in erl_ddll:format_error/1 line 239
2017-12-13 09:59:57.843 [error] <0.14128.0>@erl_ddll:format_error:239 Supervisor fast_tls_sup had child fast_tls started with fast_tls:start_link() at undefined exit with reason bad argument in call to erl_ddll:format_error_int({load_failed,"Failed to load NIF library: '/usr/local/lib/erlang/lib/ejabberd-17.09/lib/fast_tls..."}) in erl_ddll:format_error/1 line 239 in context start_error
2017-12-13 09:59:57.843 [error] <0.14126.0> CRASH REPORT Process <0.14126.0> with 0 neighbours exited with reason: {{shutdown,{failed_to_start_child,fast_tls,{badarg,[{erl_ddll,format_error_int,[{load_failed,"Failed to load NIF library: '/usr/local/lib/erlang/lib/ejabberd-17.09/lib/fast_tls-1.0.16/priv/lib/fast_tls.so: Undefined symbol \"OPENSSL_cleanup\"'"}],[]},{erl_ddll,format_error,1,[{file,"erl_ddll.erl"},{line,239}]},{fast_tls,load_nif,1,[{file,"src/fast_tls.erl"},{line,444}]},{fast_tls,init,1,[{file,"src/fast_tls.erl"},{line,89}]},{gen_server,init_it,6,[{file,"gen_server.erl"},{line,328}]},{proc_lib,...}]}}},...} in application_master:init/4 line 134
2017-12-13 09:59:57.844 [critical] <0.14049.0>@ejabberd:exit_or_halt:131
failed to start application 'fast_tls': {error, {{shutdown, {failed_to_start_child,fast_tls, {badarg, [{erl_ddll,format_error_int, [{load_failed, "Failed to load NIF library: '/usr/local/lib/erlang/lib/ejabberd-17.09/lib/fast_tls-1.0.16/priv/lib/fast_tls.so: Undefined symbol \"OPENSSL_cleanup\"'"}], []}, {erl_ddll,format_error,1, [{file,"erl_ddll.erl"}, {line,239}]}, {fast_tls,load_nif,1, [{file,"src/fast_tls.erl"}, {line,444}]}, {fast_tls,init,1, [{file,"src/fast_tls.erl"}, {line,89}]}, {gen_server,init_it,6, [{file,"gen_server.erl"}, {line,328}]}, {proc_lib,init_p_do_apply,3, [{file,"proc_lib.erl"}, {line,247}]}]}}}, {fast_tls_app,start,[normal,[]]}}}
2017-12-13 09:59:57.844 [info] <0.14018.0> Application fast_tls exited with reason: {{shutdown,{failed_to_start_child,fast_tls,{badarg,[{erl_ddll,format_error_int,[{load_failed,"Failed to load NIF library: '/usr/local/lib/erlang/lib/ejabberd-17.09/lib/fast_tls-1.0.16/priv/lib/fast_tls.so: Undefined symbol \"OPENSSL_cleanup\"'"}],[]},{erl_ddll,format_error,1,[{file,"erl_ddll.erl"},{line,239}]},{fast_tls,load_nif,1,[{file,"src/fast_tls.erl"},{line,444}]},{fast_tls,init,1,[{file,"src/fast_tls.erl"},{line,89}]},{gen_server,init_it,6,[{file,"gen_server.erl"},{line,328}]},{proc_lib,...}]}}},...}
--------------------------8<--------------------------

I tried different versions of the fast_tls dependency and got the following results:

1.0.17 - Does not start (Undefined symbol "OPENSSL_cleanup")
1.0.16 - Does not start (Undefined symbol "OPENSSL_cleanup") (version currently packaged)
1.0.15 - Does not start (Undefined symbol "OPENSSL_cleanup")
1.0.14 - Does not start (Undefined symbol "OPENSSL_cleanup")
1.0.13 - Does not start (Undefined symbol "OPENSSL_cleanup")
1.0.12 - OK
1.0.11 - OK
1.0.10 - OK
1.0.9 - OK
1.0.8 - Not tested (Not supported according to CHANGELOG)

Can you please consider repackaging ejabberd dependencies with an older version of fast_tls while a fix is being worked on?
D'oh, a fix was committed a few days ago:
https://github.com/processone/fast_tls/commit/a2b2154d11280becbf3077e62f7b5621d52b54fd

There was no release including this fix yet, but I am currently running on top of master and everything looks fine!
(In reply to Romain Tartière from comment #1) Let me try updating ejabberd to 17.11 including that fast_tls diff. Thanks for letting me know.
Created attachment 189012
Update diff to 17.11

- Update to 17.11
- Add a diff from master to make it work with LibreSSL
- Add a diff from master to fix a bug in ejabberd_pix module
- Fix kqueue implementation in fs dependency module (needs to be pushed upstream)
(In reply to Romain Tartière from comment #1)

Hi,

Could you try the diff in attachment 189012 to see if it works for you? Also, if you can provide feedback with their LE support[1], that will be great. I'm traveling, and will commit it around December 27, or so.

[1] https://github.com/processone/ejabberd/pull/1959

Thanks!
Hi!

I have just recompiled all my ports with an up-to-date ports tree and your patch and updated everything. It looks like ejabberd is performing well :-)

- Users can authenticate against the LDAP server;
- Users can communicate with each other.

So for me, everything is fine, thanks!

Regarding your request concerning Let's Encrypt support, I do not currently use this. Have you something specific in mind in respect to this?
(In reply to Romain Tartière from comment #5) For some reason, I thought you use it. If you don't use it, or don't have a use-case, then no worries. Thank you for the confirmation. I'll commit it, when I get back.
Oh, okay :-) I didn't know about this Let's Encrypt module, and it would definitely make sense in my setup, so be assured I will have a look at this at some point in the future (after new year holiday). Thank you for the pointer!
A commit references this bug:

Author: ashish
Date: Tue Dec 26 21:28:37 UTC 2017
New revision: 457315
URL: https://svnweb.freebsd.org/changeset/ports/457315

Log:
  - Update to 17.11
  - Add a fix from upstream to make it work with LibreSSL[1]
  - Add a bug fix from upstream w.r.t. ejabberd_pix module
  - Add a fix for kqueue implementation in 'fs' dependency module
  - Remove FreeBSD sed workaround

  PR: 224320 [1]
  Submitted by: romain [1]

Changes:
  head/net-im/ejabberd/Makefile
  head/net-im/ejabberd/distinfo
  head/net-im/ejabberd/files/patch-Makefile.in
  head/net-im/ejabberd/files/patch-deps_fast__tls_c__src_fast__tls.c
  head/net-im/ejabberd/files/patch-deps_fs_c__src_bsd_main.c
  head/net-im/ejabberd/files/patch-deps_fs_src_sys_kqueue.erl
  head/net-im/ejabberd/files/patch-ejabberdctl.template
  head/net-im/ejabberd/files/patch-src_ejabberd__pkix.erl
  head/net-im/ejabberd/files/pkg-install.in
  head/net-im/ejabberd/pkg-plist
(In reply to Romain Tartière from comment #7) I have tested it with one of my domain names, and it seems to work as expected (at least initial certificate procurement part). Also thanks, committed the update.