Kia ora/Hello Koha community,
Over the last few months we have been upgrading the OS of our Koha, database, load balancer and VuFind servers from Debian 11 (Bullseye) to Debian 12 (Bookworm).
We have noticed two things which we thought might be helpful for others:
1) Third-party integrations using Stunnel (for example EZproxy)
fail after the OS upgrade, if the vendor's stunnel.conf file is
configured with: sslVersion = TLSv1.
You will see an error like this in your /var/log/stunnel4/stunnel.log: SSL_accept: ../ssl/t1_lib.c:3364: error:0A000076:SSL routines::no suitable signature algorithm
By default, TLSv1 is NOT considered a suitable signature algorithm in Debian Bookworm. The integration vendor needs to update their stunnel.conf to: sslVersion = TLSv1.2 and a stunnel restart is needed on their end and on the Koha end.---
2) SFTP file uploads (e.g. MARC or patron csv file uploads to Koha servers) fail if the server uploading the files is using a ssh-rsa public key.
You would see the following error in your /var/log/auth.log file,
when the uploading server accepts to connect: userauth_pubkey:
signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms
[preauth]
By default, Debian 12 does not support ssh-rsa public keys.
Fix: A new key pair needs to be generated on the uploading server
using a supported algorithm like SHA-2 or ED25519. That public key
then needs to be copied into the authorized_keys file on your
server to restore SFTP authorisation.
We hope this information helps others.
Thanks,
Alex