- Prosody 0.9.11
After updating luasec to luasec-0.6, s2s connections are no longer possible.
The following log entries are visible (replacing external host with XXX):
2016-11-17T12:58:23+01:00 router prosody[5962]: s2sin7ab42ba40: incoming s2s stream XXX->k8n.de closed: Your server's certificate is invalid, expired, or not trusted by k8n.de
2016-11-17T12:58:23+01:00 router prosody[5962]: s2sin7ab42ba40: Destroying incoming session XXX->k8n.de: Your server's certificate is invalid, expired, or not trusted by k8n.de
Downgrading to luasec-0.5.1 makes the connection work again:
2016-11-17T14:30:18+01:00 router prosody[15955]: x509: Cert dNSName XXX matched hostname
The affected certificates are from Let's Encrypt; currently unable to determine if only those are affected.
The involved servers are correctly returning the full chain (i.e. cert and intermediate)
Zash
Hi. What OS is this?
Changes
owner Zash
tags Status-NeedInfo
Daniel Kenzelmann
Gentoo Linux
Zash
Is OpenSSL or Libressl used? Which version?
Also consider filing an issue in Gentoo.
Daniel Kenzelmann
OpenSSL 1.0.2j
Zash
I've managed to reproduce while investigating an unrelated issue.
It appears that the remote server doesn't send a certificate. Seems to only happen with Prosody 0.9.x and LuaSec 0.6. It works with LuaSec 0.5.1 and/or Prosody 0.10.
Changes
tags Milestone-0.9 Status-Accepted
Zash
Oh, the way Prosody checks if LuaSec supports certificate validation was also broken in 0.6.
https://hg.prosody.im/0.9/file/0.9.11/core/certmanager.lua#l35 -- ssl.x509 is nil here, so Prosody doesn't ask for a client certificate, the remote server doesn't send one.
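The failure mode Zash describes, as an added illustration that is not Prosody's or LuaSec's code and does not claim to be the fix that was committed: a capability check written as "is ssl.x509 non-nil?" degrades silently when the loaded LuaSec stops attaching x509 to the ssl table, and the server then never requests the peer's certificate. The only real LuaSec facts assumed are that the module exports a version string as ssl._VERSION and that the x509 submodule can be loaded with require "ssl.x509"; the two module tables below are constructed stand-ins shaped like LuaSec 0.5.1 and 0.6, so the snippet runs without LuaSec installed.

```lua
-- Added example (not Prosody's or LuaSec's code). Shows why probing a field
-- on the ssl table is a fragile way to detect certificate-verification
-- support, and a more explicit check that does not depend on that field.

local function softreq(name)
  -- require() that returns nil instead of raising when the module is absent
  local ok, mod = pcall(require, name)
  if ok then return mod end
  return nil
end

-- Fragile detection, as in the report: when the field is absent the server
-- concludes verification is unsupported, never asks the remote for its
-- certificate, the remote therefore sends none, and the later check fails
-- with "certificate is invalid, expired, or not trusted".
local function verification_supported_fragile(ssl)
  return ssl.x509 ~= nil
end

-- Explicit detection: parse the exported version and load the submodule by
-- name, returning a reason when support is genuinely missing so that the
-- degraded state is logged rather than silently assumed.
local function verification_supported(ssl)
  local major, minor = tostring(ssl._VERSION):match("^(%d+)%.(%d+)")
  major, minor = tonumber(major), tonumber(minor)
  if not major then
    return false, "cannot parse LuaSec version " .. tostring(ssl._VERSION)
  end
  if major == 0 and minor < 5 then
    return false, "LuaSec " .. ssl._VERSION .. " predates certificate verification"
  end
  if not (ssl.x509 or softreq("ssl.x509")) then
    return false, "ssl.x509 module cannot be loaded"
  end
  return true
end

-- Constructed stand-ins (not the real modules). The same x509 table is
-- registered so that require "ssl.x509" resolves in both scenarios.
local fake_x509 = { load = function() end }
package.loaded["ssl.x509"] = fake_x509
local luasec_05 = { _VERSION = "0.5.1", x509 = fake_x509 } -- x509 reachable as a field
local luasec_06 = { _VERSION = "0.6" }                      -- x509 no longer attached

for _, ssl in ipairs({ luasec_05, luasec_06 }) do
  local fragile = verification_supported_fragile(ssl)
  local explicit, why = verification_supported(ssl)
  print(string.format("LuaSec %-5s  field probe: %-5s  explicit check: %-5s %s",
    ssl._VERSION, tostring(fragile), tostring(explicit), why or ""))
end
```

Run with any Lua 5.1+ interpreter. The field probe answers false for the 0.6-shaped table while the explicit check still answers true, which is exactly the gap that turned a LuaSec upgrade into an s2s outage: verification was not broken, it was never requested.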
Fixed in https://hg.prosody.im/0.9/rev/2a7b52437167
Thanks for the report
Hi,
I was recently pointed to https://prosody.im/doc/depends#luasec because it says "The newly released LuaSec 0.6 does not work with Prosody 0.9.x". I think this is related to this issue and the page above needs to be updated. Can someone confirm this and update the page to mention that Prosody 0.9.12 now supports LuaSec 0.6? (provided I'm not mistaken, of course).
Thanks. :)