Details: When I define custom ssl config for a virtual host, it doesn't apply to connections on direct_tls port, such as 5223. Reproduction: 1. Create the default self-signed certificate. openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -x509 -days 3650 -nodes -sha256 -subj '/CN=localhost' -addext 'basicConstraints=CA:false' -addext 'subjectAltName = DNS:localhost' -out default.cert.pem -keyout default.key.pem 2. Create certificate for virtual host. openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -x509 -days 3650 -nodes -sha256 -subj '/CN=prosody.test' -addext 'basicConstraints=CA:false' -addext 'subjectAltName = DNS:prosody.test, DNS:*.prosody.test' -out prosody.test.cert.pem -keyout prosody.test.key.pem 3. Create a compose.yaml file. Insert your own keys and certificates or use the ones I provide. services: prosody: image: "prosodyim/prosody:13.0" restart: always ports: - "5222:5222" - "5223:5223" - "5269:5269" - "5270:5270" - "5280:5280" - "5281:5281" volumes: - prosody_data:/var/lib/prosody configs: - source: ports target: /etc/prosody/conf.d/01-ports.cfg.lua mode: 0666 - source: certs target: /etc/prosody/conf.d/02-certs.cfg.lua mode: 0666 - source: prosody.test target: /etc/prosody/conf.d/90-localhost.cfg.lua mode: 0666 - source: default_cert target: /etc/prosody/certs/default/cert.pem mode: 0666 - source: default_key target: /etc/prosody/certs/default/key.pem mode: 0666 - source: prosody_test_cert target: /etc/prosody/certs/prosody.test/cert.pem mode: 0666 - source: prosody_test_key target: /etc/prosody/certs/prosody.test/key.pem mode: 0666 environment: LOCAL: root DOMAIN: prosody.test PASSWORD: root PROSODY_ADMINS: root@prosody.test PROSODY_CERTIFICATES: /path/does/not/exist volumes: prosody_data: {} configs: ports: content: | c2s_ports = { 5222 } c2s_direct_tls_ports = { 5223 } s2s_ports = { 5269 } s2s_direct_tls_ports = { 5270 } http_ports = { 5280 } https_ports = { 5281 } certs: content: | ssl = { certificate = "/etc/prosody/certs/default/cert.pem"; key = "/etc/prosody/certs/default/key.pem"; } https_ssl = { certificate = "/etc/prosody/certs/default/cert.pem"; key = "/etc/prosody/certs/default/key.pem"; } prosody.test: content: | VirtualHost "prosody.test" ssl = { certificate = "/etc/prosody/certs/prosody.test/cert.pem"; key = "/etc/prosody/certs/prosody.test/key.pem"; } https_ssl = { certificate = "/etc/prosody/certs/prosody.test/cert.pem"; key = "/etc/prosody/certs/prosody.test/key.pem"; } Component "conference.prosody.test" "muc" Component "upload.prosody.test" "http_file_share" http_host = "prosody.test" default_cert: content: | -----BEGIN CERTIFICATE----- MIIBjTCCATOgAwIBAgIUHgRikamjjEvfFlgG8cvseqHLigwwCgYIKoZIzj0EAwIw FDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTI1MDMyMDAzMDQxOFoXDTM1MDMxODAz MDQxOFowFDESMBAGA1UEAwwJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYIKoZIzj0D AQcDQgAEnkOuXfiEG9RGOQD2cdtrhrhXoezQfFhqZ1yRvRwSzsSYKtYy3nuxbUM8 2XHjCbWMkypFReE6XZsX9ZsbSFAA+KNjMGEwHQYDVR0OBBYEFP5v5zz46rklftxb 2xTCZnbbbBNSMB8GA1UdIwQYMBaAFP5v5zz46rklftxb2xTCZnbbbBNSMAkGA1Ud EwQCMAAwFAYDVR0RBA0wC4IJbG9jYWxob3N0MAoGCCqGSM49BAMCA0gAMEUCIFEm d3YAgkJKaOqrt/6BjCOvqsekIyEothnzFXPKw3BJAiEA/ZeBwdjZoS/QBbEwCGJP pzhlFHfHsxL1b9EnHO71Oug= -----END CERTIFICATE----- default_key: content: | -----BEGIN PRIVATE KEY----- MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgSL/IsO/NndNHsHeW 3QrAZZ76dt1uuTMO25o/aq4/jFmhRANCAASeQ65d+IQb1EY5APZx22uGuFeh7NB8 WGpnXJG9HBLOxJgq1jLee7FtQzzZceMJtYyTKkVF4Tpdmxf1mxtIUAD4 -----END PRIVATE KEY----- prosody_test_cert: content: | -----BEGIN CERTIFICATE----- MIIBpTCCAUygAwIBAgIUXSWcjaVe4N7DU0wsJdyvh8qbGxYwCgYIKoZIzj0EAwIw FzEVMBMGA1UEAwwMcHJvc29keS50ZXN0MB4XDTI1MDMyMDAzMDUwMloXDTM1MDMx ODAzMDUwMlowFzEVMBMGA1UEAwwMcHJvc29keS50ZXN0MFkwEwYHKoZIzj0CAQYI KoZIzj0DAQcDQgAEDA7YY3d8MvXehX30jR3sTIOeq8junY0a4Cw9eunxlh+JKiP1 7A4KGKXw5vh9USv2A6/JvYDzwjGF63ReyUaRMKN2MHQwHQYDVR0OBBYEFCsWn4GY n8tiDGytYMT6l0JC3ffXMB8GA1UdIwQYMBaAFCsWn4GYn8tiDGytYMT6l0JC3ffX MAkGA1UdEwQCMAAwJwYDVR0RBCAwHoIMcHJvc29keS50ZXN0gg4qLnByb3NvZHku dGVzdDAKBggqhkjOPQQDAgNHADBEAiBo86SBXH7VWKse+M/7FoSkjsy6v98gLH/y t4U5nLXCdwIgSB+e3HX7AB4cwxLk1+oCZdZKD2my5u6KSSZN5JhLYdo= -----END CERTIFICATE----- prosody_test_key: content: | -----BEGIN PRIVATE KEY----- MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgUWS9uS0n2dd66Cdc +8ZeENLLdmtJk1YJgyzPxhCXvtKhRANCAAQMDthjd3wy9d6FffSNHexMg56ryO6d jRrgLD166fGWH4kqI/XsDgoYpfDm+H1RK/YDr8m9gPPCMYXrdF7JRpEw -----END PRIVATE KEY----- 4. Start compose project. I use 'docker compose up --force-recreate' to test the behavior. 5. Connect to the server using the client. Your account would be login:root@prosody.test password:root. I use gajim to test this. 6. Test the connection with testssl.sh. docker run --rm -it drwetter/testssl.sh -S --ip 192.168.0.1 prosody.test:5281 docker run --rm -it drwetter/testssl.sh -S --ip 192.168.0.1 --xmpphost prosody.test --starttls xmpp prosody.test:5222 docker run --rm -it drwetter/testssl.sh -S --ip 192.168.0.1 --xmpphost prosody.test prosody.test:5223 docker run --rm -it drwetter/testssl.sh -S --ip 192.168.0.1 --xmpphost prosody.test --starttls xmpp prosody.test:5269 docker run --rm -it drwetter/testssl.sh -S --ip 192.168.0.1 --xmpphost prosody.test prosody.test:5270 docker run --rm -it drwetter/testssl.sh -S --ip 192.168.0.1 prosody.test:5281 7. Test the connection with curl. curl --connect-to prosody.test::127.0.0.1: https://prosody.test:5281/file_share/ -v -k 8. Test the connection with openssl. openssl s_client -connect 127.0.0.1:5222 -starttls xmpp -xmpphost prosody.test -showcerts < /dev/null openssl s_client -connect 127.0.0.1:5223 -servername prosody.test -showcerts < /dev/null openssl s_client -connect 127.0.0.1:5269 -starttls xmpp-server -xmpphost prosody.test -showcerts < /dev/null openssl s_client -connect 127.0.0.1:5270 -servername prosody.test -showcerts < /dev/null openssl s_client -connect 127.0.0.1:5281 -servername prosody.test -showcerts < /dev/null Observed behavior: On ports 5222 and 5269, prosody responds with the correct self-signed certificate, but on ports 5223, 5270, and 5281, prosody uses the default certificate. Expected behavior: Prosody should return correct certificates on direct_tls and https ports. Additional: Sources for this issue: https://gist.github.com/vitoyucepi/7bab622a9db24d0a0cf53502b2b3ca31

Thanks for the report! Can reproduce...

• tags Status-Accepted Milestone-13.0

I have two remarks: 1. This problem exists in 0.12. 2. It's necessary to check what happens on certificate reload.

The issue is not present in 0.12 for me, so your issue may be different. I appreciate the detailed report, but it's a bit hard to follow all the docker and YAML. I've created #1915 to track the issue I can reproduce.

• tags Milestone-13.0 Status-Accepted Status-New

The prosody bugtracker is not very good for tracking lots of code and long issues, so I created a github gist with the issue available at https://gist.github.com/vitoyucepi/7bab622a9db24d0a0cf53502b2b3ca31 .

I've redone the reproduction in the github repository. Have a look at https://github.com/vitoyucepi/prosody-issue-1911 . I added the test script using the github actions. Here's the result: https://github.com/vitoyucepi/prosody-issue-1911/actions/runs/14146213005 . As I said, the problem exists in both 13.0 and 0.12.