#1911 Certificates defined inside virtualhost don't apply to direct tls ports
Reporter
Vito
Owner
Nobody
Created
Updated
Stars
★ (1)
Tags
Priority-Medium
Type-Defect
Status-New
Vito
on
Details:
When I define custom ssl config for a virtual host, it doesn't apply to connections on direct_tls port, such as 5223.
Reproduction:
1. Create the default self-signed certificate.
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -x509 -days 3650 -nodes -sha256 -subj '/CN=localhost' -addext 'basicConstraints=CA:false' -addext 'subjectAltName = DNS:localhost' -out default.cert.pem -keyout default.key.pem
2. Create certificate for virtual host.
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -x509 -days 3650 -nodes -sha256 -subj '/CN=prosody.test' -addext 'basicConstraints=CA:false' -addext 'subjectAltName = DNS:prosody.test, DNS:*.prosody.test' -out prosody.test.cert.pem -keyout prosody.test.key.pem
3. Create a compose.yaml file.
Insert your own keys and certificates or use the ones I provide.
services:
  prosody:
    image: "prosodyim/prosody:13.0"
    restart: always
    ports:
      - "5222:5222"
      - "5223:5223"
      - "5269:5269"
      - "5270:5270"
      - "5280:5280"
      - "5281:5281"
    volumes:
      - prosody_data:/var/lib/prosody
    configs:
      - source: ports
        target: /etc/prosody/conf.d/01-ports.cfg.lua
        mode: 0666
      - source: certs
        target: /etc/prosody/conf.d/02-certs.cfg.lua
        mode: 0666
      - source: prosody.test
        target: /etc/prosody/conf.d/90-localhost.cfg.lua
        mode: 0666
      - source: default_cert
        target: /etc/prosody/certs/default/cert.pem
        mode: 0666
      - source: default_key
        target: /etc/prosody/certs/default/key.pem
        mode: 0666
      - source: prosody_test_cert
        target: /etc/prosody/certs/prosody.test/cert.pem
        mode: 0666
      - source: prosody_test_key
        target: /etc/prosody/certs/prosody.test/key.pem
        mode: 0666
    environment:
      LOCAL: root
      DOMAIN: prosody.test
      PASSWORD: root
      PROSODY_ADMINS: root@prosody.test
      PROSODY_CERTIFICATES: /path/does/not/exist

volumes:
  prosody_data: {}

configs:
  ports:
    content: |
      c2s_ports = { 5222 }
      c2s_direct_tls_ports = { 5223 }
      s2s_ports = { 5269 }
      s2s_direct_tls_ports = { 5270 }
      http_ports = { 5280 }
      https_ports = { 5281 }
  certs:
    content: |
      ssl = {
        certificate = "/etc/prosody/certs/default/cert.pem";
        key = "/etc/prosody/certs/default/key.pem";
      }
      https_ssl = {
        certificate = "/etc/prosody/certs/default/cert.pem";
        key = "/etc/prosody/certs/default/key.pem";
      }
  prosody.test:
    content: |
      VirtualHost "prosody.test"
        ssl = {
          certificate = "/etc/prosody/certs/prosody.test/cert.pem";
          key = "/etc/prosody/certs/prosody.test/key.pem";
        }
        https_ssl = {
          certificate = "/etc/prosody/certs/prosody.test/cert.pem";
          key = "/etc/prosody/certs/prosody.test/key.pem";
        }
      Component "conference.prosody.test" "muc"
      Component "upload.prosody.test" "http_file_share"
        http_host = "prosody.test"
  default_cert:
    content: |
      -----BEGIN CERTIFICATE-----
      MIIBjTCCATOgAwIBAgIUHgRikamjjEvfFlgG8cvseqHLigwwCgYIKoZIzj0EAwIw
      FDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTI1MDMyMDAzMDQxOFoXDTM1MDMxODAz
      MDQxOFowFDESMBAGA1UEAwwJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYIKoZIzj0D
      AQcDQgAEnkOuXfiEG9RGOQD2cdtrhrhXoezQfFhqZ1yRvRwSzsSYKtYy3nuxbUM8
      2XHjCbWMkypFReE6XZsX9ZsbSFAA+KNjMGEwHQYDVR0OBBYEFP5v5zz46rklftxb
      2xTCZnbbbBNSMB8GA1UdIwQYMBaAFP5v5zz46rklftxb2xTCZnbbbBNSMAkGA1Ud
      EwQCMAAwFAYDVR0RBA0wC4IJbG9jYWxob3N0MAoGCCqGSM49BAMCA0gAMEUCIFEm
      d3YAgkJKaOqrt/6BjCOvqsekIyEothnzFXPKw3BJAiEA/ZeBwdjZoS/QBbEwCGJP
      pzhlFHfHsxL1b9EnHO71Oug=
      -----END CERTIFICATE-----
  default_key:
    content: |
      -----BEGIN PRIVATE KEY-----
      MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgSL/IsO/NndNHsHeW
      3QrAZZ76dt1uuTMO25o/aq4/jFmhRANCAASeQ65d+IQb1EY5APZx22uGuFeh7NB8
      WGpnXJG9HBLOxJgq1jLee7FtQzzZceMJtYyTKkVF4Tpdmxf1mxtIUAD4
      -----END PRIVATE KEY-----
  prosody_test_cert:
    content: |
      -----BEGIN CERTIFICATE-----
      MIIBpTCCAUygAwIBAgIUXSWcjaVe4N7DU0wsJdyvh8qbGxYwCgYIKoZIzj0EAwIw
      FzEVMBMGA1UEAwwMcHJvc29keS50ZXN0MB4XDTI1MDMyMDAzMDUwMloXDTM1MDMx
      ODAzMDUwMlowFzEVMBMGA1UEAwwMcHJvc29keS50ZXN0MFkwEwYHKoZIzj0CAQYI
      KoZIzj0DAQcDQgAEDA7YY3d8MvXehX30jR3sTIOeq8junY0a4Cw9eunxlh+JKiP1
      7A4KGKXw5vh9USv2A6/JvYDzwjGF63ReyUaRMKN2MHQwHQYDVR0OBBYEFCsWn4GY
      n8tiDGytYMT6l0JC3ffXMB8GA1UdIwQYMBaAFCsWn4GYn8tiDGytYMT6l0JC3ffX
      MAkGA1UdEwQCMAAwJwYDVR0RBCAwHoIMcHJvc29keS50ZXN0gg4qLnByb3NvZHku
      dGVzdDAKBggqhkjOPQQDAgNHADBEAiBo86SBXH7VWKse+M/7FoSkjsy6v98gLH/y
      t4U5nLXCdwIgSB+e3HX7AB4cwxLk1+oCZdZKD2my5u6KSSZN5JhLYdo=
      -----END CERTIFICATE-----
  prosody_test_key:
    content: |
      -----BEGIN PRIVATE KEY-----
      MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgUWS9uS0n2dd66Cdc
      +8ZeENLLdmtJk1YJgyzPxhCXvtKhRANCAAQMDthjd3wy9d6FffSNHexMg56ryO6d
      jRrgLD166fGWH4kqI/XsDgoYpfDm+H1RK/YDr8m9gPPCMYXrdF7JRpEw
      -----END PRIVATE KEY-----
4. Start compose project.
I use 'docker compose up --force-recreate' to test the behavior.
5. Connect to the server using the client.
Your account would be login:root@prosody.test password:root.
I use gajim to test this.
6. Test the connection with testssl.sh.
docker run --rm -it drwetter/testssl.sh -S --ip 192.168.0.1 prosody.test:5281
docker run --rm -it drwetter/testssl.sh -S --ip 192.168.0.1 --xmpphost prosody.test --starttls xmpp prosody.test:5222
docker run --rm -it drwetter/testssl.sh -S --ip 192.168.0.1 --xmpphost prosody.test prosody.test:5223
docker run --rm -it drwetter/testssl.sh -S --ip 192.168.0.1 --xmpphost prosody.test --starttls xmpp prosody.test:5269
docker run --rm -it drwetter/testssl.sh -S --ip 192.168.0.1 --xmpphost prosody.test prosody.test:5270
docker run --rm -it drwetter/testssl.sh -S --ip 192.168.0.1 prosody.test:5281
7. Test the connection with curl.
curl --connect-to prosody.test::127.0.0.1: https://prosody.test:5281/file_share/ -v -k
8. Test the connection with openssl.
openssl s_client -connect 127.0.0.1:5222 -starttls xmpp -xmpphost prosody.test -showcerts < /dev/null
openssl s_client -connect 127.0.0.1:5223 -servername prosody.test -showcerts < /dev/null
openssl s_client -connect 127.0.0.1:5269 -starttls xmpp-server -xmpphost prosody.test -showcerts < /dev/null
openssl s_client -connect 127.0.0.1:5270 -servername prosody.test -showcerts < /dev/null
openssl s_client -connect 127.0.0.1:5281 -servername prosody.test -showcerts < /dev/null
Observed behavior:
On ports 5222 and 5269, prosody responds with the correct self-signed certificate,
but on ports 5223, 5270, and 5281, prosody uses the default certificate.
Expected behavior:
Prosody should return correct certificates on direct_tls and https ports.
Additional:
Sources for this issue: https://gist.github.com/vitoyucepi/7bab622a9db24d0a0cf53502b2b3ca31
MattJ
on
Thanks for the report! Can reproduce...
Changes
tags Status-Accepted Milestone-13.0
Vito
on
I have two remarks:
1. This problem exists in 0.12.
2. It's necessary to check what happens on certificate reload.
MattJ
on
The issue is not present in 0.12 for me, so your issue may be different. I appreciate the detailed report, but it's a bit hard to follow all the docker and YAML.
I've created #1915 to track the issue I can reproduce.
Vito
on
The prosody bugtracker is not very good for tracking lots of code and long issues, so I created a github gist with the issue available at https://gist.github.com/vitoyucepi/7bab622a9db24d0a0cf53502b2b3ca31 .
Vito
on
I've redone the reproduction in the github repository. Have a look at https://github.com/vitoyucepi/prosody-issue-1911 . I added the test script using the github actions. Here's the result: https://github.com/vitoyucepi/prosody-issue-1911/actions/runs/14146213005 . As I said, the problem exists in both 13.0 and 0.12.