#1911 Certificates defined inside a VirtualHost don't apply to direct TLS ports

Reporter Vito
Owner Nobody
Created
Updated
Stars ★ (1)
Tags
  • Priority-Medium
  • Type-Defect
  • Status-New
  1. Vito on

    Details: When I define a custom ssl config for a virtual host, it doesn't apply to connections on the direct_tls port, such as 5223.

    Reproduction:

    1. Create the default self-signed certificate.

        openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -x509 -days 3650 -nodes -sha256 \
          -subj '/CN=localhost' -addext 'basicConstraints=CA:false' -addext 'subjectAltName = DNS:localhost' \
          -out default.cert.pem -keyout default.key.pem

    2. Create the certificate for the virtual host.

        openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -x509 -days 3650 -nodes -sha256 \
          -subj '/CN=prosody.test' -addext 'basicConstraints=CA:false' \
          -addext 'subjectAltName = DNS:prosody.test, DNS:*.prosody.test' \
          -out prosody.test.cert.pem -keyout prosody.test.key.pem

    3. Create a compose.yaml file. Insert your own keys and certificates or use the ones I provide.

        services:
          prosody:
            image: "prosodyim/prosody:13.0"
            restart: always
            ports:
              - "5222:5222"
              - "5223:5223"
              - "5269:5269"
              - "5270:5270"
              - "5280:5280"
              - "5281:5281"
            volumes:
              - prosody_data:/var/lib/prosody
            configs:
              - source: ports
                target: /etc/prosody/conf.d/01-ports.cfg.lua
                mode: 0666
              - source: certs
                target: /etc/prosody/conf.d/02-certs.cfg.lua
                mode: 0666
              - source: prosody.test
                target: /etc/prosody/conf.d/90-localhost.cfg.lua
                mode: 0666
              - source: default_cert
                target: /etc/prosody/certs/default/cert.pem
                mode: 0666
              - source: default_key
                target: /etc/prosody/certs/default/key.pem
                mode: 0666
              - source: prosody_test_cert
                target: /etc/prosody/certs/prosody.test/cert.pem
                mode: 0666
              - source: prosody_test_key
                target: /etc/prosody/certs/prosody.test/key.pem
                mode: 0666
            environment:
              LOCAL: root
              DOMAIN: prosody.test
              PASSWORD: root
              PROSODY_ADMINS: root@prosody.test
              PROSODY_CERTIFICATES: /path/does/not/exist

        volumes:
          prosody_data: {}

        configs:
          ports:
            content: |
              c2s_ports = { 5222 }
              c2s_direct_tls_ports = { 5223 }
              s2s_ports = { 5269 }
              s2s_direct_tls_ports = { 5270 }
              http_ports = { 5280 }
              https_ports = { 5281 }
          certs:
            content: |
              ssl = {
                certificate = "/etc/prosody/certs/default/cert.pem";
                key = "/etc/prosody/certs/default/key.pem";
              }
              https_ssl = {
                certificate = "/etc/prosody/certs/default/cert.pem";
                key = "/etc/prosody/certs/default/key.pem";
              }
          prosody.test:
            content: |
              VirtualHost "prosody.test"
                ssl = {
                  certificate = "/etc/prosody/certs/prosody.test/cert.pem";
                  key = "/etc/prosody/certs/prosody.test/key.pem";
                }
                https_ssl = {
                  certificate = "/etc/prosody/certs/prosody.test/cert.pem";
                  key = "/etc/prosody/certs/prosody.test/key.pem";
                }

              Component "conference.prosody.test" "muc"

              Component "upload.prosody.test" "http_file_share"
                http_host = "prosody.test"
          default_cert:
            content: |
              -----BEGIN CERTIFICATE-----
              MIIBjTCCATOgAwIBAgIUHgRikamjjEvfFlgG8cvseqHLigwwCgYIKoZIzj0EAwIw
              FDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTI1MDMyMDAzMDQxOFoXDTM1MDMxODAz
              MDQxOFowFDESMBAGA1UEAwwJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYIKoZIzj0D
              AQcDQgAEnkOuXfiEG9RGOQD2cdtrhrhXoezQfFhqZ1yRvRwSzsSYKtYy3nuxbUM8
              2XHjCbWMkypFReE6XZsX9ZsbSFAA+KNjMGEwHQYDVR0OBBYEFP5v5zz46rklftxb
              2xTCZnbbbBNSMB8GA1UdIwQYMBaAFP5v5zz46rklftxb2xTCZnbbbBNSMAkGA1Ud
              EwQCMAAwFAYDVR0RBA0wC4IJbG9jYWxob3N0MAoGCCqGSM49BAMCA0gAMEUCIFEm
              d3YAgkJKaOqrt/6BjCOvqsekIyEothnzFXPKw3BJAiEA/ZeBwdjZoS/QBbEwCGJP
              pzhlFHfHsxL1b9EnHO71Oug=
              -----END CERTIFICATE-----
          default_key:
            content: |
              -----BEGIN PRIVATE KEY-----
              MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgSL/IsO/NndNHsHeW
              3QrAZZ76dt1uuTMO25o/aq4/jFmhRANCAASeQ65d+IQb1EY5APZx22uGuFeh7NB8
              WGpnXJG9HBLOxJgq1jLee7FtQzzZceMJtYyTKkVF4Tpdmxf1mxtIUAD4
              -----END PRIVATE KEY-----
          prosody_test_cert:
            content: |
              -----BEGIN CERTIFICATE-----
              MIIBpTCCAUygAwIBAgIUXSWcjaVe4N7DU0wsJdyvh8qbGxYwCgYIKoZIzj0EAwIw
              FzEVMBMGA1UEAwwMcHJvc29keS50ZXN0MB4XDTI1MDMyMDAzMDUwMloXDTM1MDMx
              ODAzMDUwMlowFzEVMBMGA1UEAwwMcHJvc29keS50ZXN0MFkwEwYHKoZIzj0CAQYI
              KoZIzj0DAQcDQgAEDA7YY3d8MvXehX30jR3sTIOeq8junY0a4Cw9eunxlh+JKiP1
              7A4KGKXw5vh9USv2A6/JvYDzwjGF63ReyUaRMKN2MHQwHQYDVR0OBBYEFCsWn4GY
              n8tiDGytYMT6l0JC3ffXMB8GA1UdIwQYMBaAFCsWn4GYn8tiDGytYMT6l0JC3ffX
              MAkGA1UdEwQCMAAwJwYDVR0RBCAwHoIMcHJvc29keS50ZXN0gg4qLnByb3NvZHku
              dGVzdDAKBggqhkjOPQQDAgNHADBEAiBo86SBXH7VWKse+M/7FoSkjsy6v98gLH/y
              t4U5nLXCdwIgSB+e3HX7AB4cwxLk1+oCZdZKD2my5u6KSSZN5JhLYdo=
              -----END CERTIFICATE-----
          prosody_test_key:
            content: |
              -----BEGIN PRIVATE KEY-----
              MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgUWS9uS0n2dd66Cdc
              +8ZeENLLdmtJk1YJgyzPxhCXvtKhRANCAAQMDthjd3wy9d6FffSNHexMg56ryO6d
              jRrgLD166fGWH4kqI/XsDgoYpfDm+H1RK/YDr8m9gPPCMYXrdF7JRpEw
              -----END PRIVATE KEY-----

    4. Start the compose project. I use 'docker compose up --force-recreate' to test the behavior.

    5. Connect to the server using a client. Your account would be login: root@prosody.test, password: root. I use gajim to test this.

    6. Test the connection with testssl.sh.

        docker run --rm -it drwetter/testssl.sh -S --ip 192.168.0.1 prosody.test:5281
        docker run --rm -it drwetter/testssl.sh -S --ip 192.168.0.1 --xmpphost prosody.test --starttls xmpp prosody.test:5222
        docker run --rm -it drwetter/testssl.sh -S --ip 192.168.0.1 --xmpphost prosody.test prosody.test:5223
        docker run --rm -it drwetter/testssl.sh -S --ip 192.168.0.1 --xmpphost prosody.test --starttls xmpp prosody.test:5269
        docker run --rm -it drwetter/testssl.sh -S --ip 192.168.0.1 --xmpphost prosody.test prosody.test:5270
        docker run --rm -it drwetter/testssl.sh -S --ip 192.168.0.1 prosody.test:5281

    7. Test the connection with curl.

        curl --connect-to prosody.test::127.0.0.1: https://prosody.test:5281/file_share/ -v -k

    8. Test the connection with openssl.

        openssl s_client -connect 127.0.0.1:5222 -starttls xmpp -xmpphost prosody.test -showcerts < /dev/null
        openssl s_client -connect 127.0.0.1:5223 -servername prosody.test -showcerts < /dev/null
        openssl s_client -connect 127.0.0.1:5269 -starttls xmpp-server -xmpphost prosody.test -showcerts < /dev/null
        openssl s_client -connect 127.0.0.1:5270 -servername prosody.test -showcerts < /dev/null
        openssl s_client -connect 127.0.0.1:5281 -servername prosody.test -showcerts < /dev/null

    Observed behavior: On ports 5222 and 5269, prosody responds with the correct self-signed certificate, but on ports 5223, 5270, and 5281, prosody uses the default certificate.

    Expected behavior: Prosody should return the correct certificates on direct_tls and https ports.

    Additional: Sources for this issue: https://gist.github.com/vitoyucepi/7bab622a9db24d0a0cf53502b2b3ca31
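The report's step 8 probes each port by hand with openssl s_client. The following is an added example (not part of the report, not Prosody code) that automates the same check and makes the security-relevant distinction explicit: on the STARTTLS ports (5222, 5269) the client names the vhost in clear in the `<stream:stream to="...">` header before TLS begins, while on the direct TLS ports (5223, 5270, 5281) TLS starts at byte one and the only vhost hint the server receives is the SNI extension. A server that ignores SNI there hands out the default certificate, which a client doing proper hostname verification must reject. The host `prosody.test`, the IP `127.0.0.1` and the port-to-mode table are taken from the report and are assumptions; decoding the certificate shells out to the `openssl x509` CLI because Python's `ssl` returns no parsed fields when verification is disabled.

```python
"""Added example: which certificate does each XMPP/HTTPS port present for a vhost?"""
import re
import socket
import ssl
import subprocess
import sys

XMPP_TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"

# (port, mode) taken from the report's config; mode names follow openssl s_client -starttls.
PORTS = [(5222, "xmpp"), (5223, "direct"), (5269, "xmpp-server"),
         (5270, "direct"), (5281, "direct")]


def xmpp_stream_header(host, ns="jabber:client"):
    """Stream opener; the vhost travels in clear in the to= attribute."""
    return ('<?xml version="1.0"?><stream:stream to="%s" version="1.0" '
            'xmlns="%s" xmlns:stream="http://etherx.jabber.org/streams">' % (host, ns))


def _recv_until(sock, marker, limit=65536):
    buf = b""
    while marker not in buf:
        chunk = sock.recv(4096)
        if not chunk or len(buf) > limit:
            raise ConnectionError("stream ended before %r" % marker)
        buf += chunk
    return buf


def fetch_der_cert(host, port, mode="direct", connect_ip=None, timeout=5.0):
    """Return the DER leaf certificate served for `host` on `port`.

    mode: 'direct' (TLS from byte one, vhost only via SNI), 'xmpp' (c2s
    STARTTLS) or 'xmpp-server' (s2s STARTTLS). Verification is disabled
    because the report uses self-signed certs; we compare names only.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((connect_ip or host, port), timeout=timeout)
    if mode != "direct":
        ns = "jabber:server" if mode == "xmpp-server" else "jabber:client"
        raw.sendall(xmpp_stream_header(host, ns).encode())
        features = _recv_until(raw, b"</stream:features>")
        if XMPP_TLS_NS.encode() not in features:
            raise RuntimeError("no STARTTLS offered on port %d" % port)
        raw.sendall(('<starttls xmlns="%s"/>' % XMPP_TLS_NS).encode())
        reply = _recv_until(raw, b"/>")
        if b"<proceed" not in reply:
            raise RuntimeError("STARTTLS refused: %r" % reply)
    # server_hostname sets SNI even though hostname checking is off.
    with ctx.wrap_socket(raw, server_hostname=host) as tls:
        return tls.getpeercert(binary_form=True)


def parse_openssl_names(text):
    """DNS SANs from `openssl x509 -subject -ext subjectAltName` output; CN as fallback."""
    names = re.findall(r"DNS:([^,\s]+)", text)
    if not names:
        m = re.search(r"CN\s*=\s*([^,/\n]+)", text)
        if m:
            names = [m.group(1).strip()]
    return names


def cert_dns_names(der):
    """Decode with the openssl CLI: under CERT_NONE getpeercert() gives only raw DER."""
    pem = ssl.DER_cert_to_PEM_cert(der)
    out = subprocess.run(["openssl", "x509", "-noout", "-subject", "-ext", "subjectAltName"],
                         input=pem, capture_output=True, text=True, check=True).stdout
    return parse_openssl_names(out)


def name_matches(pattern, host):
    """RFC 6125 style: case-insensitive; a wildcard covers one whole left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return pattern == host


def cert_matches_host(names, host):
    return any(name_matches(n, host) for n in names)


def main(host="prosody.test", connect_ip="127.0.0.1"):
    for port, mode in PORTS:
        try:
            names = cert_dns_names(fetch_der_cert(host, port, mode, connect_ip))
        except Exception as exc:  # report and continue; one dead port must not hide the rest
            print("%5d %-11s ERROR %s" % (port, mode, exc))
            continue
        verdict = "ok" if cert_matches_host(names, host) else "WRONG CERT"
        print("%5d %-11s %-10s %s" % (port, mode, verdict, ", ".join(names)))


if __name__ == "__main__":
    main(*sys.argv[1:3])
```

Run it as `python3 probe.py prosody.test 127.0.0.1` against the compose setup above; with the behaviour the report describes, the two STARTTLS rows show `prosody.test, *.prosody.test` and the three direct TLS rows show `localhost` with `WRONG CERT`. The name matching deliberately rejects `*.prosody.test` for the bare `prosody.test` and for deeper labels, which is why the report's vhost certificate carries both names.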

  2. MattJ on

    Thanks for the report! Can reproduce...

    Changes
    • tags Status-Accepted Milestone-13.0
  3. Vito on

    I have two remarks:
    1. This problem exists in 0.12.
    2. It's necessary to check what happens on certificate reload.

  4. MattJ on

    The issue is not present in 0.12 for me, so your issue may be different. I appreciate the detailed report, but it's a bit hard to follow all the docker and YAML. I've created #1915 to track the issue I can reproduce.

    Changes
    • tags Milestone-13.0 Status-Accepted Status-New
  5. Vito on

    The prosody bugtracker is not very good for tracking lots of code and long issues, so I created a github gist with the issue available at https://gist.github.com/vitoyucepi/7bab622a9db24d0a0cf53502b2b3ca31 .

  6. Vito on

    I've redone the reproduction in the github repository. Have a look at https://github.com/vitoyucepi/prosody-issue-1911 . I added the test script using the github actions. Here's the result: https://github.com/vitoyucepi/prosody-issue-1911/actions/runs/14146213005 . As I said, the problem exists in both 13.0 and 0.12.
