#1916 Impossible to override certificate verification policy in 13.0
Reporter: MattJ
Owner: MattJ
Tags: Status-Fixed, Priority-Medium, Type-Defect, Milestone-13.0
Various options in Prosody allow control over the behaviour of the certificate verification process. For example, some deployments choose to allow falling back to traditional "dialback" authentication (XEP-0220), while others verify via DANE, hard-coded fingerprints, or other custom plugins.
Implementing this flexibility requires us to override OpenSSL's default certificate verification, to allow Prosody to verify the certificate itself, apply custom policies and make decisions based on the outcome.
Since Prosody 13.0, this override appears to not be working for at least s2s connections.
May be related to #1915 and/or commit https://hg.prosody.im/trunk/rev/99d2100d2918 .
Fixed by https://hg.prosody.im/trunk/rev/a5d5fefb8b68 (commit contains an explanation).
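As an added illustration (not Prosody's code) of the pattern the report describes: once OpenSSL's default verification is overridden, its verdict becomes one input to an application policy layer that also consults pinned fingerprints, a DANE result and whether dialback fallback is allowed. The certificate bytes, error strings and policy field names below are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-in for a peer's DER-encoded certificate (not a real certificate).
PEER_CERT_DER = b"\x30\x82\x01\x00constructed-peer-cert"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated hex form commonly used for pins."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


@dataclass
class Policy:
    pinned_fingerprints: set = field(default_factory=set)  # hard-coded fingerprints
    dane_verified: bool = False        # outcome of a DANE check, supplied by the caller
    allow_dialback_fallback: bool = False  # permit XEP-0220 dialback if the cert fails


def decide(openssl_errors, cert_der, policy):
    """Return (decision, reason); decision is "accept", "dialback" or "reject".

    openssl_errors is the list of errors OpenSSL reported for the chain (empty
    means the chain verified). This function only gets to run when OpenSSL's
    default verification has been overridden; without the override, any error
    aborts the handshake before the application policy is consulted, which is
    the symptom the report above describes.
    """
    if fingerprint(cert_der) in policy.pinned_fingerprints:
        return "accept", "matched pinned fingerprint"
    if policy.dane_verified:
        return "accept", "verified via DANE"
    if not openssl_errors:
        return "accept", "chain verified by OpenSSL"
    reason = "certificate rejected: " + "; ".join(openssl_errors)
    if policy.allow_dialback_fallback:
        return "dialback", reason
    return "reject", reason
```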