#617 Default config doesn't explain when TLS is required

Reporter kousu
Owner Zash
Created
Updated
Stars ★ (1)
Tags
  • Priority-Medium
  • Status-Fixed
  • Milestone-0.10
  • Type-Enhancement
  1. kousu on

    If I have c2s_require_encryption = true but don't have SSL certs set up, there is no way for a connection to be made. The connection fails in a way that confused me, because all I did was run Prosody for testing without thinking about encryption. Here's the XMPP console from Pidgin:

    ```xml
    <features xmlns='http://etherx.jabber.org/streams'/>
    <iq type='get' id='purpled216ad07'>
      <query xmlns='jabber:iq:auth'>
        <username>kousu</username>
      </query>
    </iq>
    <iq id='purpled216ad07' type='error'>
      <error type='cancel'>
        <service-unavailable xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/>
      </error>
    </iq>
    Logged out.
    ```

    However if I enable mod_legacyauth I get:

    ```xml
    <features xmlns='http://etherx.jabber.org/streams'/>
    <iq type='get' id='purple9a4824e9'>
      <query xmlns='jabber:iq:auth'>
        <username>kousu</username>
      </query>
    </iq>
    <iq id='purple9a4824e9' type='error'>
      <error type='modify'>
        <not-acceptable xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/>
        <text xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'>Encryption (SSL or TLS) is required to connect to this server</text>
      </error>
    </iq>
    ```

    Now, Pidgin doesn't actually display this message in the UI, but it's there and in theory clients could pick it up, so I request that Prosody print this message for *all* streams if c2s_encryption_required and the client isn't using encryption.

    I am using Prosody 0.9.10-1 and Pidgin 2.10.12-1 on ArchLinux.

  2. kousu on

    It would also help if Prosody printed "TLS error" or something to the log. Right now I just see:

    ```
    socket      debug  server.lua: accepted new client connection from 127.0.0.1:47692 to 5222
    c2s26b0350  info   Client connected
    c2s26b0350  debug  Client sent opening <stream:stream> to localhost
    c2s26b0350  debug  Sent reply <stream:stream> to client
    c2s26b0350  debug  Received[c2s_unauthed]: <iq id='purpled216ad07' type='get'>
    stanzarouter debug Unhandled c2s_unauthed stanza: iq; xmlns=jabber:iq:auth
    c2s26b0350  debug  Received </stream:stream>
    c2s26b0350  info   c2s stream for <127.0.0.1> closed: session closed
    c2s26b0350  debug  Destroying session for (unknown) ((unknown)@localhost)
    c2s26b0350  info   Client disconnected: connection closed
    c2s26b0350  debug  Destroying session for (unknown) ((unknown)@(unknown))
    socket      debug  server.lua: closed client handler and removed socket from list
    ```

    which didn't clue me in to where the problem was.

  3. Zash on

    Hi, thanks for the report and sorry about the delay. This should already be communicated in the form of a <starttls> feature with a <required> child, unless there is a problem with your TLS config, in which case there should be errors in your log file from when Prosody starts about that. Further, in 0.10 Prosody will close the connection and yell loudly if there is no way for a client to proceed.

    Changes
    • owner Zash
  4. MattJ on

    Changes
    • tags Milestone-0.10
  5. Zash on

    This prosodyctl check addition should catch this: https://hg.prosody.im/0.10/rev/82d8c11ab0cb As previously mentioned, prosody 0.10 will already close the connection with a stream error when there is no way to proceed, like if encryption is required but no certificate is configured. See #285. Not sure what else we can do, so I'll close this now.

    Changes
    • tags Status-Fixed
  6. Wilhelm Schuster on

    I don't think this is fixed. I'm currently running prosody trunk (revision 7656 [1]) on Archlinux [2]. Trying to connect using profanity-0.5.0 fails and I get the same logs as @kousu commented above [3]:

    ```
    Oct 13 15:29:07 server prosody[2545]: socket: server.lua: closed client handler and removed socket from list
    Oct 13 15:29:07 server prosody[2545]: c2s2805cf0: Destroying session for (unknown) ((unknown)@(unknown))
    Oct 13 15:29:07 server prosody[2545]: c2s2805cf0: Client disconnected: connection closed
    Oct 13 15:29:07 server prosody[2545]: c2s2805cf0: Destroying session for (unknown) ((unknown)@example.com)
    Oct 13 15:29:07 server prosody[2545]: c2s2805cf0: c2s stream for <client-address> closed: session closed
    Oct 13 15:29:07 server prosody[2545]: c2s2805cf0: Received </stream:stream>
    Oct 13 15:29:07 server prosody[2545]: stanzarouter: Unhandled c2s_unauthed stanza: iq; xmlns=jabber:iq:auth
    Oct 13 15:29:07 server prosody[2545]: c2s2805cf0: Received[c2s_unauthed]: <iq id='_xmpp_auth1' type='set'>
    Oct 13 15:29:07 server prosody[2545]: c2s2805cf0: Sent reply <stream:stream> to client
    Oct 13 15:29:07 server prosody[2545]: c2s2805cf0: Client sent opening <stream:stream> to example.com
    Oct 13 15:29:07 server prosody[2545]: c2s2805cf0: Client connected
    Oct 13 15:29:07 server prosody[2545]: socket: server.lua: accepted new client connection from <client-address> to 5222
    Oct 13 15:28:43 server systemd[1]: Started XMPP (Jabber) Server.
    Oct 13 15:28:43 server prosodyctl[2542]: Started
    Oct 13 15:28:42 server prosody[2545]: mod_posix: Successfully daemonized to PID 2545
    Oct 13 15:28:42 server prosody[2543]: mod_posix: Prosody is about to detach from the console, disabling further console output
    Oct 13 15:28:42 server systemd[1]: Starting XMPP (Jabber) Server...
    ```

    Connecting via plaintext ("c2s_require_encryption = false") works, so I assume something is wrong with my TLS setup. The problem is that I don't know where the problem is. Prosody doesn't give any TLS error messages even with debug logging, and `prosodyctl check` also exits without an error:

    ```
    # luac5.1 -p /etc/prosody/prosody.cfg.lua
    #
    $ sudo prosodyctl check
    [sudo] password for wlhlm:
    Checking config...
        Done.
    Checking DNS for host wilhelm.re...
    Checking certificates...
    Checking certificate for wilhelm.re
      Certificate: /etc/ssl/wilhelm.re.chain.crt
    All checks passed, congratulations!
    ```

    [1]: https://hg.prosody.im/trunk/rev/296543556065
    [2]: https://www.archlinux.org/packages/community/x86_64/prosody/
    [3]: https://prosody.im/issues/issue/617#comment-2
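The two situations in this thread, Zash's point (comment 3) that a correctly configured server signals mandatory TLS through a `<starttls>` feature with a `<required/>` child, and Wilhelm's report (comment 6) that `prosodyctl check` passes while clients still cannot log in, can both be checked from the client side without any server logs. The following is an added diagnostic, not code from Prosody or from any client mentioned here: it performs the same pre-authentication exchange the clients above did (plain TCP to port 5222, stream header, read `<stream:features>`), then reports whether STARTTLS is offered and whether it is marked required. An empty `<features/>` on a server with `c2s_require_encryption = true`, exactly what kousu's Pidgin console shows, is the dead-end configuration this issue is about. The host names and the sample feature fragments in the test are placeholders I constructed, not values from the thread.

```python
"""Probe whether an XMPP server advertises STARTTLS before authentication.

Added diagnostic, not part of Prosody. It observes only what the server
offers on a plaintext stream; TLS is never started and no credentials are sent.
"""
import socket
import sys
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"

# A features fragment cut out of the stream depends on prefixes declared on the
# enclosing <stream:stream>; this wrapper restores them so the fragment parses
# whether it is written as <stream:features> (wire form) or as
# <features xmlns='...'/> (the form shown in Pidgin's XMPP console).
_WRAP = ("<stream:stream xmlns:stream='%s' xmlns='jabber:client'>%%s</stream:stream>"
         % NS_STREAM)


def classify_features(fragment: str) -> str:
    """Return 'required', 'optional' or 'absent' depending on the <starttls>
    advertisement inside a <stream:features> fragment."""
    root = ET.fromstring(_WRAP % fragment)
    features = root.find("{%s}features" % NS_STREAM)
    if features is None:
        raise ValueError("no stream:features element in fragment")
    starttls = features.find("{%s}starttls" % NS_TLS)
    if starttls is None:
        return "absent"
    if starttls.find("{%s}required" % NS_TLS) is not None:
        return "required"
    return "optional"


def diagnose(fragment: str, require_encryption: bool) -> str:
    """Turn the classification into the verdict an administrator wants to read.
    require_encryption mirrors the server's c2s_require_encryption setting."""
    state = classify_features(fragment)
    if state == "absent":
        if require_encryption:
            return ("misconfigured: encryption is required but no STARTTLS is offered, "
                    "so no client can proceed; look for TLS/certificate errors logged "
                    "at Prosody startup")
        return "plaintext only: no STARTTLS offered and none required"
    if state == "required":
        return "ok: STARTTLS offered and marked <required/>"
    return "ok: STARTTLS offered but optional (plaintext login still possible)"


def fetch_features(host: str, vhost=None, port: int = 5222, timeout: float = 5.0) -> str:
    """Open a plain TCP connection, send the XMPP stream header and return the
    raw <stream:features> fragment the server replies with."""
    vhost = vhost or host
    header = ("<?xml version='1.0'?><stream:stream to='%s' xmlns='jabber:client' "
              "xmlns:stream='%s' version='1.0'>" % (vhost, NS_STREAM))
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(header.encode())
        # Read until the features element is complete (either closed or self-closing).
        while b"</stream:features>" not in buf and b"<stream:features/>" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
        sock.sendall(b"</stream:stream>")
    text = buf.decode("utf-8", "replace")
    start = text.find("<stream:features")
    if start < 0:
        raise RuntimeError("server sent no <stream:features>: %r" % text[:200])
    end = text.find("</stream:features>", start)
    end = end + len("</stream:features>") if end >= 0 else text.find("/>", start) + 2
    return text[start:end]


if __name__ == "__main__":
    # Usage: python probe.py <host> [vhost]  (defaults are placeholders, not thread values)
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    name = sys.argv[2] if len(sys.argv) > 2 else target
    frag = fetch_features(target, name)
    print(frag)
    print(diagnose(frag, require_encryption=True))
```

Run it against the server with `require_encryption=True` matching the config: a "misconfigured" verdict with empty features means the server never had a working TLS context to offer, which is the case a certificate-path check alone does not catch.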
