- Prosody 0.9.11
After updating luasec to luasec-0.6, s2s connections are no longer possible.
The following log entries are visible (replacing external host with XXX):
2016-11-17T12:58:23+01:00 router prosody: s2sin7ab42ba40: incoming s2s stream XXX->k8n.de closed: Your server's certificate is invalid, expired, or not trusted by k8n.de
2016-11-17T12:58:23+01:00 router prosody: s2sin7ab42ba40: Destroying incoming session XXX->k8n.de: Your server's certificate is invalid, expired, or not trusted by k8n.de
Downgrading to luasec-0.5.1 makes the connection work again:
2016-11-17T14:30:18+01:00 router prosody: x509: Cert dNSName XXX matched hostname
The affected certificates are from Let's Encrypt; currently unable to determine if only those are affected.
The involved servers are correctly returning the full chain (i.e. cert and intermediate).
Hi. What OS is this?
Is OpenSSL or LibreSSL used? Which version?
Also consider filing an issue in Gentoo.
I've managed to reproduce while investigating an unrelated issue.
It appears that the remote server doesn't send a certificate. Seems to only happen with Prosody 0.9.x and LuaSec 0.6. It works with LuaSec 0.5.1 and/or Prosody 0.10.
I was recently pointed to https://prosody.im/doc/depends#luasec because it says "The newly released LuaSec 0.6 does not work with Prosody 0.9.x". I think this is related to this issue and the page above needs to be updated. Can someone confirm this and update the page to mention that Prosody 0.9.12 now supports LuaSec 0.6? (Provided I'm not mistaken, of course.)