#781 S2S certificates not trusted with luasec-0.6

Reporter Daniel Kenzelmann
Owner Zash
Stars ★ (1)
  • Priority-Medium
  • Milestone-0.9
  • Type-Defect
  • Status-Fixed
  1. Daniel Kenzelmann on

    - Prosody 0.9.11 After updating luasec to luasec-0.6, s2s connections are no longer possible. The following log entries are visible (replacing external host with XXX): 2016-11-17T12:58:23+01:00 router prosody[5962]: s2sin7ab42ba40: incoming s2s stream XXX->k8n.de closed: Your server's certificate is invalid, expired, or not trusted by k8n.de 2016-11-17T12:58:23+01:00 router prosody[5962]: s2sin7ab42ba40: Destroying incoming session XXX->k8n.de: Your server's certificate is invalid, expired, or not trusted by k8n.de Downgrading to luasec-0.5.1 makes the connection work again: 2016-11-17T14:30:18+01:00 router prosody[15955]: x509: Cert dNSName XXX matched hostname The affected certificates are from letsencrypt, currently unable to determine if only those are affected The involved servers are correctly returning the full chain (i.e. cert and intermediate)

  2. Zash on

    Hi. What OS is this?

    • owner Zash
    • tags Status-NeedInfo
  3. Daniel Kenzelmann on

    Gentoo Linux

  4. Zash on

    Is OpenSSL or Libressl used? Which version? Also consider filing an issue in Gentoo.

  5. Daniel Kenzelmann on

    OpenSSL 1.0.2j

  6. Zash on

    I've managed to reproduce while investigating an unrelated issue. It appears that the remote server doesn't send a certificate. Seems to only happen with Prosody 0.9.x and LuaSec 0.6. It works with LuaSec 0.5.1 and/or Prosody 0.10.

    • tags Status-Accepted Milestone-0.9
  7. Zash on

    Oh, the way Prosody checks if LuaSec supports certificate validation was also broken in 0.6. https://hg.prosody.im/0.9/file/0.9.11/core/certmanager.lua#l35 -- ssl.x509 is nil here, so Prosody doesn't ask for a client certificate, the remote server doesn't send one.

    • tags Status-Started
  8. Zash on

    Fixed in https://hg.prosody.im/0.9/rev/2a7b52437167 Thanks for the report

    • tags Status-Fixed
  9. Adrien on

    Hi, I was recently pointed out to https://prosody.im/doc/depends#luasec because it says "The newly released LuaSec 0.6 does not work with Prosody 0.9.x". I think this is related to this issue and the page above needs to be updated. Can someone confirm this and update the page to mention Prosody 0.9.12 now supports LuaSec 0.6? (provided I'm not mistaken of course). Thanks. :)

New comment

Not published. Used for spam prevention and optional update notifications.