What steps will reproduce the problem?
1. Ensure there is no global 'ssl' option
2. Enable legacy_ssl_ports or HTTPS
What is the expected output? What do you see instead?
The port is opened and accepts connections, but TLS handshakes fail with "no cipher overlap".
What version of the product are you using?
0.9.x
Please provide any additional information below.
The issue appears to be related to the duplicate_ssl_config() function in portmanager, which returns an empty table if there is no config to use. This is accepted by LuaSec, but then no key/certificate is loaded and no ciphers are enabled.
We should fail to open the port. Potential triggers:
- The SSL config is empty (i.e. next(config) == nil)
- duplicate_ssl_config() should just return nil (and we would need to error on that)
- duplicate_ssl_config returns { failed = true } (ick?)
- There is no key/certificate field in the config (is that valid in any cases?)
Zash
In 0.10, it checks that key and certificate fields are present for server contexts, or an error is thrown. While contexts without those could be useful sometimes, e.g. with anonymous ciphers, I believe those cases to be extremely rare.
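The failure mode described in the report (an empty table handed to LuaSec, so no key, certificate or ciphers are loaded) and the 0.10 check mentioned above can be illustrated with a small validation step run before the port is opened. This is an added example, not Prosody's own portmanager code; validate_ssl_config and open_ssl_port are hypothetical names, and the sample config tables are constructed.

```lua
-- Added example (not Prosody's own code): refuse to open a port when the
-- SSL config would produce an unusable TLS context, instead of letting
-- LuaSec accept it and then failing handshakes with "no cipher overlap".
local function validate_ssl_config(config, port_name)
	-- Case 1: no config at all (e.g. duplicate_ssl_config() returned nil)
	if config == nil then
		return nil, ("no SSL configuration for %s"):format(port_name);
	end
	-- Case 2: an empty table; LuaSec accepts it, but no key, certificate
	-- or ciphers would ever be loaded
	if next(config) == nil then
		return nil, ("SSL configuration for %s is empty"):format(port_name);
	end
	-- Case 3: server contexts need both a key and a certificate
	-- (mode, key and certificate are the LuaSec field names)
	if config.mode == nil or config.mode == "server" then
		for _, field in ipairs({ "key", "certificate" }) do
			if not config[field] then
				return nil, ("SSL configuration for %s is missing '%s'"):format(port_name, field);
			end
		end
	end
	return config;
end

-- Hypothetical wrapper: the port open fails early with a clear error
-- rather than proceeding with a context that cannot complete a handshake.
local function open_ssl_port(port_name, config, ssl_newcontext)
	local checked, err = validate_ssl_config(config, port_name);
	if not checked then
		return nil, err;
	end
	return ssl_newcontext(checked);
end

-- Constructed sample inputs
assert(not validate_ssl_config(nil, "legacy_ssl"));   -- missing config rejected
assert(not validate_ssl_config({}, "legacy_ssl"));    -- empty table rejected
assert(not validate_ssl_config({ mode = "server", key = "/path/to/example.key" }, "https")); -- no certificate
assert(validate_ssl_config({ mode = "server", key = "k.pem", certificate = "c.pem" }, "https"));
assert(validate_ssl_config({ mode = "client" }, "s2s-out")); -- client contexts may omit key/certificate
```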
Zash
How does this relate to the new automagic configuration?
This was fixed in https://hg.prosody.im/trunk/rev/576488cffc3a