#786 Prosody doesn't know about FreeBSD 10.1's cert store
Reporter: kousu
Owner: Zash
Created:
Updated:
Stars: ★ (1)
Tags: Type-Defect, Priority-Medium, OpSys-FreeBSD, Status-Invalid
kousu
on
What steps will reproduce the problem?
1. Set `s2s_secure_auth = true` on your prosody server
4. Login and try to add a buddy on a different server.
What is the expected output? What do you see instead?
I expect the s2s connection to go through. On a working system this looks like:
```
s2sin804228880 debug Incoming s2s received <stream:stream version='1.0' from='kousu.ca' xml:lang='en' xmlns='http://etherx.jabber.org/streams' to='federation.definitelyreal.coffee'>
s2sin804228880 debug certificate chain validation result: valid
x509 debug Cert dNSName kousu.ca matched hostname
s2sin804228880 debug certificate identity validation result: valid
```
but on this system it looks like
```
socket debug server.lua: ssl handshake done
s2sout8040c6580 debug Sending stream header...
s2sout8040c6580 debug sending: <?xml version='1.0'?>
s2sout8040c6580 debug sending: <stream:stream xmlns:db='jabber:server:dialback' xmlns:stream='http://etherx.jabber.org/streams' version='1.0' from='federation.definitelyreal.coffee' to='kousu.ca' xml:lang='en' xmlns='jabber:server'>
s2sout8040c6580 debug certificate chain validation result: invalid
s2sout8040c6580 debug certificate error(s) at depth 1: unable to get local issuer certificate, certificate not trusted
mod_s2s warn Forbidding insecure connection to/from kousu.ca
s2sout8040c6580 debug sending: </stream:stream>
```
What version of the product are you using? On what operating system?
```
root@federation:/usr/home/kousu # uname -a
FreeBSD federation.definitelyreal.coffee 10.1-RELEASE FreeBSD 10.1-RELEASE #0 r274401: Tue Nov 11 21:02:49 UTC 2014 root@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64
root@federation:/usr/home/kousu # pkg info prosody
prosody-0.9.10
Name           : prosody
Version        : 0.9.10
Installed on   : Thu Nov 24 22:51:22 2016 EST
Origin         : net-im/prosody
Architecture   : freebsd:10:x86:64
Prefix         : /usr/local
Categories     : net-im
Licenses       : MIT
Maintainer     : lx@FreeBSD.org
WWW            : http://www.prosody.im/
Comment        : Simple extensible XMPP server written in Lua
Options        :
        LUAJIT : off
Shared Libs required:
        libidn.so.11
Annotations    :
        cpe    : cpe:2.3:a:prosody:prosody:0.9.10:::::freebsd10:x64
        repo_type : binary
        repository : FreeBSD
Flat size      : 891KiB
Description    :
Prosody is a flexible communications server for Jabber/XMPP written in Lua. It
aims to be easy to use, and light on resources. For developers it aims to be
easy to extend and give a flexible system on which to rapidly develop added
functionality, or prototype new protocols.

WWW: http://www.prosody.im/
root@federation:/usr/home/kousu #
```
Please provide any additional information below.
This can be fixed by
1. `pkg install ca_root_nss`
2. adding "cafile":
```
ssl = {
key = "/usr/local/etc/letsencrypt/live/federation.definitelyreal.coffee/privkey.pem";
certificate = "/usr/local/etc/letsencrypt/live/federation.definitelyreal.coffee/fullchain.pem";
cafile = "/usr/local/share/certs/ca-root-nss.crt";
}
```
Upon experimentation, it seems that this is more a FreeBSD + OpenSSL problem than a prosody problem. On FreeBSD 10.1 (the server), it fails:
```
root@federation:/usr/home/kousu # openssl s_client -connect comms.kousu.ca:6697 -verify 1
[...]
Verify return code: 27 (certificate not trusted)
---
^C
```
unless I specify the CAfile:
```
root@federation:/usr/home/kousu # openssl s_client -connect comms.kousu.ca:6697 -verify 1 -CAfile /usr/local/share/certs/ca-root-nss.crt
[...]
Verify return code: 0 (ok)
---
^C
```
but on 10.3 (my laptop) it just automagically works:
```
[kousu@requiem ~]$ openssl s_client -connect comms.kousu.ca:6697 -verify 1
[...]
Verify return code: 0 (ok)
```
So I think all I would like prosody to do is update some docs: https://prosody.im/doc/certificates mentions capath as being required sometimes, but it doesn't mention cafile. FreeBSD 10.1, at least, needs cafile, so I would appreciate a note to that effect on that page.
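A host-side check for the situation described in this report, as an added example that is not part of the original issue and not Prosody's own code. It asks the OpenSSL that Python is linked against where its compiled-in default `cafile`/`capath` are and whether they exist on disk (on a FreeBSD 10.1 box without `ca_root_nss` the compiled-in path is present but the file is not), counts how many CA certificates a default context actually loads, probes a list of candidate bundle locations, confirms the chosen bundle parses and contains at least one CA, and renders the `ssl` block from the report with `cafile` set. The only bundle path taken from the report is `/usr/local/share/certs/ca-root-nss.crt`; the other candidate paths are assumptions, as are the function names. One caveat: Python may be linked against a different OpenSSL build than the LuaSec that Prosody uses, so treat the default-path output as a hint and still run the `openssl s_client -CAfile` check from the report against the server's own OpenSSL.

```python
"""Added example (not from the issue or from Prosody): find out which trust
store OpenSSL consults by default, pick a usable CA bundle, and render the
Prosody `ssl` block the report describes. Paths other than
/usr/local/share/certs/ca-root-nss.crt are assumptions."""
import os
import ssl
import textwrap

# CA bundle locations to try, in order. The first is the one the report uses.
# /etc/ssl/cert.pem is assumed to be where FreeBSD's ca_root_nss port drops a
# symlink when the ETCSYMLINK option is on; the rest are common Linux paths.
CANDIDATE_BUNDLES = [
    "/usr/local/share/certs/ca-root-nss.crt",
    "/etc/ssl/cert.pem",
    "/etc/ssl/certs/ca-certificates.crt",
    "/etc/pki/tls/certs/ca-bundle.crt",
]


def default_verify_paths():
    """Where the linked OpenSSL looks for trust anchors when no cafile/capath
    is configured. `cafile_present`/`capath_present` are None when the
    compiled-in default does not exist on disk, which is the FreeBSD 10.1
    symptom: OpenSSL knows a path, but nothing was ever installed there."""
    p = ssl.get_default_verify_paths()
    return {
        "compiled_in_cafile": p.openssl_cafile,
        "compiled_in_capath": p.openssl_capath,
        "cafile_present": p.cafile,
        "capath_present": p.capath,
    }


def loaded_trust_anchors():
    """Number of CA certificates a default client context actually loads.
    Zero means every peer chain fails with 'unable to get local issuer
    certificate', and with s2s_secure_auth every federation peer is refused."""
    ctx = ssl.create_default_context()
    return ctx.cert_store_stats()["x509_ca"]


def pick_cafile(candidates=CANDIDATE_BUNDLES, exists=os.path.isfile):
    """First candidate bundle that exists on disk; None if the host has none
    (on FreeBSD 10.1 that means `pkg install ca_root_nss` is still needed)."""
    for path in candidates:
        if exists(path):
            return path
    return None


def bundle_can_verify(cafile):
    """True if OpenSSL parses the bundle and it holds at least one CA cert.
    Catches the 'file exists but is empty or garbage' case that a bare
    isfile() check misses."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=cafile)
    except (ssl.SSLError, OSError):
        return False
    return ctx.cert_store_stats()["x509_ca"] > 0


def prosody_ssl_block(key, certificate, cafile):
    """Render the Lua `ssl` table from the report. `cafile` is what Prosody
    verifies *remote* s2s peers against; `certificate` is our own chain."""
    return textwrap.dedent(f"""\
        ssl = {{
            key = "{key}";
            certificate = "{certificate}";
            cafile = "{cafile}";
        }}
        """)


if __name__ == "__main__":
    print("OpenSSL default verify paths:", default_verify_paths())
    print("CA certificates loaded by a default context:", loaded_trust_anchors())
    cafile = pick_cafile()
    if cafile is None:
        print("No CA bundle found; on FreeBSD run: pkg install ca_root_nss")
    elif not bundle_can_verify(cafile):
        print(f"{cafile} exists but loads no CA certificates")
    else:
        print(prosody_ssl_block(
            "/usr/local/etc/letsencrypt/live/federation.definitelyreal.coffee/privkey.pem",
            "/usr/local/etc/letsencrypt/live/federation.definitelyreal.coffee/fullchain.pem",
            cafile))
```

Run it on the server as the user Prosody runs as, so that file permissions on the bundle are exercised too. Note that `cafile` and `certificate` play different roles: `certificate`/`key` are what this server presents, `cafile` is the trust store used to validate the chains that other servers present; shipping a working `fullchain.pem` does nothing for the outbound s2s failure shown in the log above.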
Zash
on
As you said, this is more of a FreeBSD or OpenSSL problem than a Prosody problem. Take it up with their package maintainers. They may wish to patch certmanager on install or something.