#786 Prosody doesn't know about FreeBSD 10.1's cert store

Reporter kousu
Owner Zash
Stars ★ (1)  
  • OpSys-FreeBSD
  • Priority-Medium
  • Type-Defect
  • Status-Invalid
  1. kousu on

    What steps will reproduce the problem? 1. Set `s2s_secure_auth = true` on your prosody server 4. Login and try to add a buddy on a different server. What is the expected output? What do you see instead? I expect the s2s connection to go through. On a working system this looks like: ``` s2sin804228880 debug Incoming s2s received <stream:stream version='1.0' from='kousu.ca' xml:lang='en' xmlns='http://etherx.jabber.org/streams' to='federation.definitelyreal.coffee'> s2sin804228880 debug certificate chain validation result: valid x509 debug Cert dNSName kousu.ca matched hostname s2sin804228880 debug certificate identity validation result: valid ``` but on this system it looks like ``` socket debug server.lua: ssl handshake done s2sout8040c6580 debug Sending stream header... s2sout8040c6580 debug sending: <?xml version='1.0'?> s2sout8040c6580 debug sending: <stream:stream xmlns:db='jabber:server:dialback' xmlns:stream='http://etherx.jabber.org/streams' version='1.0' from='federation.definitelyreal.coffee' to='kousu.ca' xml:lang='en' xmlns='jabber:server'> s2sout8040c6580 debug certificate chain validation result: invalid s2sout8040c6580 debug certificate error(s) at depth 1: unable to get local issuer certificate, certificate not trusted mod_s2s warn Forbidding insecure connection to/from kousu.ca s2sout8040c6580 debug sending: </stream:stream> ``` What version of the product are you using? On what operating system? root@federation:/usr/home/kousu # uname -a FreeBSD federation.definitelyreal.coffee 10.1-RELEASE FreeBSD 10.1-RELEASE #0 r274401: Tue Nov 11 21:02:49 UTC 2014 root@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64 root@federation:/usr/home/kousu # pkg info prosody prosody-0.9.10 Name : prosody Version : 0.9.10 Installed on : Thu Nov 24 22:51:22 2016 EST Origin : net-im/prosody Architecture : freebsd:10:x86:64 Prefix : /usr/local Categories : net-im Licenses : MIT Maintainer : lx@FreeBSD.org WWW : http://www.prosody.im/ Comment : Simple extensible XMPP server written in Lua Options : LUAJIT : off Shared Libs required: libidn.so.11 Annotations : cpe : cpe:2.3:a:prosody:prosody:0.9.10:::::freebsd10:x64 repo_type : binary repository : FreeBSD Flat size : 891KiB Description : Prosody is a flexible communications server for Jabber/XMPP written in Lua. It aims to be easy to use, and light on resources. For developers it aims to be easy to extend and give a flexible system on which to rapidly develop added functionality, or prototype new protocols. WWW: http://www.prosody.im/ root@federation:/usr/home/kousu # Please provide any additional information below. This can be fixed by 1. `pkg install ca_root_nss` 2. adding "cafile": ``` ssl = { key = "/usr/local/etc/letsencrypt/live/federation.definitelyreal.coffee/privkey.pem"; certificate = "/usr/local/etc/letsencrypt/live/federation.definitelyreal.coffee/fullchain.pem"; cafile = "/usr/local/share/certs/ca-root-nss.crt"; } ``` Upon experimentation, it seems that this is more a FreeBSD + OpenSSL problem than a prosody problem. On FreeBSD 10.1 (the server), it fails: ``` root@federation:/usr/home/kousu # openssl s_client -connect comms.kousu.ca:6697 -verify 1 [...] Verify return code: 27 (certificate not trusted) --- ^C ``` unless I specify the CAfile: ``` root@federation:/usr/home/kousu # openssl s_client -connect comms.kousu.ca:6697 -verify 1 -CAfile /usr/local/share/certs/ca-root-nss.crt [...] Verify return code: 0 (ok) --- ^C ``` but on 10.3 (my laptop) it just automagically works: ``` [kousu@requiem ~]$ openssl s_client -connect comms.kousu.ca:6697 -verify 1 [...] Verify return code: 0 (ok) ``` So I think all I would like prosody to do is update some docs: https://prosody.im/doc/certificates mentions capath as being required sometimes, but it doesn't mention cafile. FreeBSD 10.1, at least, needs cafile, so I would appreciate a note to that effect on that page.

  2. Zash on

    As you said, this is more of a FreeBSD or OpenSSL problem than a Prosody problem. Take it up with their package maintainers. They may wish to patch certmanager on install or something.

    • tags Status-Invalid OpSys-FreeBSD
    • owner Zash

New comment