#752 Missing SSL/TLS configuration should fail

Reporter MattJ
Owner Nobody
Created
Updated
Stars ★ (1)  
Tags
  • Priority-Medium
  • Type-Defect
  • Status-Accepted
  1. MattJ on

    What steps will reproduce the problem? 1. Ensure there is no global 'ssl' option 2. Enable legacy_ssl_ports or HTTPS What is the expected output? What do you see instead? The port is opened and accepts connections, but TLS handshakes fail with "no cipher overlap". What version of the product are you using? 0.9.x Please provide any additional information below. The issue appears to be related to the duplicate_ssl_config() function in portmanager, which returns an empty table if there is no config to use. This is accepted by LuaSec, but then no key/certificate is loaded and no ciphers are enabled. We should fail to open the port, potential triggers: - The SSL config is empty (i.e. next(config) == nil) - duplicate_ssl_config() should just return nil (and we would need to error on that) - duplicate_ssl_config returns { failed = true } (ick?) - There is no key/certificate field in the config (is that valid in any cases?)

  2. Zash on

    In 0.10, it checks that key and certificate fields are present for server contexts, or an error is thrown. While contexts without those could be useful sometimes, eg with anonymous ciphers, I believe those cases to be extremely rare.

  3. Zash on

    How does this relate to the new automagic configuration?

  4. Zash on

    Changes
    • tags Status-Accepted

New comment