#781 S2S certificates not trusted with luasec-0.6

Reporter Daniel Kenzelmann
Owner Zash
Created
Updated
Stars ★ (1)  
Tags
  • Milestone-0.9
  • Status-Fixed
  • Type-Defect
  • Priority-Medium
  1. Daniel Kenzelmann on

    - Prosody 0.9.11 After updating luasec to luasec-0.6, s2s connections are no longer possible. The following log entries are visible (replacing external host with XXX): 2016-11-17T12:58:23+01:00 router prosody[5962]: s2sin7ab42ba40: incoming s2s stream XXX->k8n.de closed: Your server's certificate is invalid, expired, or not trusted by k8n.de 2016-11-17T12:58:23+01:00 router prosody[5962]: s2sin7ab42ba40: Destroying incoming session XXX->k8n.de: Your server's certificate is invalid, expired, or not trusted by k8n.de Downgrading to luasec-0.5.1 makes the connection work again: 2016-11-17T14:30:18+01:00 router prosody[15955]: x509: Cert dNSName XXX matched hostname The affected certificates are from letsencrypt, currently unable to determine if only those are affected The involved servers are correctly returning the full chain (i.e. cert and intermediate)

  2. Zash on

    Hi. What OS is this?

    Changes
    • tags Status-NeedInfo
    • owner Zash
  3. Daniel Kenzelmann on

    Gentoo Linux

  4. Zash on

    Is OpenSSL or Libressl used? Which version? Also consider filing an issue in Gentoo.

  5. Daniel Kenzelmann on

    OpenSSL 1.0.2j

  6. Zash on

    I've managed to reproduce while investigating an unrelated issue. It appears that the remote server doesn't send a certificate. Seems to only happen with Prosody 0.9.x and LuaSec 0.6. It works with LuaSec 0.5.1 and/or Prosody 0.10.

    Changes
    • tags Milestone-0.9 Status-Accepted
  7. Zash on

    Oh, the way Prosody checks if LuaSec supports certificate validation was also broken in 0.6. https://hg.prosody.im/0.9/file/0.9.11/core/certmanager.lua#l35 -- ssl.x509 is nil here, so Prosody doesn't ask for a client certificate, the remote server doesn't send one.

    Changes
    • tags Status-Started
  8. Zash on

    Fixed in https://hg.prosody.im/0.9/rev/2a7b52437167 Thanks for the report

    Changes
    • tags Status-Fixed

New comment