- Prosody 0.9.11
After updating luasec to luasec-0.6, s2s connections are no longer possible.
The following log entries are visible (replacing external host with XXX):
2016-11-17T12:58:23+01:00 router prosody: s2sin7ab42ba40: incoming s2s stream XXX->k8n.de closed: Your server's certificate is invalid, expired, or not trusted by k8n.de
2016-11-17T12:58:23+01:00 router prosody: s2sin7ab42ba40: Destroying incoming session XXX->k8n.de: Your server's certificate is invalid, expired, or not trusted by k8n.de
Downgrading to luasec-0.5.1 makes the connection work again:
2016-11-17T14:30:18+01:00 router prosody: x509: Cert dNSName XXX matched hostname
The affected certificates are from Let's Encrypt; currently unable to determine if only those are affected.
The involved servers are correctly returning the full chain (i.e. cert and intermediate).
Hi. What OS is this?
Is OpenSSL or Libressl used? Which version?
Also consider filing an issue in Gentoo.
I've managed to reproduce while investigating an unrelated issue.
It appears that the remote server doesn't send a certificate. Seems to only happen with Prosody 0.9.x and LuaSec 0.6. It works with LuaSec 0.5.1 and/or Prosody 0.10.