On Mon, Nov 03, 2014 at 12:27:44PM +0400, Sergei Golovan wrote:

> Hi Alexander,
> It seems like you've disabled TLS for your server.
[…]
> There's no ssl options in localhost.cfg.lua.
> 
> > /etc/prosody/prosody.cfg.lua changed:
> ...
> > -- These are the SSL/TLS-related settings. If you don't want
> > -- to use SSL/TLS, you may comment or remove this
> > -- ssl = {
> > --      key = "/etc/prosody/certs/localhost.key";
> > --      certificate = "/etc/prosody/certs/localhost.cert";
> > --}
> 
> The ssl options are commented out.
[…]
> Could you try to add the following lines to your
> /etc/prosody/conf.d/localhost.cfg.lua and look if TLS is back after
> Prosody restart?
> ssl = {
>       key = "/etc/prosody/certs/localhost.key";
>       certificate = "/etc/prosody/certs/localhost.cert";
> }
> 
> Make sure that /etc/prosody/certs/localhost.key and
> /etc/prosody/certs/localhost.cert exist. They should link to
> ../../ssl/private/ssl-cert-snakeoil.key and
> ../../ssl/certs/ssl-cert-snakeoil.pem respectively.

I'm hitting the same problem. I commented out the snakeoil certificates,
and used proper certificates in the right virtual host; however, prosody
refuses to start without a global ssl setting.

Ok, I can work around it by enabling a global ssl setting pointing to
the snakeoil certs, but why would I want to do that? Why is prosody
needing bogus certificates to start, if they are not used? And if they
are used, what are snakeoil certs being actually used for?

From a security perspective, this worries me quite a bit.


Enrico

-- 
GPG key: 4096R/634F4BD1E7AD5568 2009-05-08 Enrico Zini <[email protected]>

Attachment: signature.asc
Description: PGP signature

Reply via email to