Hello prosody developers, I've faced a slight problem when trying to use Prosody with SSL.

I have the following in the global part of my prosody.cfg.lua:

ssl = {
	key = ".../ssl.key";
	certificate = ".../ssl.crt";
}

When I try to start the server, it gives a few lines of this:

SSL/TLS: Error initialising for ...: OpenSSL does not support ECDH

OK, fair enough. My OpenSSL installation hasn't got ECDH enabled and I don't need it anyway, so let's not use it:

ciphers = "HIGH:!PSK:!SRP:!3DES:!aNULL"

Still the same error. So I went to see what causes luasec to do that:

-- Set elliptic curve
if cfg.curve then
	succ, msg = context.setcurve(ctx, cfg.curve)
	if not succ then return nil, msg end
end

[..]

#ifdef OPENSSL_NO_ECDH
static int set_curve(lua_State *L)
{
	...
	lua_pushstring(L, "OpenSSL does not support ECDH");
	....  // Fail
}

[..]

OK, so it happens if we set the curve. Let's try to "not set" it:

curve = "";

Doesn't help, as it's set to the default value in that case. So let's try not to set it at all specifically:

--- certmanager.lua	2014-01-12 11:41:40.000000000 +0000
+++ certmanager.lua	2014-03-16 20:17:55.804035803 +0000
@@ -69,7 +69,6 @@
 		verifyext = user_ssl_config.verifyext or default_verifyext;
 		options = user_ssl_config.options or default_options;
 		depth = user_ssl_config.depth;
-		curve = user_ssl_config.curve or "secp384r1";
 		ciphers = user_ssl_config.ciphers or "HIGH+kEDH:HIGH+kEECDH:HIGH:!PSK:!SRP:!3DES:!aNULL";
 		dhparam = user_ssl_config.dhparam;
 	};

This gets it. Of course, I could just enable ECDH, but unfortunately it is not a trivial task on my distribution (it's EC2 Amazon Linux) - you need to build it from sources with some flag set, which sounds like a potential source of even more problems. I've tried installing the current master of prosody and got the same results.

So what do you think about it, guys? Am I doing something wrong, or should this be fixed? I'll be more than happy to fix it myself and send a pull request, if we agree on how this should be dealt with. I am not very good with all that SSL terminology, but is it required to have curve set to something even if we don't intend to use ECDH?

Regards,
Artur
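Review bot: Removing the `curve = user_ssl_config.curve or "secp384r1";` default unconditionally turns ECDHE off for every deployment, including the ones whose OpenSSL does support it, while the `ciphers` default on the following line still advertises `HIGH+kEECDH` suites that can then never be negotiated, so the change silently weakens forward-secrecy options rather than fixing the failing build. The narrower fix is to keep the default but let the `or` fallback respect an explicit opt-out (as written, `curve = false` or `curve = ""` still ends up calling `setcurve`), or to treat luasec's "OpenSSL does not support ECDH" result as non-fatal and drop the `kEECDH` entries from the cipher list in that case so the two settings stay consistent.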
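One way a context builder can cope with an OpenSSL that lacks ECDH without disabling it for everyone, as an added example that is not Prosody's or luasec's own code: try the ECDH-enabled config first, and only if luasec reports the error quoted in this thread, retry without a curve and with the kEECDH suites removed from the cipher list so the advertised ciphers match what the context can actually negotiate. It assumes luasec's `ssl.newcontext(cfg)` returns `nil, err` on failure (as the `set_curve` path above does), takes `mode`, `protocol` and `options` as the usual luasec keys, and uses placeholder key and certificate paths.

```lua
-- Added example (not Prosody's or luasec's code): build a luasec context
-- config that only sets a curve when the linked OpenSSL supports ECDH.
-- Assumption: ssl.newcontext(cfg) returns nil, err on failure.
local ssl = require "ssl"

-- Default cipher list from the certmanager.lua hunk above, and the same list
-- with the ECDHE family (kEECDH) removed for the no-ECDH fallback.
local DEFAULT_CIPHERS = "HIGH+kEDH:HIGH+kEECDH:HIGH:!PSK:!SRP:!3DES:!aNULL"
local NO_ECDH_CIPHERS = "HIGH+kEDH:HIGH:!PSK:!SRP:!3DES:!aNULL"

-- user: the ssl = { ... } table from prosody.cfg.lua (constructed here).
-- with_ecdh: whether to set a curve and advertise ECDHE suites.
local function build_ssl_config(user, with_ecdh)
	local cfg = {
		mode = "server";
		protocol = user.protocol or "sslv23";  -- assumed luasec protocol name
		key = user.key;
		certificate = user.certificate;
		options = user.options;
		dhparam = user.dhparam;
	}
	if with_ecdh then
		cfg.curve = user.curve or "secp384r1"
		cfg.ciphers = user.ciphers or DEFAULT_CIPHERS
	else
		-- Leave curve unset so luasec never calls set_curve(), and drop the
		-- kEECDH suites, which cannot be negotiated without a curve anyway.
		cfg.ciphers = user.ciphers or NO_ECDH_CIPHERS
	end
	return cfg
end

-- Try with ECDH first; if luasec reports that the OpenSSL build lacks ECDH,
-- retry once without a curve instead of refusing to start. Any other error
-- (bad key path, unreadable certificate, ...) is returned unchanged.
local function new_context(user)
	local cfg = build_ssl_config(user, true)
	local ctx, err = ssl.newcontext(cfg)
	if ctx then return ctx, cfg end
	if type(err) == "string" and err:find("does not support ECDH", 1, true) then
		cfg = build_ssl_config(user, false)
		ctx, err = ssl.newcontext(cfg)
		if ctx then return ctx, cfg end
	end
	return nil, err
end

-- Constructed usage with placeholder paths.
local ctx, info = new_context {
	key = "/path/to/ssl.key";          -- placeholder
	certificate = "/path/to/ssl.crt";  -- placeholder
}
if ctx then
	print("TLS context ready; curve: " .. tostring(info.curve) .. "; ciphers: " .. info.ciphers)
else
	print("TLS init failed: " .. tostring(info))
end
```

The point of the fallback is that the curve and the cipher list are set together: a context that advertises `kEECDH` suites but has no curve configured will simply never pick them, so logging which branch was taken (as the usage above does) makes it visible when a deployment has quietly lost ECDHE.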