Hello prosody developers,

I've faced a slight problem when trying to use Prosody with SSL. 

I have the following in the global part of my prosody.cfg.lua:

ssl = {
        key = ".../ssl.key";
        certificate = ".../ssl.crt";
}


When I try to start the server, it gives a few lines of this:

SSL/TLS: Error initialising for ...: OpenSSL does not support ECDH


OK, fair enough. My OpenSSL installation hasn't got ECDH enabled and I 
don't need it anyway, so let's not use it:

ciphers = "HIGH:!PSK:!SRP:!3DES:!aNULL"


Still the same error.

So I went to see what causes luasec to do that:

-- Set elliptic curve
if cfg.curve then
  succ, msg = context.setcurve(ctx, cfg.curve)
  if not succ then return nil, msg end
end


[..]

#ifdef OPENSSL_NO_ECDH
/* OpenSSL was built without ECDH: setcurve() fails unconditionally,
 * whatever curve name the Lua side passes in. */
static int set_curve(lua_State *L)
{
  /* ... */
  lua_pushstring(L, "OpenSSL does not support ECDH");
  /* ... fail: hand the error back to the Lua caller */
}

[..]


OK, so it happens if we set the curve. Let's try to "not set" it:

curve = "";


Doesn't help, as it's set to the default value in that case. So let's try 
not setting it at all:

--- certmanager.lua     2014-01-12 11:41:40.000000000 +0000
+++ certmanager.lua 2014-03-16 20:17:55.804035803 +0000
@@ -69,7 +69,6 @@
                verifyext = user_ssl_config.verifyext or default_verifyext;
                options = user_ssl_config.options or default_options;
                depth = user_ssl_config.depth;
-               curve = user_ssl_config.curve or "secp384r1";
                ciphers = user_ssl_config.ciphers or 
"HIGH+kEDH:HIGH+kEECDH:HIGH:!PSK:!SRP:!3DES:!aNULL";
                dhparam = user_ssl_config.dhparam;
        };
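Review bot: deleting the `curve = user_ssl_config.curve or "secp384r1";` line removes the default curve for every deployment, including those whose OpenSSL does support ECDH, so servers that previously negotiated ECDHE suites (the default cipher list in the same table still leads with HIGH+kEECDH) silently lose them unless each admin now sets `curve` by hand. Keep the default and add an explicit opt-out instead, e.g. `if user_ssl_config.curve ~= false then curve = user_ssl_config.curve or "secp384r1" end` (note that with the current line `curve = false` still yields "secp384r1", because `false or "secp384r1"` is the string), or apply the default only when luasec's setcurve succeeds. Either way, a comment in certmanager.lua should say why the curve may be absent, since the error text "OpenSSL does not support ECDH" is the only clue an admin gets.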

This does the trick.

Of course, I could just enable ECDH, but unfortunately that is not a trivial 
task on my distribution (it's EC2 Amazon Linux): you need to build it from 
source with some flag set, which sounds like a potential source of even 
more problems.

I've tried installing the current master of prosody and got the same 
results.

So what do you think about it, guys? Am I doing something wrong, or should 
this be fixed? I'll be more than happy to fix it myself and submit a pull 
request, if we agree on how this should be dealt with. I am not very good 
with all that SSL terminology, but is it required to have the curve set to 
something even if we don't intend to use ECDH?

Regards,
Artur

-- 
You received this message because you are subscribed to the Google Groups 
"prosody-dev" group.
Visit this group at http://groups.google.com/group/prosody-dev.
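As an added example (not code from Prosody, luasec, or the poster above), here is one way to make the curve conditional instead of deleting the default: probe the linked OpenSSL once by asking luasec for a throwaway context with a curve set, and only put `curve` into the real config when that probe succeeds. It assumes the luasec 0.5 API quoted in the thread (`ssl.newcontext` with a `curve` field, `setcurve` failing with "OpenSSL does not support ECDH" on a NO_ECDH build, and `dhparam` supplied as a callback returning PEM text, which is how Prosody's certmanager passes it); the file paths and the `build_ssl_config` / `openssl_supports_ecdh` names are placeholders of mine.

```lua
-- Added example, not Prosody's or luasec's own code.
-- Assumes luasec 0.5: ssl.newcontext{...} honours "curve", and on an
-- OpenSSL built with OPENSSL_NO_ECDH it returns nil plus the message
-- "OpenSSL does not support ECDH" (the error quoted in the thread).
local ssl = require "ssl"

-- Probe: build a throwaway context with only a curve set. No key or
-- certificate is needed, luasec loads those only when they are given.
local function openssl_supports_ecdh(curve)
  local ctx, err = ssl.newcontext{
    mode     = "server";
    protocol = "tlsv1";
    curve    = curve or "secp384r1";
  }
  if ctx then return true end
  -- Report the reason (NO_ECDH build, unknown curve name, ...) instead of
  -- silently treating every failure as "no ECDH".
  return false, err
end

-- luasec wants dhparam as a callback that returns the PEM text; reading
-- the file once and closing over it mirrors what certmanager.lua does.
local function dhparam_callback(path)
  local f = assert(io.open(path, "r"))
  local pem = f:read("*a")
  f:close()
  return function() return pem end
end

-- Same defaults as certmanager.lua, with the curve made optional.
-- user.curve = false opts out explicitly; nil means "default if possible".
local function build_ssl_config(user)
  user = user or {}
  local cfg = {
    mode        = "server";
    protocol    = user.protocol or "sslv23";
    key         = user.key;
    certificate = user.certificate;
    options     = user.options or { "no_sslv2" };
    ciphers     = user.ciphers or
      "HIGH+kEDH:HIGH+kEECDH:HIGH:!PSK:!SRP:!3DES:!aNULL";
  }
  -- Without ECDH the only forward-secret suites left are DHE (kEDH), and
  -- those need DH parameters, so keep dhparam wired up.
  if user.dhparam then
    cfg.dhparam = dhparam_callback(user.dhparam)
  end

  if user.curve ~= false then
    local wanted = user.curve or "secp384r1"
    local ok, err = openssl_supports_ecdh(wanted)
    if ok then
      cfg.curve = wanted
    elseif user.curve then
      -- The admin asked for a specific curve we cannot provide: fail loudly.
      return nil, ("cannot use curve %s: %s"):format(wanted, tostring(err))
    end
    -- Default curve unavailable (e.g. OPENSSL_NO_ECDH): leave cfg.curve
    -- unset so newcontext() never calls setcurve(); the kEECDH entries in
    -- the cipher list are then simply never negotiated.
  end
  return cfg
end

-- Usage; the paths are placeholders, point them at real files.
local cfg, err = build_ssl_config{
  key         = "/etc/prosody/certs/example.key";
  certificate = "/etc/prosody/certs/example.crt";
  dhparam     = "/etc/prosody/certs/dh2048.pem";
}
assert(cfg, err)
local ctx, cerr = ssl.newcontext(cfg)
assert(ctx, cerr)
print("curve in use:", cfg.curve or "(none, ECDH unavailable)")
```

After starting with this on a NO_ECDH build, check what the server actually offers with `openssl s_client -connect host:5222 -starttls xmpp` and confirm the negotiated cipher is a DHE suite rather than plain RSA; if it is RSA, the dhparam file is the first thing to check.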