Hello prosody developers,

I've faced a slight problem when trying to use Prosody with SSL. 

I have following in the global part of my prosody.cfg.lua:

ssl = {
        key = ".../ssl.key";
        certificate = ".../ssl.crt";
}

When I try to start the server, it gives a few lines of this:

SSL/TLS: Error initialising for ...: OpenSSL does not support ECDH

OK, fair enough. My OpenSSL installation hasn't got ECDH enabled and I 
don't need it anyway, so let's not use it:

ciphers = "HIGH:!PSK:!SRP:!3DES:!aNULL"

Still the same error.

So I went to see what causes luasec to do that:

-- Set elliptic curve (Lua side, excerpt)
if cfg.curve then
  succ, msg = context.setcurve(ctx, cfg.curve)
  if not succ then return nil, msg end
end

/* C side, excerpt */
static int set_curve(lua_State *L)
{
  ...
  lua_pushstring(L, "OpenSSL does not support ECDH");
  .... // Fail
}


OK, so it happens if we set the curve. Let's try to "not set" it:

curve = "";

Doesn't help, as it's set to the default value in that case. So let's try 
not to set it at all specifically:

--- certmanager.lua     2014-01-12 11:41:40.000000000 +0000
+++ certmanager.lua 2014-03-16 20:17:55.804035803 +0000
@@ -69,7 +69,6 @@
                verifyext = user_ssl_config.verifyext or default_verifyext;
                options = user_ssl_config.options or default_options;
                depth = user_ssl_config.depth;
-               curve = user_ssl_config.curve or "secp384r1";
                ciphers = user_ssl_config.ciphers or 
                dhparam = user_ssl_config.dhparam;
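Review bot: deleting the whole `curve = user_ssl_config.curve or "secp384r1";` line also throws away an explicitly configured `curve`, so an admin whose OpenSSL does support ECDH can no longer select one, and every installation loses ECDHE key exchange rather than only the one whose OpenSSL lacks it. A narrower change is `curve = user_ssl_config.curve;` (keep the user's value, drop only the default); better still, keep the default and have certmanager treat a failed setcurve as a warning when the curve came from the default rather than from the config, and as an error when the admin asked for it.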

This gets it.

Of course, I could just enable ECDH, but unfortunately it is not a trivial 
task on my distribution (it's EC2 Amazon Linux) - you need to build it from 
sources with some flag set, which sounds like a potential source of even 
more problems.

I've tried installing the current master of prosody and got the same 

So what do you think about it, guys? Am I doing something wrong, or should this 
be fixed? I'll be more than happy to fix it myself and pull-request, 
if we agree on how this should be dealt with. I am not very good with all 
that SSL terminology, but is it required to have curve set to something 
even if we don't intend to use ECDH?
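One way to handle the situation described in this post, written here as an added illustration rather than code from the thread or from Prosody: the default curve becomes best-effort, while a curve the admin set explicitly still aborts startup. The `context` table is a stand-in for luasec's ssl context that mimics an OpenSSL build without ECDH, so the script runs with plain `lua`.

```lua
-- Stand-in for luasec's context.setcurve on an OpenSSL built without ECDH
-- (assumption for this example; real luasec calls into OpenSSL here).
local context = {
  setcurve = function(ctx, curve)
    return nil, "OpenSSL does not support ECDH"
  end,
}

local DEFAULT_CURVE = "secp384r1"  -- the default certmanager.lua applies

-- Apply a curve to a context.
-- user_curve: the value from prosody.cfg.lua, or nil if none was given.
-- Returns true on success (or on a tolerated default failure),
-- or nil plus an error message when an explicit request cannot be honoured.
local function apply_curve(ctx, user_curve)
  local curve = user_curve or DEFAULT_CURVE
  local ok, err = context.setcurve(ctx, curve)
  if ok then return true end
  if user_curve then
    -- The admin asked for ECDH; refusing to start is the safe choice.
    return nil, ("curve %q was requested but cannot be used: %s"):format(curve, err)
  end
  -- Only the built-in default failed: warn and continue without ECDHE.
  io.stderr:write(("warning: default curve %s unavailable (%s); "
    .. "ECDHE key exchange disabled\n"):format(curve, err))
  return true
end

-- Demonstration with a dummy context object.
local ctx = {}
assert(apply_curve(ctx, nil))                 -- default only: warns, continues
local ok, err = apply_curve(ctx, "secp384r1") -- explicit request: hard failure
assert(not ok and err:find("cannot be used", 1, true))
print("ok")
```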
