Hi Artur,

Sorry for the delay in replying, I've only just realised I've had this
draft open for nearly 4 days already.

On 16 March 2014 20:31, Artur Bekasov <artur.beka...@gmail.com> wrote:
> Hello prosody developers,
> I've faced a slight problem when trying to use Prosody with SSL.
> I have the following in the global part of my prosody.cfg.lua:
> ssl = {
>         key = ".../ssl.key";
>         certificate = ".../ssl.crt";
> }
> When I try to start the server, it gives a few lines of this:
> SSL/TLS: Error initialising for ...: OpenSSL does not support ECDH

> Of course, I could just enable ECDH, but unfortunately it is not a trivial
> task on my distribution (it's EC2 Amazon Linux) - you need to build it from
> sources with some flag set, which sounds like a potential source of even
> more problems.

Right, RedHat and derived distributions have it disabled in OpenSSL
over patent fears: https://bugzilla.redhat.com/show_bug.cgi?id=319901

> I've tried installing the current master of prosody and got the same
> results.

I don't see an easy way for us to detect whether OpenSSL supports it
or not (but we've been discussing for a while the need for LuaSec to
be able to report capabilities to us).

> So what do you think about it, guys? Am I doing something wrong, or should
> this be fixed? I'll be more than happy to fix it myself and pull-request,
> if we agree on how this should be dealt with. I am not very good with all
> that SSL terminology, but is it required to have curve set to something even
> if we don't intend to use ECDH?

I'm not sure yet what the best solution is, though I lean towards it
being taken care of by packagers. It could for example be allowing you
to set curve = false to remove a dependency on ECDH. This doesn't
currently work, but arguably it should.

Later on we could make it automatic if LuaSec adds an API for detecting this.
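
An operator-side check for the situation discussed in this thread, as an added example that is not part of the original messages or of Prosody's code: it counts the cipher suites with ECDH key exchange in `openssl ciphers -v` output. The two sample listings are constructed, and it assumes the `openssl` command is built from the same OpenSSL that LuaSec links against.

```shell
#!/bin/sh
# Added example (not from the thread): does an OpenSSL build offer ECDH?

# Count cipher suites whose key exchange is ECDH in `openssl ciphers -v`
# output read from stdin. The Kx= column reads Kx=ECDH for ephemeral ECDH
# and Kx=ECDH/RSA or Kx=ECDH/ECDSA for static ECDH suites.
count_ecdh_suites() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^Kx=ECDH/) { n++; break } }
         END { print n + 0 }'
}

# Report on the cipher listing on stdin; return status 0 means ECDH is there.
report_ecdh() {
    n=$(count_ecdh_suites)
    if [ "$n" -gt 0 ]; then
        echo "ECDH key exchange available ($n suites)"
        return 0
    fi
    echo "no ECDH suites in this OpenSSL build"
    return 1
}

# Constructed sample listings (shortened), one with EC support and one without.
SAMPLE_WITH_EC='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES128-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(128) Mac=SHA1'

SAMPLE_NO_EC='DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1'

printf '%s\n' "$SAMPLE_WITH_EC" | report_ecdh || true
printf '%s\n' "$SAMPLE_NO_EC" | report_ecdh || true

# Same check against the OpenSSL installed on this host, if there is one.
if command -v openssl >/dev/null 2>&1; then
    openssl ciphers -v 'ALL' 2>/dev/null | report_ecdh || true
fi
```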

