Hi Artur,

Sorry for the delay in replying, I've only just realised I've had this
draft open for nearly 4 days already.

On 16 March 2014 20:31, Artur Bekasov <artur.beka...@gmail.com> wrote:
> Hello prosody developers,
>
> I've faced a slight problem when trying to use Prosody with SSL.
>
> I have the following in the global part of my prosody.cfg.lua:
>
> ssl = {
>         key = ".../ssl.key";
>         certificate = ".../ssl.crt";
> }
>
>
> When I try to start the server, it gives a few lines of this:
>
> SSL/TLS: Error initialising for ...: OpenSSL does not support ECDH
>
> Of course, I could just enable ECDH, but unfortunately it is not a trivial
> task on my distribution (it's EC2 Amazon Linux) - you need to build it from
> sources with some flag set, which sounds like a potential source of even
> more problems.

Right, RedHat and derived distributions have it disabled in OpenSSL
over patent fears: https://bugzilla.redhat.com/show_bug.cgi?id=319901

> I've tried installing the current master of prosody and got the same
> results.

I don't see an easy way for us to detect whether OpenSSL supports it
or not (but we've been discussing for a while the need for LuaSec to
be able to report capabilities to us).

> So what do you think about it, guys? Am I doing something wrong, or should
> this be fixed? I'll be more than happy to fix it myself and pull-request,
> if we agree on how this should be dealt with. I am not very good with all
> that SSL terminology, but is it required to have curve set to something even
> if we don't intend to use ECDH?

I'm not sure yet what the best solution is, though I lean towards it
being taken care of by packagers. It could for example be allowing you
to set curve = false to remove a dependency on ECDH. This doesn't
currently work, but arguably it should.

Later on we could make it automatic if LuaSec adds an API for detecting this.

Regards,
Matthew
