Re: [prosody-dev] Error when using with OpenSSL without ECDH

2014-03-20 Thread Matthew Wild
Hi Artur,

Sorry for the delay in replying, I've only just realised I've had this
draft open for nearly 4 days already.

On 16 March 2014 20:31, Artur Bekasov artur.beka...@gmail.com wrote:
> Hello prosody developers,
>
> I've faced a slight problem when trying to use Prosody with SSL.
>
> I have following in the global part of my prosody.cfg.lua:
>
> ssl = {
> key = .../ssl.key;
> certificate = .../ssl.crt;
> }
>
> When I try to start the server, it gives a few lines of this:
>
> SSL/TLS: Error initialising for ...: OpenSSL does not support ECDH
>
> Of course, I could just enable ECDH, but unfortunately it is not a trivial
> task on my distribution (it's EC2 Amazon Linux) - you need to build it from
> sources with some flag set, which sounds like a potential source of even
> more problems.

Right, RedHat and derived distributions have it disabled in OpenSSL
over patent fears: https://bugzilla.redhat.com/show_bug.cgi?id=319901

> I've tried installing the current master of prosody and got the same
> results.

I don't see an easy way for us to detect whether OpenSSL supports it
or not (but we've been discussing for a while the need for LuaSec to
be able to report capabilities to us).

> So what do you think about it, guys? Am I doing something wrong, or this
> should be fixed? I'll be more than happy to fix it myself and pull-request,
> if we agree on how this should be dealt with. I am not very good with all
> that SSL terminology, but is it required to have curve set to something even
> if we don't intend to use ECDH?

I'm not sure yet what the best solution is, though I lean towards it
being taken care of by packagers. It could for example be allowing you
to set curve = false to remove a dependency on ECDH. This doesn't
currently work, but arguably it should.

Later on we could make it automatic if LuaSec adds an API for detecting this.

Regards,
Matthew

-- 
You received this message because you are subscribed to the Google Groups 
prosody-dev group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to prosody-dev+unsubscr...@googlegroups.com.
To post to this group, send email to prosody-dev@googlegroups.com.
Visit this group at http://groups.google.com/group/prosody-dev.
For more options, visit https://groups.google.com/d/optout.
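The thread turns on whether the local OpenSSL build has EC support at all, and Matthew notes that Prosody has no easy way to detect this. The script below is an added example, not code from the thread or from Prosody: it probes the installed `openssl` binary (the real `openssl ecparam -list_curves` and `openssl ciphers` subcommands) and reports whether EC curves and ECDHE cipher suites are available, so an operator can check a distribution build before pointing Prosody at it. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or Prosody): probe the installed OpenSSL
# for the EC support that Prosody's ECDH setup relies on. Function names are
# this example's own; the openssl subcommands used are real ones.

# Returns 0 if the text in $1 (output of `openssl ecparam -list_curves`)
# names at least one curve, which openssl prints as "  name : description";
# 1 otherwise. Free of side effects so it can be tested on constructed output.
ec_curves_listed() {
    printf '%s\n' "$1" | grep -q '^ *[A-Za-z0-9_-][A-Za-z0-9_-]* *:'
}

# Returns 0 if the colon-separated cipher list in $1 (output of
# `openssl ciphers`) contains at least one ECDHE suite; 1 otherwise.
# Fixed-ECDH suites (ECDH-...) are deliberately not counted.
ecdhe_suites_present() {
    printf '%s\n' "$1" | tr ':' '\n' | grep -q '^ECDHE-'
}

# Live probes: run the real openssl binary and feed its output to the parsers
# above. Each returns 1 when openssl is missing or the feature is absent; a
# build configured without EC makes both commands fail outright.
openssl_supports_ec() {
    out=$(openssl ecparam -list_curves 2>/dev/null) || return 1
    ec_curves_listed "$out"
}

openssl_has_ecdhe_ciphers() {
    out=$(openssl ciphers 'ECDH' 2>/dev/null) || return 1
    ecdhe_suites_present "$out"
}

# Operator summary: one line per check, return 0 only when both pass, so the
# function can gate a service start from an init script.
report_ec_support() {
    status=0
    openssl version 2>/dev/null || echo "openssl binary not found"
    if openssl_supports_ec; then
        echo "EC curves: available"
    else
        echo "EC curves: NOT available (expect 'OpenSSL does not support ECDH' from Prosody)"
        status=1
    fi
    if openssl_has_ecdhe_ciphers; then
        echo "ECDHE cipher suites: available"
    else
        echo "ECDHE cipher suites: NOT available"
        status=1
    fi
    return $status
}

# Run the live checks only when invoked with --check, so the file can also be
# sourced for its functions without touching the system openssl.
if [ "${1-}" = "--check" ]; then
    report_ec_support
    exit $?
fi
```

Run it as `sh ec_check.sh --check` on the host that will run Prosody; a non-zero exit means the build lacks EC, which is exactly the situation the thread describes on RedHat-derived systems, and the fix belongs with the packager or the OpenSSL build rather than in the Prosody configuration.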


Re: [prosody-dev] Error when using with OpenSSL without ECDH

2014-03-20 Thread Luis G.F
What's your openssl version? The EC support in openssl is present in
recent versions.



On 20/03/14 15:58, Matthew Wild wrote:
> Hi Artur,
>
> Sorry for the delay in replying, I've only just realised I've had this
> draft open for nearly 4 days already.
>
> On 16 March 2014 20:31, Artur Bekasov artur.beka...@gmail.com wrote:
>> Hello prosody developers,
>>
>> I've faced a slight problem when trying to use Prosody with SSL.
>>
>> I have following in the global part of my prosody.cfg.lua:
>>
>> ssl = {
>> key = .../ssl.key;
>> certificate = .../ssl.crt;
>> }
>>
>> When I try to start the server, it gives a few lines of this:
>>
>> SSL/TLS: Error initialising for ...: OpenSSL does not support ECDH
>>
>> Of course, I could just enable ECDH, but unfortunately it is not a trivial
>> task on my distribution (it's EC2 Amazon Linux) - you need to build it from
>> sources with some flag set, which sounds like a potential source of even
>> more problems.
>
> Right, RedHat and derived distributions have it disabled in OpenSSL
> over patent fears: https://bugzilla.redhat.com/show_bug.cgi?id=319901
>
>> I've tried installing the current master of prosody and got the same
>> results.
>
> I don't see an easy way for us to detect whether OpenSSL supports it
> or not (but we've been discussing for a while the need for LuaSec to
> be able to report capabilities to us).
>
>> So what do you think about it, guys? Am I doing something wrong, or this
>> should be fixed? I'll be more than happy to fix it myself and pull-request,
>> if we agree on how this should be dealt with. I am not very good with all
>> that SSL terminology, but is it required to have curve set to something even
>> if we don't intend to use ECDH?
>
> I'm not sure yet what the best solution is, though I lean towards it
> being taken care of by packagers. It could for example be allowing you
> to set curve = false to remove a dependency on ECDH. This doesn't
> currently work, but arguably it should.
>
> Later on we could make it automatic if LuaSec adds an API for detecting this.
>
> Regards,
> Matthew
>
