FS#48480 - [prosody] [lua51-sec] luasec TLS support broken after rebuild

Attached to Project: Community Packages
Opened by Hermann Zahnweh (eigengrau) - Sunday, 06 March 2016, 14:37 GMT
Last edited by Sergej Pupykin (sergej) - Wednesday, 09 March 2016, 22:13 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To Sergej Pupykin (sergej)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 9
Private No

Details

Description:
After the recent openssl rebuild, prosody TLS support has ceased to function, with prosody reporting that luasec cannot be found. Cf. log messages below. Accordingly, client authentication and s2s communication don’t work anymore, since these rely on TLS encryption.

Additional info:
- prosody 0.9.10-1
- lua51-sec 1:0.5-5
- openssl 1.0.2.g-3

Mär 06 14:18:31 eigengrau prosodyctl[354]: **************************
Mär 06 14:18:31 eigengrau prosodyctl[354]: Prosody was unable to find LuaSec
Mär 06 14:18:31 eigengrau prosodyctl[354]: This package can be obtained in the following ways:
Mär 06 14:18:31 eigengrau prosodyctl[354]: Source: http://www.inf.puc-rio.br/~brunoos/luasec/
Mär 06 14:18:31 eigengrau prosodyctl[354]: Debian/Ubuntu: http://prosody.im/download/start#debian_and_ubuntu
Mär 06 14:18:31 eigengrau prosodyctl[354]: luarocks: luarocks install luasec
Mär 06 14:18:31 eigengrau prosodyctl[354]: SSL/TLS support will not be available
Mär 06 14:18:31 eigengrau prosodyctl[354]: More help can be found on our website, at http://prosody.im/doc/depends
Mär 06 14:18:31 eigengrau prosodyctl[354]: **************************
Mär 06 14:18:30 eigengrau systemd[1]: Started XMPP (Jabber) Server.
Mär 06 14:18:30 eigengrau prosody[458]: mod_posix: Successfully daemonized to PID 458
Mär 06 14:18:31 eigengrau prosodyctl[354]: **************************
Mär 06 14:18:31 eigengrau prosodyctl[354]: Prosody was unable to find LuaSec
Mär 06 14:18:31 eigengrau prosodyctl[354]: This package can be obtained in the following ways:
Mär 06 14:18:31 eigengrau prosodyctl[354]: Source: http://www.inf.puc-rio.br/~brunoos/luasec/
Mär 06 14:18:31 eigengrau prosodyctl[354]: Debian/Ubuntu: http://prosody.im/download/start#debian_and_ubuntu
Mär 06 14:18:31 eigengrau prosodyctl[354]: luarocks: luarocks install luasec
Mär 06 14:18:31 eigengrau prosodyctl[354]: SSL/TLS support will not be available
Mär 06 14:18:31 eigengrau prosodyctl[354]: More help can be found on our website, at http://prosody.im/doc/depends
Mär 06 14:18:31 eigengrau prosodyctl[354]: **************************
Mär 06 14:18:31 eigengrau prosodyctl[354]: Started
Mär 06 14:18:31 eigengrau prosody[458]: localhost:tls: Unable to initialize TLS: LuaSec (required for encryption) was not found
Mär 06 14:18:31 eigengrau prosody[458]: localhost:tls: Unable to initialize TLS: LuaSec (required for encryption) was not found

Closed by  Sergej Pupykin (sergej)
Wednesday, 09 March 2016, 22:13 GMT
Reason for closing:  Fixed
Comment by Hermann Zahnweh (eigengrau) - Sunday, 06 March 2016, 14:39 GMT
Set prosody log levels to debug. Sadly, this yields no additional output.
Comment by Benjamin Richter (Waldteufel) - Sunday, 06 March 2016, 15:10 GMT
It seems that luasec assumes that SSLv3 is available:

~> lua5.1
Lua 5.1.5 Copyright (C) 1994-2012 Lua.org, PUC-Rio
> ssl = require('ssl')
error loading module 'ssl.core' from file '/usr/lib/lua/5.1/ssl.so':
/usr/lib/lua/5.1/ssl.so: undefined symbol: SSLv3_method
stack traceback:
[C]: ?
[C]: in function 'require'
/usr/share/lua/5.1/ssl.lua:7: in main chunk
[C]: in function 'require'
stdin:1: in main chunk
[C]: ?

I managed to work around that by building the package from source and commenting out the line in src/context.c

if (!strcmp(method, "sslv3")) return SSLv3_method();
Comment by Hermann Zahnweh (eigengrau) - Sunday, 06 March 2016, 16:30 GMT
Thank you Benjamin. Seems this may have been fixed in luasec 0.6, which has been tagged three days ago:

https://github.com/brunoos/luasec/pull/55
Comment by Benjamin Richter (Waldteufel) - Sunday, 06 March 2016, 17:03 GMT
I tried installing luasec 0.6 from luarocks and it led to other strange problems with prosody, so I would recommend backporting the patch instead of upgrading to 0.6.
Comment by Florian Bruhin (The-Compiler) - Monday, 07 March 2016, 06:45 GMT
I've had the same issue, and I can confirm Waldteufel's workaround works. Haven't tried 0.6.
Comment by Lauri Niskanen (Ape) - Monday, 07 March 2016, 08:06 GMT
Downgrading openssl fixed the issue.
Comment by Florian Bruhin (The-Compiler) - Monday, 07 March 2016, 08:08 GMT
Downgrading openssl when the upgrade fixed multiple serious security issues might not be a good idea ;)
https://lists.archlinux.org/pipermail/arch-security/2016-March/000567.html
Comment by Geert Hendrickx (ghen) - Monday, 07 March 2016, 10:53 GMT
I have no problem with protocol = "tlsv1_2" in my prosody.cfg.lua...
Comment by Levente Polyak (anthraxx) - Monday, 07 March 2016, 13:29 GMT
there is a related ticket with a patch (did not yet look at the diff, just noticed): https://bugs.archlinux.org/48426
Comment by Sergej Pupykin (sergej) - Monday, 07 March 2016, 13:50 GMT
please try lua-sec-1:0.6-1
Comment by Nils Czernia (freaknils) - Monday, 07 March 2016, 13:58 GMT
Same thing here with lua-sec-1:0.6-1
Comment by Benjamin Richter (Waldteufel) - Monday, 07 March 2016, 14:09 GMT
It's not the _same_ problem with lua-sec-1:0.6-1. Now, loading the ssl module works

~> lua5.1
Lua 5.1.5 Copyright (C) 1994-2012 Lua.org, PUC-Rio
> ssl = require('ssl')
>

but prosody still fails to establish ssl connections (even though the module is loaded!).
Comment by Geert Hendrickx (ghen) - Monday, 07 March 2016, 14:22 GMT
Unfortunately, lua-sec 1:0.6-1 broke it for me (unable to establish connection), whereas 1:0.5-5 was fine, with prosody ssl protocol="tlsv1_2".
Comment by Kai Hildebrandt (derhil) - Monday, 07 March 2016, 20:34 GMT
lua-sec 1:0.6-2: Prosody was unable to find LuaSec
Comment by Sergej Pupykin (sergej) - Monday, 07 March 2016, 22:55 GMT
lua51-sec-2:0.5.1-1 should work with protocol = "tlsv1_2"
Comment by Sergej Pupykin (sergej) - Monday, 07 March 2016, 22:56 GMT
0.6 looks incompatible with prosody
Comment by Tom (tomarchbug) - Monday, 07 March 2016, 23:21 GMT
I've tried with latest everything, and with 0.5-1. How can I get "lua51-sec-2:0.5.1-1"? There is no such package here; the latest before 0.6 was 0.5-5.
I tried setting protocol with both 0.5-5 and 0.6 and neither worked.
Also, unlike what Benjamin said, I still can't import the ssl module, even not with 0.6.

Are you sure 0.6 is broken with prosody? Has anyone reported that upstream?

Edit: managed to get 0.5.1 and can confirm it works when setting "protocol".
Comment by Sergej Pupykin (sergej) - Tuesday, 08 March 2016, 07:19 GMT
Not sure about 0.6. Built without any patches it cannot be detected by prosody.
Comment by Hermann Zahnweh (eigengrau) - Wednesday, 09 March 2016, 00:16 GMT
  • Field changed: Percent Complete (100% → 0%)
Thanks for shipping with the patch. The patch might not be ideal, though, since
it doesn’t only patch out the sslv3 method, but also sslv23. Unless I’m
mistaken, we don’t want to disable sslv23, since that protocol specifier is
actually unproblematic even when openssl doesn’t ship with ssl2 or ssl3. The
Prosody handbook states that sslv23 includes TLS (all versions).

When you leave sslv23 enabled, it seems you can actually run prosody/luasec
without hard-coding it to protocol tlsv1_2. This would be preferable, since many
servers only support tlsv1 or tlsv1_1 and s2s communications will fail
otherwise.

The handbook also states that one could also set protocol = "tlsv1+", but this
doesn’t seem to work. Do you agree that the following version of the patch might
be preferable?

https://ptpb.pw/3BzG.patch
Comment by Levente Polyak (anthraxx) - Wednesday, 09 March 2016, 00:31 GMT
Maybe I'm missing something, but what exactly was the problem with sslv23 that it got removed?

The sslv23 option provides the greatest range of compatibility, one may assume from the name that it is only ssl2 and ssl3, however that is not the case. ssl23 is still exposed in openssl and should include all available options including tlsv1, tlsv1_1, tlsv1_2.

The same also applies to the lua-sec package (not lua51-sec)
Comment by Florian Bruhin (The-Compiler) - Wednesday, 09 March 2016, 05:43 GMT
I agree with Levente here, I had to set the protocol to TLSv1 for now as Xabber (an Android client) doesn't seem to support TLSv1.2.
I'd rather not downgrade the protocol for all clients so one of them continues to work ;)
Comment by Sergej Pupykin (sergej) - Wednesday, 09 March 2016, 13:30 GMT
it looks like we should wait for prosody 0.10
it supports
protocol = "tlsv1+"
tlsv1_1+, tlsv1_2+, etc
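As an added example (not from this bug report, nor from the prosody or luasec projects): a prosody 0.9 ssl block that keeps the version-negotiating "sslv23" method discussed above and forbids SSLv2/SSLv3 through luasec's option list, which is the same thing the 0.10 "tlsv1+" shorthand expands to. Certificate paths are placeholders; it assumes luasec 0.5 option names and that an explicit options list replaces prosody's default list.

```lua
-- Pinning to one version is what several comments above fell back to.
-- It loads with the patched luasec, but peers that only speak TLS 1.0 or
-- 1.1 (many s2s servers, older clients) can no longer connect.
local pinned = {
    protocol = "tlsv1_2";
}

-- Version-flexible alternative: "sslv23" is OpenSSL's negotiate-any-version
-- method, so it does not depend on SSLv3_method() being present. The
-- options list removes the insecure versions from the negotiation.
ssl = {
    key         = "/etc/prosody/certs/example.key";  -- placeholder path
    certificate = "/etc/prosody/certs/example.crt";  -- placeholder path
    protocol    = "sslv23";
    -- An explicit list replaces prosody's defaults, so list every option
    -- you still want here (names as accepted by luasec 0.5).
    options     = { "no_sslv2", "no_sslv3", "cipher_server_preference" };
}
```

The same configuration on prosody 0.10 is written as `protocol = "tlsv1+"`, which prosody translates into "sslv23" plus the no_sslv2/no_sslv3 options internally.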
Comment by Sergej Pupykin (sergej) - Wednesday, 09 March 2016, 13:33 GMT
also you may try luasec 2:0.5.1-2
Comment by Sergej Pupykin (sergej) - Wednesday, 09 March 2016, 22:13 GMT
luasec 2:0.5.1-2 works with protocol="sslv23" with psi+ and xabber.

Did not check which protocol version was actually used.