Hi,

On Sun, 24 Sep 2017 16:16:59 +0200 Leah Oswald <debian-b...@leahoswald.de> wrote:

> It seems that this bug occurs because the package lua5.1-sec that is a
> dependency of prosody resolves to the lua-sec package with version 0.6-3
> in debian stretch. But lua-sec with version 0.6 isn't supported by
> prosody 0.9.x. See: https://prosody.im/doc/depends
>
> It seems this issue makes prosody mostly unusable for encrypted
> connections.
I don't think this analysis is correct. I've tested connecting prosody with
jabber.ccc-mannheim.de on stretch and captured the packets. The two sides just
can't agree on a TLS cipher/curve. jabber.ccc-mannheim.de supports only ECDHE
ciphers and the secp256r1 (aka prime256v1) curve. Prosody by default allows
only the secp384r1 curve.

You can verify this with:

openssl s_client -cipher ECDHE-RSA-AES128-GCM-SHA256 -curves prime256v1 -starttls xmpp-server -connect falster.c3ma.de:xmpp-server

works

openssl s_client -cipher ECDHE-RSA-AES128-GCM-SHA256 -curves secp384r1 -starttls xmpp-server -connect falster.c3ma.de:xmpp-server

fails

You can of course argue whether allowing only secp384r1 is a good default.

Felix
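The curve mismatch Felix diagnoses can be reproduced offline, without touching any real XMPP server. The following Go program is an added example for this thread, not code from the thread, from Prosody or from Debian: it runs a TLS 1.2 handshake over an in-memory pipe between a server that accepts only secp256r1 (P-256, like jabber.ccc-mannheim.de above) and a client whose supported-groups list is configurable (P-384 only, like Prosody's default). The server certificate is a constructed, self-signed ECDSA certificate with a placeholder name; the real server used an RSA certificate, but the certificate's key curve is independent of the ECDHE group negotiated in the handshake, so the failure mode is the same. Pinning TLS 1.2 and a single ECDHE suite mirrors the `-cipher` option in the openssl commands.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway, in-memory server certificate so the
// example runs offline. The certificate's key curve (P-256 here) is unrelated
// to the ECDHE group negotiated during the handshake.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "xmpp.example.invalid"}, // constructed placeholder name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// Handshake runs one TLS 1.2 handshake over an in-memory pipe. serverCurves is
// the list of ECDHE groups the server accepts, clientCurves the list the client
// offers. It returns nil when the handshake completes and the negotiation
// error otherwise.
func Handshake(serverCurves, clientCurves []tls.CurveID) error {
	cert, err := selfSignedCert()
	if err != nil {
		return err
	}
	srvConn, cliConn := net.Pipe()
	defer cliConn.Close()

	srvCfg := &tls.Config{
		Certificates:     []tls.Certificate{cert},
		CurvePreferences: serverCurves, // e.g. P-256 only, like the remote server in the thread
		MinVersion:       tls.VersionTLS12,
		MaxVersion:       tls.VersionTLS12,
	}
	cliCfg := &tls.Config{
		// The test certificate is self-signed and never leaves this process,
		// which is the only reason verification is skipped here.
		InsecureSkipVerify: true,
		CurvePreferences:   clientCurves, // e.g. P-384 only, like Prosody's default
		MinVersion:         tls.VersionTLS12,
		MaxVersion:         tls.VersionTLS12,
		// Offer a single ECDHE suite, like openssl's -cipher option, so the
		// only way to agree is on a shared curve.
		CipherSuites: []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
	}

	srvErr := make(chan error, 1)
	go func() {
		defer srvConn.Close() // close the raw pipe end; no close_notify exchange needed
		srvErr <- tls.Server(srvConn, srvCfg).Handshake()
	}()

	cliErr := tls.Client(cliConn, cliCfg).Handshake()
	sErr := <-srvErr
	if cliErr != nil {
		return cliErr
	}
	return sErr
}

func main() {
	p256 := []tls.CurveID{tls.CurveP256}
	p384 := []tls.CurveID{tls.CurveP384}
	both := []tls.CurveID{tls.CurveP256, tls.CurveP384}
	fmt.Println("server P-256 only, client P-256:        ", Handshake(p256, p256))
	fmt.Println("server P-256 only, client P-384 only:   ", Handshake(p256, p384))
	fmt.Println("server P-256 only, client P-256 + P-384:", Handshake(p256, both))
}
```

The second case fails with a handshake-failure alert, which is what the packet capture shows between Prosody and jabber.ccc-mannheim.de; the third case shows that a client offering both groups still connects, which is the trade-off behind the question of whether secp384r1-only is a sensible default.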