Http upload using Prosodys mod_http_upload gives SSL error #35

Open
Mrfuyu opened this Issue Apr 11, 2016 · 3 comments

Projects

None yet

4 participants

@Mrfuyu
Mrfuyu commented Apr 11, 2016

@anurodhp You wrote in your blog that you was testing XEP-0363 with Prosody as Server. Did you use the mod_http_upload for prosody or an external component like the HttpUploadComponent? If you used the mod then is it handling the SSL request by itself or did you configure e.g. Apache to handle this?
I use simply the mod_http_upload in it's default settings from Prosody with a certificate from Let's Encrypt and i also get this error that "There was an error uploading the file to the server: SSL Error" like @tristan-k posted . Viewing a sent picture in Safari is possible.

Maybe this is a mod_http_upload problem with iOS/OSX.

I testet my https://domain.tld:5281 with
Free SSL Server Test by htbridge.com and got

​** Test For Compliance With PCI DSS Requirements **

SUPPORTED PROTOCOLS
TLSv1.0Good configuration
TLSv1.1Good configuration
TLSv1.2Good configuration

SUPPORTED CIPHERS
TLS_RSA_WITH_AES_128_CBC_SHAGood configuration
TLS_RSA_WITH_AES_256_CBC_SHAGood configuration
TLS_RSA_WITH_CAMELLIA_128_CBC_SHAGood configuration
TLS_RSA_WITH_CAMELLIA_256_CBC_SHAGood configuration
TLS_RSA_WITH_AES_128_CBC_SHA256Good configuration
TLS_RSA_WITH_AES_256_CBC_SHA256Good configuration
TLS_RSA_WITH_AES_128_GCM_SHA256Good configuration
TLS_RSA_WITH_AES_256_GCM_SHA384Good configuration

** Test For Compliance With NIST Guidelines **

SUPPORTED PROTOCOLS
TLSv1.0Good configuration
TLSv1.1Good configuration
TLSv1.2Good configuration

SUPPORTED CIPHERS
TLS_RSA_WITH_AES_128_CBC_SHAGood configuration
TLS_RSA_WITH_AES_256_CBC_SHAGood configuration
TLS_RSA_WITH_CAMELLIA_128_CBC_SHANon-compliant with NIST guidelines
TLS_RSA_WITH_CAMELLIA_256_CBC_SHANon-compliant with NIST guidelines
TLS_RSA_WITH_AES_128_CBC_SHA256Good configuration
TLS_RSA_WITH_AES_256_CBC_SHA256Good configuration
TLS_RSA_WITH_AES_128_GCM_SHA256Good configuration
TLS_RSA_WITH_AES_256_GCM_SHA384Good configuration

@Toubledix

I think it's not a mod_http_upload issue because i also have this problem with Monal but not with other Clients for iOS. It's sad that there's this error otherwise Monal would be quite nice.

@casperklein

I can confirm this. I just looked for an IOS jabber client and tried Monal. Pretty good first impression. The only negative thing I noticed was this ssl issue when trying to send an image with prosody (mod_http_upload):

May 05 21:05:46 socket debug server.lua: auto-starting ssl negotiation...
May 05 21:05:46 socket debug server.lua: attempting to start tls on tcp{client}: 0x14bdab8
May 05 21:05:46 socket debug server.lua: accepted new client connection from 79.220.xxx.xxx:49448 to 10000
May 05 21:05:46 socket debug server.lua: ssl handshake error: no shared cipher
May 05 21:05:46 socket debug server.lua: closed client handler and removed socket from list
@anurodhp
Owner
anurodhp commented May 7, 2016

Interesting, thanks for the report I think this is a good clue
"ssl handshake error: no shared cipher" . I think it might be an SSL configuration on the server.
The connections are standard iOS HTTPS connections. There isn't much I can configure short of reducing the security requirements.

his might be helpful: http://useyourloaf.com/blog/app-transport-security/
the list of requirements on this page as well:
https://infinum.co/the-capsized-eight/articles/using-app-transport-security-ios9-makes-your-apps-a-little-bit-more-secure

Specifically none of the listed ciphers are available on @Mrfuyu 's server. On a mac, try
nscurl --ats-diagnostics (your server)

to see if it works on iOS and OS X.


ATS list of requirements
Here is the list of requirements from Apple docs that ATS specifies:

The server must support at least Transport Layer Security (TLS) protocol version 1.2.
Connection ciphers are limited to those that provide forward secrecy (see the list of ciphers below.)
Certificates must be signed using a SHA256 or better signature hash algorithm, with either a 2048 bit or greater RSA key or a 256 bit or greater Elliptic-Curve (ECC) key. Invalid certificates result in a hard failure and no connection.
These are the accepted ciphers:

TLSECDHEECDSAWITHAES256GCM_SHA384
TLSECDHEECDSAWITHAES128GCM_SHA256
TLSECDHEECDSAWITHAES256CBC_SHA384
TLSECDHEECDSAWITHAES256CBC_SHA
TLSECDHEECDSAWITHAES128CBC_SHA256
TLSECDHEECDSAWITHAES128CBC_SHA
TLSECDHERSAWITHAES256GCM_SHA384
TLSECDHERSAWITHAES128GCM_SHA256
TLSECDHERSAWITHAES256CBC_SHA384
TLSECDHERSAWITHAES128CBC_SHA256
TLSECDHERSAWITHAES128CBC_SHA

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment