prosody
0.11.11
core/certmanager.lua

Find changesets by keywords by author, files, the commit message, revision number or hash, or revset expression.

Software / code / prosody

Annotate

core/certmanager.lua @ 12089:76b4e3f12b53 0.11 0.11.11

mod_pep: Wipe pubsub service on user deletion Data is already wiped from storage, but this ensures everything is properly unsubscribed, possibly with notifications etc. Clears recipient cache as well, since it is no longer relevant.
author Kim Alvefur <zash@zash.se>
date Thu, 04 Nov 2021 01:00:06 +0100
parent 11551:aaf9c6b6d18d
child 11560:3bbb1af92514
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
3369
9a96969d4670 certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents: 3368
diff changeset
1 -- Prosody IM
9a96969d4670 certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents: 3368
diff changeset
2 -- Copyright (C) 2008-2010 Matthew Wild
9a96969d4670 certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents: 3368
diff changeset
3 -- Copyright (C) 2008-2010 Waqas Hussain
5776
bd0ff8ae98a8 Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents: 5746
diff changeset
4 --
3369
9a96969d4670 certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents: 3368
diff changeset
5 -- This project is MIT/X11 licensed. Please see the
9a96969d4670 certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents: 3368
diff changeset
6 -- COPYING file in the source package for more information.
9a96969d4670 certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents: 3368
diff changeset
7 --
9a96969d4670 certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents: 3368
diff changeset
8
6564
bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents: 6547
diff changeset
9 local softreq = require"util.dependencies".softreq;
bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents: 6547
diff changeset
10 local ssl = softreq"ssl";
bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents: 6547
diff changeset
11 if not ssl then
bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents: 6547
diff changeset
12 return {
bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents: 6547
diff changeset
13 create_context = function ()
bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents: 6547
diff changeset
14 return nil, "LuaSec (required for encryption) was not found";
bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents: 6547
diff changeset
15 end;
bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents: 6547
diff changeset
16 reload_ssl_config = function () end;
bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents: 6547
diff changeset
17 }
bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents: 6547
diff changeset
18 end
bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents: 6547
diff changeset
19
2554
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
20 local configmanager = require "core.configmanager";
2630
e8fc67b73820 certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents: 2564
diff changeset
21 local log = require "util.logger".init("certmanager");
6565
ffc0a57889aa certmanager: Add locals for ssl.context and ssl.x509
Kim Alvefur <zash@zash.se>
parents: 6564
diff changeset
22 local ssl_context = ssl.context or softreq"ssl.context";
ffc0a57889aa certmanager: Add locals for ssl.context and ssl.x509
Kim Alvefur <zash@zash.se>
parents: 6564
diff changeset
23 local ssl_x509 = ssl.x509 or softreq"ssl.x509";
6564
bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents: 6547
diff changeset
24 local ssl_newcontext = ssl.newcontext;
6293
851fb5e9fa0c core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents: 6165
diff changeset
25 local new_config = require"util.sslconfig".new;
7122
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
26 local stat = require "lfs".attributes;
2554
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
27
7160
5c1ee8c06235 certmanager: Localize tonumber
Matthew Wild <mwild1@gmail.com>
parents: 7145
diff changeset
28 local tonumber, tostring = tonumber, tostring;
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
29 local pairs = pairs;
8404
ca52d40e74da certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents: 8403
diff changeset
30 local t_remove = table.remove;
5820
6bc4077bc1f9 certmanager: Fix dhparam callback, missing imports (Testing, pfft)
Kim Alvefur <zash@zash.se>
parents: 5816
diff changeset
31 local type = type;
6bc4077bc1f9 certmanager: Fix dhparam callback, missing imports (Testing, pfft)
Kim Alvefur <zash@zash.se>
parents: 5816
diff changeset
32 local io_open = io.open;
6294
0033b021038f core.certmanager: Make create_context() support an arbitrary number of option sets, merging all
Kim Alvefur <zash@zash.se>
parents: 6293
diff changeset
33 local select = select;
2554
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
34
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
35 local prosody = prosody;
6165
6a184b16b717 core.certmanager, core.moduleapi, mod_storage_sql, mod_storage_sql2: Import from util.paths
Kim Alvefur <zash@zash.se>
parents: 6089
diff changeset
36 local resolve_path = require"util.paths".resolve_relative_path;
7531
2db68d1a6eeb certmanager: Assume default config path of '.' (fixes prosodyctl check certs when not installed)
Kim Alvefur <zash@zash.se>
parents: 7319
diff changeset
37 local config_path = prosody.paths.config or ".";
2554
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
38
11549
5a484bd050a7 core.certmanager: Test for SSL options in absence of LuaSec config
Kim Alvefur <zash@zash.se>
parents: 11548
diff changeset
39 local function test_option(option)
5a484bd050a7 core.certmanager: Test for SSL options in absence of LuaSec config
Kim Alvefur <zash@zash.se>
parents: 11548
diff changeset
40 return not not ssl_newcontext({mode="server",protocol="sslv23",options={ option }});
5a484bd050a7 core.certmanager: Test for SSL options in absence of LuaSec config
Kim Alvefur <zash@zash.se>
parents: 11548
diff changeset
41 end
5a484bd050a7 core.certmanager: Test for SSL options in absence of LuaSec config
Kim Alvefur <zash@zash.se>
parents: 11548
diff changeset
42
6564
bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents: 6547
diff changeset
43 local luasec_major, luasec_minor = ssl._VERSION:match("^(%d+)%.(%d+)");
7319
afa83f3ccaad certmanager: Explicitly tonumber() version number segments before doing arithmetic and avoid relying on implicit coercion (thanks David Favro)
Matthew Wild <mwild1@gmail.com>
parents: 7160
diff changeset
44 local luasec_version = tonumber(luasec_major) * 100 + tonumber(luasec_minor);
11548
55ef50d6cf65 core.certmanager: Attempt to directly access LuaSec config table
Kim Alvefur <zash@zash.se>
parents: 10721
diff changeset
45 local luasec_has = ssl.config or softreq"ssl.config" or {
8403
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents: 8279
diff changeset
46 algorithms = {
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents: 8279
diff changeset
47 ec = luasec_version >= 5;
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents: 8279
diff changeset
48 };
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents: 8279
diff changeset
49 capabilities = {
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents: 8279
diff changeset
50 curves_list = luasec_version >= 7;
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents: 8279
diff changeset
51 };
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents: 8279
diff changeset
52 options = {
11549
5a484bd050a7 core.certmanager: Test for SSL options in absence of LuaSec config
Kim Alvefur <zash@zash.se>
parents: 11548
diff changeset
53 cipher_server_preference = test_option("cipher_server_preference");
5a484bd050a7 core.certmanager: Test for SSL options in absence of LuaSec config
Kim Alvefur <zash@zash.se>
parents: 11548
diff changeset
54 no_ticket = test_option("no_ticket");
5a484bd050a7 core.certmanager: Test for SSL options in absence of LuaSec config
Kim Alvefur <zash@zash.se>
parents: 11548
diff changeset
55 no_compression = test_option("no_compression");
5a484bd050a7 core.certmanager: Test for SSL options in absence of LuaSec config
Kim Alvefur <zash@zash.se>
parents: 11548
diff changeset
56 single_dh_use = test_option("single_dh_use");
5a484bd050a7 core.certmanager: Test for SSL options in absence of LuaSec config
Kim Alvefur <zash@zash.se>
parents: 11548
diff changeset
57 single_ecdh_use = test_option("single_ecdh_use");
11551
aaf9c6b6d18d certmanager: Disable renegotiation by default
Matthew Wild <mwild1@gmail.com>
parents: 11549
diff changeset
58 no_renegotiation = test_option("no_renegotiation");
8403
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents: 8279
diff changeset
59 };
6566
1f396f0fe832 certmanager: Improve "detection" of features that depend on LuaSec version
Kim Alvefur <zash@zash.se>
parents: 6565
diff changeset
60 };
4899
0b8134015635 certmanager: Don't use no_ticket option before LuaSec 0.4
Matthew Wild <mwild1@gmail.com>
parents: 4890
diff changeset
61
6779
6236668da30a core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents: 6570
diff changeset
62 local _ENV = nil;
8555
4f0f5b49bb03 vairious: Add annotation when an empty environment is set [luacheck]
Kim Alvefur <zash@zash.se>
parents: 8494
diff changeset
63 -- luacheck: std none
2554
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
64
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
65 -- Global SSL options if not overridden per-host
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
66 local global_ssl_config = configmanager.get("*", "ssl");
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
67
7122
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
68 local global_certificates = configmanager.get("*", "certificates") or "certs";
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
69
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
70 local crt_try = { "", "/%s.crt", "/%s/fullchain.pem", "/%s.pem", };
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
71 local key_try = { "", "/%s.key", "/%s/privkey.pem", "/%s.pem", };
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
72
7140
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
73 local function find_cert(user_certs, name)
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
74 local certs = resolve_path(config_path, user_certs or global_certificates);
8259
db063671b73e certmanager: Add debug logging (thanks av6)
Matthew Wild <mwild1@gmail.com>
parents: 8159
diff changeset
75 log("debug", "Searching %s for a key and certificate for %s...", certs, name);
7122
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
76 for i = 1, #crt_try do
7140
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
77 local crt_path = certs .. crt_try[i]:format(name);
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
78 local key_path = certs .. key_try[i]:format(name);
7122
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
79
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
80 if stat(crt_path, "mode") == "file" then
10709
fcf7f50ccdd0 core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents: 8828
diff changeset
81 if crt_path == key_path then
fcf7f50ccdd0 core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents: 8828
diff changeset
82 if key_path:sub(-4) == ".crt" then
fcf7f50ccdd0 core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents: 8828
diff changeset
83 key_path = key_path:sub(1, -4) .. "key";
fcf7f50ccdd0 core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents: 8828
diff changeset
84 elseif key_path:sub(-13) == "fullchain.pem" then
fcf7f50ccdd0 core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents: 8828
diff changeset
85 key_path = key_path:sub(1, -14) .. "privkey.pem";
7122
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
86 end
10709
fcf7f50ccdd0 core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents: 8828
diff changeset
87 end
fcf7f50ccdd0 core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents: 8828
diff changeset
88
fcf7f50ccdd0 core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents: 8828
diff changeset
89 if stat(key_path, "mode") == "file" then
8259
db063671b73e certmanager: Add debug logging (thanks av6)
Matthew Wild <mwild1@gmail.com>
parents: 8159
diff changeset
90 log("debug", "Selecting certificate %s with key %s for %s", crt_path, key_path, name);
7145
b1a109858502 certmanager: Try filename.key if certificate is set to a full filename ending with .crt
Kim Alvefur <zash@zash.se>
parents: 7144
diff changeset
91 return { certificate = crt_path, key = key_path };
7122
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
92 end
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
93 end
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
94 end
8259
db063671b73e certmanager: Add debug logging (thanks av6)
Matthew Wild <mwild1@gmail.com>
parents: 8159
diff changeset
95 log("debug", "No certificate/key found for %s", name);
7122
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
96 end
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
97
7140
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
98 local function find_host_cert(host)
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
99 if not host then return nil; end
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
100 return find_cert(configmanager.get(host, "certificate"), host) or find_host_cert(host:match("%.(.+)$"));
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
101 end
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
102
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
103 local function find_service_cert(service, port)
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
104 local cert_config = configmanager.get("*", service.."_certificate");
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
105 if type(cert_config) == "table" then
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
106 cert_config = cert_config[port] or cert_config.default;
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
107 end
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
108 return find_cert(cert_config, service);
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
109 end
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
110
6079
5cffee5b2826 certmanager: Reformat core ssl defaults
Kim Alvefur <zash@zash.se>
parents: 6078
diff changeset
111 -- Built-in defaults
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
112 local core_defaults = {
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
113 capath = "/etc/ssl/certs";
6568
b54b33f59c6e certmanager: Limit certificate chain depth to 9
Kim Alvefur <zash@zash.se>
parents: 6567
diff changeset
114 depth = 9;
6078
30ac122acdd3 certmanager: Support ssl.protocol syntax like "tlsv1+" that disables older protocols
Kim Alvefur <zash@zash.se>
parents: 6077
diff changeset
115 protocol = "tlsv1+";
6565
ffc0a57889aa certmanager: Add locals for ssl.context and ssl.x509
Kim Alvefur <zash@zash.se>
parents: 6564
diff changeset
116 verify = (ssl_x509 and { "peer", "client_once", }) or "none";
6079
5cffee5b2826 certmanager: Reformat core ssl defaults
Kim Alvefur <zash@zash.se>
parents: 6078
diff changeset
117 options = {
8403
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents: 8279
diff changeset
118 cipher_server_preference = luasec_has.options.cipher_server_preference;
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents: 8279
diff changeset
119 no_ticket = luasec_has.options.no_ticket;
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents: 8279
diff changeset
120 no_compression = luasec_has.options.no_compression and configmanager.get("*", "ssl_compression") ~= true;
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents: 8279
diff changeset
121 single_dh_use = luasec_has.options.single_dh_use;
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents: 8279
diff changeset
122 single_ecdh_use = luasec_has.options.single_ecdh_use;
11551
aaf9c6b6d18d certmanager: Disable renegotiation by default
Matthew Wild <mwild1@gmail.com>
parents: 11549
diff changeset
123 no_renegotiation = luasec_has.options.no_renegotiation;
6079
5cffee5b2826 certmanager: Reformat core ssl defaults
Kim Alvefur <zash@zash.se>
parents: 6078
diff changeset
124 };
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
125 verifyext = { "lsec_continue", "lsec_ignore_purpose" };
8405
a3cf899fd61b certmanager: Set single curve conditioned on LuaSec advertising EC crypto support
Kim Alvefur <zash@zash.se>
parents: 8404
diff changeset
126 curve = luasec_has.algorithms.ec and not luasec_has.capabilities.curves_list and "secp384r1";
8279
92cddfe65003 core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents: 8274
diff changeset
127 curveslist = {
92cddfe65003 core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents: 8274
diff changeset
128 "X25519",
92cddfe65003 core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents: 8274
diff changeset
129 "P-384",
92cddfe65003 core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents: 8274
diff changeset
130 "P-256",
92cddfe65003 core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents: 8274
diff changeset
131 "P-521",
92cddfe65003 core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents: 8274
diff changeset
132 };
7663
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents: 7531
diff changeset
133 ciphers = { -- Enabled ciphers in order of preference:
10721
3a1b1d3084fb core.certmanager: Move EECDH ciphers before EDH in default cipherstring (fixes #1513)
Kim Alvefur <zash@zash.se>
parents: 10709
diff changeset
134 "HIGH+kEECDH", -- Ephemeral Elliptic curve Diffie-Hellman key exchange
7663
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents: 7531
diff changeset
135 "HIGH+kEDH", -- Ephemeral Diffie-Hellman key exchange, if a 'dhparam' file is set
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents: 7531
diff changeset
136 "HIGH", -- Other "High strength" ciphers
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents: 7531
diff changeset
137 -- Disabled cipher suites:
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents: 7531
diff changeset
138 "!PSK", -- Pre-Shared Key - not used for XMPP
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents: 7531
diff changeset
139 "!SRP", -- Secure Remote Password - not used for XMPP
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents: 7531
diff changeset
140 "!3DES", -- 3DES - slow and of questionable security
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents: 7531
diff changeset
141 "!aNULL", -- Ciphers that does not authenticate the connection
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents: 7531
diff changeset
142 };
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
143 }
8404
ca52d40e74da certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents: 8403
diff changeset
144
ca52d40e74da certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents: 8403
diff changeset
145 if luasec_has.curves then
ca52d40e74da certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents: 8403
diff changeset
146 for i = #core_defaults.curveslist, 1, -1 do
ca52d40e74da certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents: 8403
diff changeset
147 if not luasec_has.curves[ core_defaults.curveslist[i] ] then
ca52d40e74da certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents: 8403
diff changeset
148 t_remove(core_defaults.curveslist, i);
ca52d40e74da certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents: 8403
diff changeset
149 end
ca52d40e74da certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents: 8403
diff changeset
150 end
ca52d40e74da certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents: 8403
diff changeset
151 else
ca52d40e74da certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents: 8403
diff changeset
152 core_defaults.curveslist = nil;
ca52d40e74da certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents: 8403
diff changeset
153 end
ca52d40e74da certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents: 8403
diff changeset
154
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
155 local path_options = { -- These we pass through resolve_path()
5822
970c666c5586 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5821
diff changeset
156 key = true, certificate = true, cafile = true, capath = true, dhparam = true
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
157 }
5282
4cd57cb49f99 core.certmanager: Add support for LuaSec 0.5. Also compat with MattJs luasec-hg
Kim Alvefur <zash@zash.se>
parents: 4992
diff changeset
158
6570
70e65ac65219 certmanager: Fix compat for MattJs old LuaSec fork
Kim Alvefur <zash@zash.se>
parents: 6569
diff changeset
159 if luasec_version < 5 and ssl_x509 then
5282
4cd57cb49f99 core.certmanager: Add support for LuaSec 0.5. Also compat with MattJs luasec-hg
Kim Alvefur <zash@zash.se>
parents: 4992
diff changeset
160 -- COMPAT mw/luasec-hg
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
161 for i=1,#core_defaults.verifyext do -- Remove lsec_ prefix
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
162 core_defaults.verify[#core_defaults.verify+1] = core_defaults.verifyext[i]:sub(6);
5282
4cd57cb49f99 core.certmanager: Add support for LuaSec 0.5. Also compat with MattJs luasec-hg
Kim Alvefur <zash@zash.se>
parents: 4992
diff changeset
163 end
4cd57cb49f99 core.certmanager: Add support for LuaSec 0.5. Also compat with MattJs luasec-hg
Kim Alvefur <zash@zash.se>
parents: 4992
diff changeset
164 end
5678
b7ebeae14053 certmanager: Add single_dh_use and single_ecdh_use to default options
Matthew Wild <mwild1@gmail.com>
parents: 5676
diff changeset
165
6779
6236668da30a core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents: 6570
diff changeset
166 local function create_context(host, mode, ...)
6293
851fb5e9fa0c core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents: 6165
diff changeset
167 local cfg = new_config();
851fb5e9fa0c core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents: 6165
diff changeset
168 cfg:apply(core_defaults);
8827
1a29b56a2d63 core.certmanager: Allow all non-whitespace in service name (fixes #1019)
Kim Alvefur <zash@zash.se>
parents: 8494
diff changeset
169 local service_name, port = host:match("^(%S+) port (%d+)$");
7140
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
170 if service_name then
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
171 cfg:apply(find_service_cert(service_name, tonumber(port)));
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
172 else
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
173 cfg:apply(find_host_cert(host));
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
174 end
6293
851fb5e9fa0c core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents: 6165
diff changeset
175 cfg:apply({
851fb5e9fa0c core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents: 6165
diff changeset
176 mode = mode,
851fb5e9fa0c core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents: 6165
diff changeset
177 -- We can't read the password interactively when daemonized
851fb5e9fa0c core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents: 6165
diff changeset
178 password = function() log("error", "Encrypted certificate for %s requires 'ssl' 'password' to be set in config", host); end;
851fb5e9fa0c core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents: 6165
diff changeset
179 });
7144
f855ba7da30e certmanager: Apply global ssl config later so certificate/key is not overwritten by magic
Kim Alvefur <zash@zash.se>
parents: 7140
diff changeset
180 cfg:apply(global_ssl_config);
6076
e0713386319a certmanager: Wrap long line and add comment
Kim Alvefur <zash@zash.se>
parents: 6075
diff changeset
181
6294
0033b021038f core.certmanager: Make create_context() support an arbitrary number of option sets, merging all
Kim Alvefur <zash@zash.se>
parents: 6293
diff changeset
182 for i = select('#', ...), 1, -1 do
0033b021038f core.certmanager: Make create_context() support an arbitrary number of option sets, merging all
Kim Alvefur <zash@zash.se>
parents: 6293
diff changeset
183 cfg:apply(select(i, ...));
0033b021038f core.certmanager: Make create_context() support an arbitrary number of option sets, merging all
Kim Alvefur <zash@zash.se>
parents: 6293
diff changeset
184 end
0033b021038f core.certmanager: Make create_context() support an arbitrary number of option sets, merging all
Kim Alvefur <zash@zash.se>
parents: 6293
diff changeset
185 local user_ssl_config = cfg:final();
6293
851fb5e9fa0c core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents: 6165
diff changeset
186
851fb5e9fa0c core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents: 6165
diff changeset
187 if mode == "server" then
8494
4f75f4da6d4e certmanager: Check for missing certificate before key in configuration (should be marginally less confusing)
Kim Alvefur <zash@zash.se>
parents: 8405
diff changeset
188 if not user_ssl_config.certificate then return nil, "No certificate present in SSL/TLS configuration for "..host; end
6293
851fb5e9fa0c core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents: 6165
diff changeset
189 if not user_ssl_config.key then return nil, "No key present in SSL/TLS configuration for "..host; end
6077
6999d4415a58 certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost
Kim Alvefur <zash@zash.se>
parents: 6076
diff changeset
190 end
6999d4415a58 certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost
Kim Alvefur <zash@zash.se>
parents: 6076
diff changeset
191
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
192 for option in pairs(path_options) do
5822
970c666c5586 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5821
diff changeset
193 if type(user_ssl_config[option]) == "string" then
970c666c5586 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5821
diff changeset
194 user_ssl_config[option] = resolve_path(config_path, user_ssl_config[option]);
6903
5ff42d85d4d5 core.certmanager: Remove non-string filenames (allows setting eg capath to false to disable the built in default)
Kim Alvefur <zash@zash.se>
parents: 6779
diff changeset
195 else
5ff42d85d4d5 core.certmanager: Remove non-string filenames (allows setting eg capath to false to disable the built in default)
Kim Alvefur <zash@zash.se>
parents: 6779
diff changeset
196 user_ssl_config[option] = nil;
5822
970c666c5586 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5821
diff changeset
197 end
5816
20e2b588f8c2 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5815
diff changeset
198 end
3355
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
199
5816
20e2b588f8c2 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5815
diff changeset
200 -- LuaSec expects dhparam to be a callback that takes two arguments.
20e2b588f8c2 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5815
diff changeset
201 -- We ignore those because it is mostly used for having a separate
20e2b588f8c2 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5815
diff changeset
202 -- set of params for EXPORT ciphers, which we don't have by default.
5822
970c666c5586 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5821
diff changeset
203 if type(user_ssl_config.dhparam) == "string" then
970c666c5586 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5821
diff changeset
204 local f, err = io_open(user_ssl_config.dhparam);
5816
20e2b588f8c2 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5815
diff changeset
205 if not f then return nil, "Could not open DH parameters: "..err end
20e2b588f8c2 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5815
diff changeset
206 local dhparam = f:read("*a");
20e2b588f8c2 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5815
diff changeset
207 f:close();
5822
970c666c5586 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5821
diff changeset
208 user_ssl_config.dhparam = function() return dhparam; end
5816
20e2b588f8c2 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5815
diff changeset
209 end
20e2b588f8c2 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5815
diff changeset
210
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
211 local ctx, err = ssl_newcontext(user_ssl_config);
4359
c69cbac4178f certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents: 3670
diff changeset
212
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
213 -- COMPAT Older LuaSec ignores the cipher list from the config, so we have to take care
4359
c69cbac4178f certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents: 3670
diff changeset
214 -- of it ourselves (W/A for #x)
c69cbac4178f certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents: 3670
diff changeset
215 if ctx and user_ssl_config.ciphers then
c69cbac4178f certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents: 3670
diff changeset
216 local success;
6565
ffc0a57889aa certmanager: Add locals for ssl.context and ssl.x509
Kim Alvefur <zash@zash.se>
parents: 6564
diff changeset
217 success, err = ssl_context.setcipher(ctx, user_ssl_config.ciphers);
4359
c69cbac4178f certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents: 3670
diff changeset
218 if not success then ctx = nil; end
c69cbac4178f certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents: 3670
diff changeset
219 end
c69cbac4178f certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents: 3670
diff changeset
220
3355
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
221 if not ctx then
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
222 err = err or "invalid ssl config"
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
223 local file = err:match("^error loading (.-) %(");
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
224 if file then
7743
d018ffc9238c core.certmanager: Translate "no start line" to something friendlier (thanks santiago)
Kim Alvefur <zash@zash.se>
parents: 7663
diff changeset
225 local typ;
3355
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
226 if file == "private key" then
7743
d018ffc9238c core.certmanager: Translate "no start line" to something friendlier (thanks santiago)
Kim Alvefur <zash@zash.se>
parents: 7663
diff changeset
227 typ = file;
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
228 file = user_ssl_config.key or "your private key";
3355
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
229 elseif file == "certificate" then
7743
d018ffc9238c core.certmanager: Translate "no start line" to something friendlier (thanks santiago)
Kim Alvefur <zash@zash.se>
parents: 7663
diff changeset
230 typ = file;
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
231 file = user_ssl_config.certificate or "your certificate file";
3355
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
232 end
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
233 local reason = err:match("%((.+)%)$") or "some reason";
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
234 if reason == "Permission denied" then
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
235 reason = "Check that the permissions allow Prosody to read this file.";
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
236 elseif reason == "No such file or directory" then
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
237 reason = "Check that the path is correct, and the file exists.";
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
238 elseif reason == "system lib" then
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
239 reason = "Previous error (see logs), or other system error.";
7743
d018ffc9238c core.certmanager: Translate "no start line" to something friendlier (thanks santiago)
Kim Alvefur <zash@zash.se>
parents: 7663
diff changeset
240 elseif reason == "no start line" then
d018ffc9238c core.certmanager: Translate "no start line" to something friendlier (thanks santiago)
Kim Alvefur <zash@zash.se>
parents: 7663
diff changeset
241 reason = "Check that the file contains a "..(typ or file);
3355
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
242 elseif reason == "(null)" or not reason then
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
243 reason = "Check that the file exists and the permissions are correct";
2630
e8fc67b73820 certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents: 2564
diff changeset
244 else
3355
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
245 reason = "Reason: "..tostring(reason):lower();
2630
e8fc67b73820 certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents: 2564
diff changeset
246 end
4925
55f6e0673e33 certmanager: Add quotes around cert file path when logging.
Waqas Hussain <waqas20@gmail.com>
parents: 4900
diff changeset
247 log("error", "SSL/TLS: Failed to load '%s': %s (for %s)", file, reason, host);
3355
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
248 else
4855
a31ea431d906 certmanager: Adjust error messages to be non-specific about 'host' (so we can specify a service name instead ffor SSL)
Matthew Wild <mwild1@gmail.com>
parents: 4656
diff changeset
249 log("error", "SSL/TLS: Error initialising for %s: %s", host, err);
3355
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
250 end
3540
bc139431830b Monster whitespace commit (beware the whitespace monster).
Waqas Hussain <waqas20@gmail.com>
parents: 3402
diff changeset
251 end
6526
873538f0b18c certmanager, mod_tls: Return final ssl config as third return value (fix for c6caaa440e74, portmanager assumes non-falsy second return value is an error) (thanks deoren)
Kim Alvefur <zash@zash.se>
parents: 6520
diff changeset
252 return ctx, err, user_ssl_config;
2554
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
253 end
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
254
6779
6236668da30a core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents: 6570
diff changeset
255 local function reload_ssl_config()
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
256 global_ssl_config = configmanager.get("*", "ssl");
8159
3850993a9bda certmanager: Update the 'certificates' option after the config has been reloaded (fixes #929)
Kim Alvefur <zash@zash.se>
parents: 7743
diff changeset
257 global_certificates = configmanager.get("*", "certificates") or "certs";
8403
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents: 8279
diff changeset
258 if luasec_has.options.no_compression then
6080
b7d1607df87d certmanager: Update ssl_compression when config is reloaded
Kim Alvefur <zash@zash.se>
parents: 6079
diff changeset
259 core_defaults.options.no_compression = configmanager.get("*", "ssl_compression") ~= true;
b7d1607df87d certmanager: Update ssl_compression when config is reloaded
Kim Alvefur <zash@zash.se>
parents: 6079
diff changeset
260 end
2554
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
261 end
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
262
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
263 prosody.events.add_handler("config-reloaded", reload_ssl_config);
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
264
6779
6236668da30a core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents: 6570
diff changeset
265 return {
6236668da30a core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents: 6570
diff changeset
266 create_context = create_context;
6236668da30a core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents: 6570
diff changeset
267 reload_ssl_config = reload_ssl_config;
8274
3798955049e3 prosodyctl: cert import: Reuse function from certmanager for locating certificates and keys
Kim Alvefur <zash@zash.se>
parents: 8259
diff changeset
268 find_cert = find_cert;
6779
6236668da30a core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents: 6570
diff changeset
269 };