prosody
0b01f40df0f9
core/certmanager.lua

Find changesets by keywords by author, files, the commit message, revision number or hash, or revset expression.

Software / code / prosody

Annotate

core/certmanager.lua @ 13854:0b01f40df0f9 13.0

mod_http_file_share: Add media-src 'self' to Content-Security-Policy header This allows certain media files to be loaded when navigated to directly in a web browser. Note that in some browsers (Chrome), the media gets transformed internally into a HTML page with some basic styles, but these are blocked due to our default-src policy of 'none' Although this could be unblocked with style-src unsafe-inline, it is not our plan to fix this, because this would have negative security implications. The reason for our CSP is to prevent the file share service from being used to host malicious HTML/CSS/JS. Yes, CSS can be malicious. Our file share service is for uploading and downloading files, it is not a substitute for website/content hosting.
author Matthew Wild <mwild1@gmail.com>
date Fri, 18 Apr 2025 12:25:06 +0100
parent 13821:4aed38a1c971
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
3369
9a96969d4670 certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents: 3368
diff changeset
1 -- Prosody IM
9a96969d4670 certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents: 3368
diff changeset
2 -- Copyright (C) 2008-2010 Matthew Wild
9a96969d4670 certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents: 3368
diff changeset
3 -- Copyright (C) 2008-2010 Waqas Hussain
5776
bd0ff8ae98a8 Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents: 5746
diff changeset
4 --
3369
9a96969d4670 certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents: 3368
diff changeset
5 -- This project is MIT/X11 licensed. Please see the
9a96969d4670 certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents: 3368
diff changeset
6 -- COPYING file in the source package for more information.
9a96969d4670 certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents: 3368
diff changeset
7 --
9a96969d4670 certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents: 3368
diff changeset
8
12972
ead41e25ebc0 core: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents: 12508
diff changeset
9 local configmanager = require "prosody.core.configmanager";
ead41e25ebc0 core: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents: 12508
diff changeset
10 local log = require "prosody.util.logger".init("certmanager");
ead41e25ebc0 core: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents: 12508
diff changeset
11 local new_config = require"prosody.net.server".tls_builder;
13115
749376d75b40 net.certmanager: Move LuaSec feature detection to net.tls_luasec
Kim Alvefur <zash@zash.se>
parents: 12972
diff changeset
12 local tls = require "prosody.net.tls_luasec";
7122
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
13 local stat = require "lfs".attributes;
2554
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
14
12972
ead41e25ebc0 core: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents: 12508
diff changeset
15 local x509 = require "prosody.util.x509";
11532
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
16 local lfs = require "lfs";
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
17
7160
5c1ee8c06235 certmanager: Localize tonumber
Matthew Wild <mwild1@gmail.com>
parents: 7145
diff changeset
18 local tonumber, tostring = tonumber, tostring;
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
19 local pairs = pairs;
8404
ca52d40e74da certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents: 8403
diff changeset
20 local t_remove = table.remove;
5820
6bc4077bc1f9 certmanager: Fix dhparam callback, missing imports (Testing, pfft)
Kim Alvefur <zash@zash.se>
parents: 5816
diff changeset
21 local type = type;
6bc4077bc1f9 certmanager: Fix dhparam callback, missing imports (Testing, pfft)
Kim Alvefur <zash@zash.se>
parents: 5816
diff changeset
22 local io_open = io.open;
6294
0033b021038f core.certmanager: Make create_context() support an arbitrary number of option sets, merging all
Kim Alvefur <zash@zash.se>
parents: 6293
diff changeset
23 local select = select;
11532
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
24 local now = os.time;
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
25 local next = next;
11538
30feeb4d9d0b core.certmanager: Catch error from lfs
Kim Alvefur <zash@zash.se>
parents: 11537
diff changeset
26 local pcall = pcall;
2554
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
27
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
28 local prosody = prosody;
12972
ead41e25ebc0 core: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents: 12508
diff changeset
29 local pathutil = require"prosody.util.paths";
11533
f97592336399 core.certmanager: Join paths with OS-aware util.paths function
Kim Alvefur <zash@zash.se>
parents: 11532
diff changeset
30 local resolve_path = pathutil.resolve_relative_path;
7531
2db68d1a6eeb certmanager: Assume default config path of '.' (fixes prosodyctl check certs when not installed)
Kim Alvefur <zash@zash.se>
parents: 7319
diff changeset
31 local config_path = prosody.paths.config or ".";
2554
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
32
6779
6236668da30a core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents: 6570
diff changeset
33 local _ENV = nil;
8555
4f0f5b49bb03 vairious: Add annotation when an empty environment is set [luacheck]
Kim Alvefur <zash@zash.se>
parents: 8494
diff changeset
34 -- luacheck: std none
2554
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
35
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
36 -- Global SSL options if not overridden per-host
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
37 local global_ssl_config = configmanager.get("*", "ssl");
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
38
7122
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
39 local global_certificates = configmanager.get("*", "certificates") or "certs";
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
40
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
41 local crt_try = { "", "/%s.crt", "/%s/fullchain.pem", "/%s.pem", };
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
42 local key_try = { "", "/%s.key", "/%s/privkey.pem", "/%s.pem", };
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
43
7140
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
44 local function find_cert(user_certs, name)
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
45 local certs = resolve_path(config_path, user_certs or global_certificates);
8259
db063671b73e certmanager: Add debug logging (thanks av6)
Matthew Wild <mwild1@gmail.com>
parents: 8159
diff changeset
46 log("debug", "Searching %s for a key and certificate for %s...", certs, name);
7122
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
47 for i = 1, #crt_try do
7140
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
48 local crt_path = certs .. crt_try[i]:format(name);
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
49 local key_path = certs .. key_try[i]:format(name);
7122
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
50
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
51 if stat(crt_path, "mode") == "file" then
10709
fcf7f50ccdd0 core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents: 8828
diff changeset
52 if crt_path == key_path then
fcf7f50ccdd0 core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents: 8828
diff changeset
53 if key_path:sub(-4) == ".crt" then
fcf7f50ccdd0 core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents: 8828
diff changeset
54 key_path = key_path:sub(1, -4) .. "key";
11531
2bd91d4a0fcf core.certmanager: Check for complete filename
Kim Alvefur <zash@zash.se>
parents: 11368
diff changeset
55 elseif key_path:sub(-14) == "/fullchain.pem" then
10709
fcf7f50ccdd0 core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents: 8828
diff changeset
56 key_path = key_path:sub(1, -14) .. "privkey.pem";
7122
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
57 end
10709
fcf7f50ccdd0 core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents: 8828
diff changeset
58 end
fcf7f50ccdd0 core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents: 8828
diff changeset
59
fcf7f50ccdd0 core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents: 8828
diff changeset
60 if stat(key_path, "mode") == "file" then
8259
db063671b73e certmanager: Add debug logging (thanks av6)
Matthew Wild <mwild1@gmail.com>
parents: 8159
diff changeset
61 log("debug", "Selecting certificate %s with key %s for %s", crt_path, key_path, name);
7145
b1a109858502 certmanager: Try filename.key if certificate is set to a full filename ending with .crt
Kim Alvefur <zash@zash.se>
parents: 7144
diff changeset
62 return { certificate = crt_path, key = key_path };
7122
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
63 end
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
64 end
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
65 end
8259
db063671b73e certmanager: Add debug logging (thanks av6)
Matthew Wild <mwild1@gmail.com>
parents: 8159
diff changeset
66 log("debug", "No certificate/key found for %s", name);
7122
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
67 end
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
68
11534
1cef62ca3e03 core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents: 11533
diff changeset
69 local function find_matching_key(cert_path)
12287
5cd075ed4fd3 core.certmanager: Relax certificate filename check #1713
Kim Alvefur <zash@zash.se>
parents: 12197
diff changeset
70 return (cert_path:gsub("%.crt$", ".key"):gsub("fullchain", "privkey"));
11534
1cef62ca3e03 core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents: 11533
diff changeset
71 end
1cef62ca3e03 core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents: 11533
diff changeset
72
11532
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
73 local function index_certs(dir, files_by_name, depth_limit)
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
74 files_by_name = files_by_name or {};
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
75 depth_limit = depth_limit or 3;
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
76 if depth_limit <= 0 then return files_by_name; end
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
77
11538
30feeb4d9d0b core.certmanager: Catch error from lfs
Kim Alvefur <zash@zash.se>
parents: 11537
diff changeset
78 local ok, iter, v, i = pcall(lfs.dir, dir);
30feeb4d9d0b core.certmanager: Catch error from lfs
Kim Alvefur <zash@zash.se>
parents: 11537
diff changeset
79 if not ok then
30feeb4d9d0b core.certmanager: Catch error from lfs
Kim Alvefur <zash@zash.se>
parents: 11537
diff changeset
80 log("error", "Error indexing certificate directory %s: %s", dir, iter);
30feeb4d9d0b core.certmanager: Catch error from lfs
Kim Alvefur <zash@zash.se>
parents: 11537
diff changeset
81 -- Return an empty index, otherwise this just triggers a nil indexing
30feeb4d9d0b core.certmanager: Catch error from lfs
Kim Alvefur <zash@zash.se>
parents: 11537
diff changeset
82 -- error, plus this function would get called again.
30feeb4d9d0b core.certmanager: Catch error from lfs
Kim Alvefur <zash@zash.se>
parents: 11537
diff changeset
83 -- Reloading the config after correcting the problem calls this again so
30feeb4d9d0b core.certmanager: Catch error from lfs
Kim Alvefur <zash@zash.se>
parents: 11537
diff changeset
84 -- that's what should be done.
30feeb4d9d0b core.certmanager: Catch error from lfs
Kim Alvefur <zash@zash.se>
parents: 11537
diff changeset
85 return {}, iter;
30feeb4d9d0b core.certmanager: Catch error from lfs
Kim Alvefur <zash@zash.se>
parents: 11537
diff changeset
86 end
30feeb4d9d0b core.certmanager: Catch error from lfs
Kim Alvefur <zash@zash.se>
parents: 11537
diff changeset
87 for file in iter, v, i do
11533
f97592336399 core.certmanager: Join paths with OS-aware util.paths function
Kim Alvefur <zash@zash.se>
parents: 11532
diff changeset
88 local full = pathutil.join(dir, file);
11532
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
89 if lfs.attributes(full, "mode") == "directory" then
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
90 if file:sub(1,1) ~= "." then
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
91 index_certs(full, files_by_name, depth_limit-1);
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
92 end
12287
5cd075ed4fd3 core.certmanager: Relax certificate filename check #1713
Kim Alvefur <zash@zash.se>
parents: 12197
diff changeset
93 elseif file:find("%.crt$") or file:find("fullchain") then -- This should catch most fullchain files
13752
49bbdc22846d certmanager: Add more debug logging around cert indexing
Matthew Wild <mwild1@gmail.com>
parents: 13703
diff changeset
94 local f, err = io_open(full);
11532
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
95 if f then
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
96 -- TODO look for chained certificates
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
97 local firstline = f:read();
12305
f8b8061461e3 core.certmanager: Ensure key exists for fullchain
Kim Alvefur <zash@zash.se>
parents: 12287
diff changeset
98 if firstline == "-----BEGIN CERTIFICATE-----" and lfs.attributes(find_matching_key(full), "mode") == "file" then
11532
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
99 f:seek("set")
13116
58e793288d9c net.tls_luasec: Expose method for loading a certificate
Kim Alvefur <zash@zash.se>
parents: 13115
diff changeset
100 local cert = tls.load_certificate(f:read("*a"))
11532
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
101 -- TODO if more than one cert is found for a name, the most recently
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
102 -- issued one should be used.
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
103 -- for now, just filter out expired certs
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
104 -- TODO also check if there's a corresponding key
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
105 if cert:validat(now()) then
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
106 local names = x509.get_identities(cert);
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
107 log("debug", "Found certificate %s with identities %q", full, names);
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
108 for name, services in pairs(names) do
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
109 -- TODO check services
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
110 if files_by_name[name] then
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
111 files_by_name[name][full] = services;
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
112 else
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
113 files_by_name[name] = { [full] = services; };
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
114 end
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
115 end
13752
49bbdc22846d certmanager: Add more debug logging around cert indexing
Matthew Wild <mwild1@gmail.com>
parents: 13703
diff changeset
116 else
49bbdc22846d certmanager: Add more debug logging around cert indexing
Matthew Wild <mwild1@gmail.com>
parents: 13703
diff changeset
117 log("debug", "Skipping expired certificate: %s", full);
11532
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
118 end
13818
8a7dbb291b02 certmanager: Improve logging for all cases where certs are skipped
Matthew Wild <mwild1@gmail.com>
parents: 13752
diff changeset
119 else
8a7dbb291b02 certmanager: Improve logging for all cases where certs are skipped
Matthew Wild <mwild1@gmail.com>
parents: 13752
diff changeset
120 log("debug", "Skipping non-certificate (based on contents): %s", full);
11532
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
121 end
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
122 f:close();
13752
49bbdc22846d certmanager: Add more debug logging around cert indexing
Matthew Wild <mwild1@gmail.com>
parents: 13703
diff changeset
123 elseif err then
13818
8a7dbb291b02 certmanager: Improve logging for all cases where certs are skipped
Matthew Wild <mwild1@gmail.com>
parents: 13752
diff changeset
124 log("debug", "Skipping file due to error: %s", err);
11532
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
125 end
13818
8a7dbb291b02 certmanager: Improve logging for all cases where certs are skipped
Matthew Wild <mwild1@gmail.com>
parents: 13752
diff changeset
126 else
8a7dbb291b02 certmanager: Improve logging for all cases where certs are skipped
Matthew Wild <mwild1@gmail.com>
parents: 13752
diff changeset
127 log("debug", "Skipping non-certificate (based on filename): %s", full);
11532
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
128 end
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
129 end
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
130 -- | hostname | filename | service |
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
131 return files_by_name;
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
132 end
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
133
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
134 local cert_index;
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
135
12104
29765ac7f72f prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents: 12099
diff changeset
136 local function find_cert_in_index(index, host)
7140
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
137 if not host then return nil; end
12104
29765ac7f72f prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents: 12099
diff changeset
138 if not index then return nil; end
12105
47c9a76cce7d core.certmanager: Check index for wildcard certs
Kim Alvefur <zash@zash.se>
parents: 12104
diff changeset
139 local wildcard_host = host:gsub("^[^.]+%.", "*.");
47c9a76cce7d core.certmanager: Check index for wildcard certs
Kim Alvefur <zash@zash.se>
parents: 12104
diff changeset
140 local certs = index[host] or index[wildcard_host];
11532
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
141 if certs then
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
142 local cert_filename, services = next(certs);
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
143 if services["*"] then
12507
e242a6e74424 core.certmanager: Expand debug messages about cert lookups in index
Kim Alvefur <zash@zash.se>
parents: 12362
diff changeset
144 log("debug", "Using cert %q from index for host %q", cert_filename, host);
11534
1cef62ca3e03 core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents: 11533
diff changeset
145 return {
1cef62ca3e03 core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents: 11533
diff changeset
146 certificate = cert_filename,
1cef62ca3e03 core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents: 11533
diff changeset
147 key = find_matching_key(cert_filename),
1cef62ca3e03 core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents: 11533
diff changeset
148 }
11532
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
149 end
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
150 end
12104
29765ac7f72f prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents: 12099
diff changeset
151 return nil
29765ac7f72f prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents: 12099
diff changeset
152 end
11532
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
153
12104
29765ac7f72f prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents: 12099
diff changeset
154 local function find_host_cert(host)
29765ac7f72f prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents: 12099
diff changeset
155 if not host then return nil; end
29765ac7f72f prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents: 12099
diff changeset
156 if not cert_index then
29765ac7f72f prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents: 12099
diff changeset
157 cert_index = index_certs(resolve_path(config_path, global_certificates));
29765ac7f72f prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents: 12099
diff changeset
158 end
29765ac7f72f prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents: 12099
diff changeset
159
29765ac7f72f prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents: 12099
diff changeset
160 return find_cert_in_index(cert_index, host) or find_cert(configmanager.get(host, "certificate"), host) or find_host_cert(host:match("%.(.+)$"));
7140
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
161 end
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
162
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
163 local function find_service_cert(service, port)
11532
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
164 if not cert_index then
11537
a09685a7b330 core.certmanager: Resolve certs path relative to config dir
Kim Alvefur <zash@zash.se>
parents: 11534
diff changeset
165 cert_index = index_certs(resolve_path(config_path, global_certificates));
11532
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
166 end
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
167 for _, certs in pairs(cert_index) do
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
168 for cert_filename, services in pairs(certs) do
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
169 if services[service] or services["*"] then
12507
e242a6e74424 core.certmanager: Expand debug messages about cert lookups in index
Kim Alvefur <zash@zash.se>
parents: 12362
diff changeset
170 log("debug", "Using cert %q from index for service %s port %d", cert_filename, service, port);
11534
1cef62ca3e03 core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents: 11533
diff changeset
171 return {
1cef62ca3e03 core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents: 11533
diff changeset
172 certificate = cert_filename,
1cef62ca3e03 core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents: 11533
diff changeset
173 key = find_matching_key(cert_filename),
1cef62ca3e03 core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents: 11533
diff changeset
174 }
11532
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
175 end
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
176 end
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
177 end
7140
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
178 local cert_config = configmanager.get("*", service.."_certificate");
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
179 if type(cert_config) == "table" then
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
180 cert_config = cert_config[port] or cert_config.default;
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
181 end
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
182 return find_cert(cert_config, service);
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
183 end
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
184
6079
5cffee5b2826 certmanager: Reformat core ssl defaults
Kim Alvefur <zash@zash.se>
parents: 6078
diff changeset
185 -- Built-in defaults
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
186 local core_defaults = {
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
187 capath = "/etc/ssl/certs";
6568
b54b33f59c6e certmanager: Limit certificate chain depth to 9
Kim Alvefur <zash@zash.se>
parents: 6567
diff changeset
188 depth = 9;
6078
30ac122acdd3 certmanager: Support ssl.protocol syntax like "tlsv1+" that disables older protocols
Kim Alvefur <zash@zash.se>
parents: 6077
diff changeset
189 protocol = "tlsv1+";
9852
6ea3cafb6ac3 core.certmanager: Do not ask for client certificates by default
Kim Alvefur <zash@zash.se>
parents: 8828
diff changeset
190 verify = "none";
6079
5cffee5b2826 certmanager: Reformat core ssl defaults
Kim Alvefur <zash@zash.se>
parents: 6078
diff changeset
191 options = {
13115
749376d75b40 net.certmanager: Move LuaSec feature detection to net.tls_luasec
Kim Alvefur <zash@zash.se>
parents: 12972
diff changeset
192 cipher_server_preference = tls.features.options.cipher_server_preference;
749376d75b40 net.certmanager: Move LuaSec feature detection to net.tls_luasec
Kim Alvefur <zash@zash.se>
parents: 12972
diff changeset
193 no_ticket = tls.features.options.no_ticket;
749376d75b40 net.certmanager: Move LuaSec feature detection to net.tls_luasec
Kim Alvefur <zash@zash.se>
parents: 12972
diff changeset
194 no_compression = tls.features.options.no_compression and configmanager.get("*", "ssl_compression") ~= true;
749376d75b40 net.certmanager: Move LuaSec feature detection to net.tls_luasec
Kim Alvefur <zash@zash.se>
parents: 12972
diff changeset
195 single_dh_use = tls.features.options.single_dh_use;
749376d75b40 net.certmanager: Move LuaSec feature detection to net.tls_luasec
Kim Alvefur <zash@zash.se>
parents: 12972
diff changeset
196 single_ecdh_use = tls.features.options.single_ecdh_use;
749376d75b40 net.certmanager: Move LuaSec feature detection to net.tls_luasec
Kim Alvefur <zash@zash.se>
parents: 12972
diff changeset
197 no_renegotiation = tls.features.options.no_renegotiation;
6079
5cffee5b2826 certmanager: Reformat core ssl defaults
Kim Alvefur <zash@zash.se>
parents: 6078
diff changeset
198 };
13115
749376d75b40 net.certmanager: Move LuaSec feature detection to net.tls_luasec
Kim Alvefur <zash@zash.se>
parents: 12972
diff changeset
199 curve = tls.features.algorithms.ec and not tls.features.capabilities.curves_list and "secp384r1";
8279
92cddfe65003 core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents: 8274
diff changeset
200 curveslist = {
92cddfe65003 core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents: 8274
diff changeset
201 "X25519",
92cddfe65003 core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents: 8274
diff changeset
202 "P-384",
92cddfe65003 core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents: 8274
diff changeset
203 "P-256",
92cddfe65003 core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents: 8274
diff changeset
204 "P-521",
92cddfe65003 core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents: 8274
diff changeset
205 };
7663
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents: 7531
diff changeset
206 ciphers = { -- Enabled ciphers in order of preference:
10721
3a1b1d3084fb core.certmanager: Move EECDH ciphers before EDH in default cipherstring (fixes #1513)
Kim Alvefur <zash@zash.se>
parents: 10709
diff changeset
207 "HIGH+kEECDH", -- Ephemeral Elliptic curve Diffie-Hellman key exchange
7663
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents: 7531
diff changeset
208 "HIGH+kEDH", -- Ephemeral Diffie-Hellman key exchange, if a 'dhparam' file is set
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents: 7531
diff changeset
209 "HIGH", -- Other "High strength" ciphers
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents: 7531
diff changeset
210 -- Disabled cipher suites:
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents: 7531
diff changeset
211 "!PSK", -- Pre-Shared Key - not used for XMPP
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents: 7531
diff changeset
212 "!SRP", -- Secure Remote Password - not used for XMPP
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents: 7531
diff changeset
213 "!3DES", -- 3DES - slow and of questionable security
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents: 7531
diff changeset
214 "!aNULL", -- Ciphers that does not authenticate the connection
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents: 7531
diff changeset
215 };
13115
749376d75b40 net.certmanager: Move LuaSec feature detection to net.tls_luasec
Kim Alvefur <zash@zash.se>
parents: 12972
diff changeset
216 dane = tls.features.capabilities.dane and configmanager.get("*", "use_dane") and { "no_ee_namechecks" };
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
217 }
8404
ca52d40e74da certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents: 8403
diff changeset
218
13503
8b68e8faab52 core.certmanager: Include ffdhe2048 from RFC 7919 as default DH param
Kim Alvefur <zash@zash.se>
parents: 13303
diff changeset
219 -- https://datatracker.ietf.org/doc/html/rfc7919#appendix-A.1
8b68e8faab52 core.certmanager: Include ffdhe2048 from RFC 7919 as default DH param
Kim Alvefur <zash@zash.se>
parents: 13303
diff changeset
220 local ffdhe2048 = [[
8b68e8faab52 core.certmanager: Include ffdhe2048 from RFC 7919 as default DH param
Kim Alvefur <zash@zash.se>
parents: 13303
diff changeset
221 -----BEGIN DH PARAMETERS-----
8b68e8faab52 core.certmanager: Include ffdhe2048 from RFC 7919 as default DH param
Kim Alvefur <zash@zash.se>
parents: 13303
diff changeset
222 MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
8b68e8faab52 core.certmanager: Include ffdhe2048 from RFC 7919 as default DH param
Kim Alvefur <zash@zash.se>
parents: 13303
diff changeset
223 +8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
8b68e8faab52 core.certmanager: Include ffdhe2048 from RFC 7919 as default DH param
Kim Alvefur <zash@zash.se>
parents: 13303
diff changeset
224 87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
8b68e8faab52 core.certmanager: Include ffdhe2048 from RFC 7919 as default DH param
Kim Alvefur <zash@zash.se>
parents: 13303
diff changeset
225 YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
8b68e8faab52 core.certmanager: Include ffdhe2048 from RFC 7919 as default DH param
Kim Alvefur <zash@zash.se>
parents: 13303
diff changeset
226 7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
8b68e8faab52 core.certmanager: Include ffdhe2048 from RFC 7919 as default DH param
Kim Alvefur <zash@zash.se>
parents: 13303
diff changeset
227 ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
8b68e8faab52 core.certmanager: Include ffdhe2048 from RFC 7919 as default DH param
Kim Alvefur <zash@zash.se>
parents: 13303
diff changeset
228 -----END DH PARAMETERS-----
8b68e8faab52 core.certmanager: Include ffdhe2048 from RFC 7919 as default DH param
Kim Alvefur <zash@zash.se>
parents: 13303
diff changeset
229 ]]
8b68e8faab52 core.certmanager: Include ffdhe2048 from RFC 7919 as default DH param
Kim Alvefur <zash@zash.se>
parents: 13303
diff changeset
230
12096
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
231 local mozilla_ssl_configs = {
12097
9c794d5f6f8d core.certmanager: Add TLS 1.3 cipher suites to Mozilla TLS presets
Kim Alvefur <zash@zash.se>
parents: 12096
diff changeset
232 -- https://wiki.mozilla.org/Security/Server_Side_TLS
13178
e689d4c45681 core.certmanager: Update Mozilla TLS config to version 5.7
Kim Alvefur <zash@zash.se>
parents: 12507
diff changeset
233 -- Version 5.7 as of 2023-07-09
12096
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
234 modern = {
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
235 protocol = "tlsv1_3";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
236 options = { cipher_server_preference = false };
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
237 ciphers = "DEFAULT"; -- TLS 1.3 uses 'ciphersuites' rather than these
12097
9c794d5f6f8d core.certmanager: Add TLS 1.3 cipher suites to Mozilla TLS presets
Kim Alvefur <zash@zash.se>
parents: 12096
diff changeset
238 curveslist = { "X25519"; "prime256v1"; "secp384r1" };
9c794d5f6f8d core.certmanager: Add TLS 1.3 cipher suites to Mozilla TLS presets
Kim Alvefur <zash@zash.se>
parents: 12096
diff changeset
239 ciphersuites = { "TLS_AES_128_GCM_SHA256"; "TLS_AES_256_GCM_SHA384"; "TLS_CHACHA20_POLY1305_SHA256" };
12096
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
240 };
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
241 intermediate = {
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
242 protocol = "tlsv1_2+";
13503
8b68e8faab52 core.certmanager: Include ffdhe2048 from RFC 7919 as default DH param
Kim Alvefur <zash@zash.se>
parents: 13303
diff changeset
243 dhparam = ffdhe2048;
12096
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
244 options = { cipher_server_preference = false };
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
245 ciphers = {
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
246 "ECDHE-ECDSA-AES128-GCM-SHA256";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
247 "ECDHE-RSA-AES128-GCM-SHA256";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
248 "ECDHE-ECDSA-AES256-GCM-SHA384";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
249 "ECDHE-RSA-AES256-GCM-SHA384";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
250 "ECDHE-ECDSA-CHACHA20-POLY1305";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
251 "ECDHE-RSA-CHACHA20-POLY1305";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
252 "DHE-RSA-AES128-GCM-SHA256";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
253 "DHE-RSA-AES256-GCM-SHA384";
13178
e689d4c45681 core.certmanager: Update Mozilla TLS config to version 5.7
Kim Alvefur <zash@zash.se>
parents: 12507
diff changeset
254 "DHE-RSA-CHACHA20-POLY1305";
12096
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
255 };
12097
9c794d5f6f8d core.certmanager: Add TLS 1.3 cipher suites to Mozilla TLS presets
Kim Alvefur <zash@zash.se>
parents: 12096
diff changeset
256 curveslist = { "X25519"; "prime256v1"; "secp384r1" };
9c794d5f6f8d core.certmanager: Add TLS 1.3 cipher suites to Mozilla TLS presets
Kim Alvefur <zash@zash.se>
parents: 12096
diff changeset
257 ciphersuites = { "TLS_AES_128_GCM_SHA256"; "TLS_AES_256_GCM_SHA384"; "TLS_CHACHA20_POLY1305_SHA256" };
12096
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
258 };
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
259 old = {
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
260 protocol = "tlsv1+";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
261 dhparam = nil; -- openssl dhparam 1024
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
262 options = { cipher_server_preference = true };
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
263 ciphers = {
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
264 "ECDHE-ECDSA-AES128-GCM-SHA256";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
265 "ECDHE-RSA-AES128-GCM-SHA256";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
266 "ECDHE-ECDSA-AES256-GCM-SHA384";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
267 "ECDHE-RSA-AES256-GCM-SHA384";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
268 "ECDHE-ECDSA-CHACHA20-POLY1305";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
269 "ECDHE-RSA-CHACHA20-POLY1305";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
270 "DHE-RSA-AES128-GCM-SHA256";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
271 "DHE-RSA-AES256-GCM-SHA384";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
272 "DHE-RSA-CHACHA20-POLY1305";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
273 "ECDHE-ECDSA-AES128-SHA256";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
274 "ECDHE-RSA-AES128-SHA256";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
275 "ECDHE-ECDSA-AES128-SHA";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
276 "ECDHE-RSA-AES128-SHA";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
277 "ECDHE-ECDSA-AES256-SHA384";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
278 "ECDHE-RSA-AES256-SHA384";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
279 "ECDHE-ECDSA-AES256-SHA";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
280 "ECDHE-RSA-AES256-SHA";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
281 "DHE-RSA-AES128-SHA256";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
282 "DHE-RSA-AES256-SHA256";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
283 "AES128-GCM-SHA256";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
284 "AES256-GCM-SHA384";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
285 "AES128-SHA256";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
286 "AES256-SHA256";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
287 "AES128-SHA";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
288 "AES256-SHA";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
289 "DES-CBC3-SHA";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
290 };
12120
0fcd80a55f15 core.certmanager: Add curveslist to 'old' Mozilla TLS preset
Kim Alvefur <zash@zash.se>
parents: 12105
diff changeset
291 curveslist = { "X25519"; "prime256v1"; "secp384r1" };
12097
9c794d5f6f8d core.certmanager: Add TLS 1.3 cipher suites to Mozilla TLS presets
Kim Alvefur <zash@zash.se>
parents: 12096
diff changeset
292 ciphersuites = { "TLS_AES_128_GCM_SHA256"; "TLS_AES_256_GCM_SHA384"; "TLS_CHACHA20_POLY1305_SHA256" };
12096
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
293 };
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
294 };
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
295
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
296
13115
749376d75b40 net.certmanager: Move LuaSec feature detection to net.tls_luasec
Kim Alvefur <zash@zash.se>
parents: 12972
diff changeset
297 if tls.features.curves then
8404
ca52d40e74da certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents: 8403
diff changeset
298 for i = #core_defaults.curveslist, 1, -1 do
13115
749376d75b40 net.certmanager: Move LuaSec feature detection to net.tls_luasec
Kim Alvefur <zash@zash.se>
parents: 12972
diff changeset
299 if not tls.features.curves[ core_defaults.curveslist[i] ] then
8404
ca52d40e74da certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents: 8403
diff changeset
300 t_remove(core_defaults.curveslist, i);
ca52d40e74da certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents: 8403
diff changeset
301 end
ca52d40e74da certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents: 8403
diff changeset
302 end
ca52d40e74da certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents: 8403
diff changeset
303 else
ca52d40e74da certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents: 8403
diff changeset
304 core_defaults.curveslist = nil;
ca52d40e74da certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents: 8403
diff changeset
305 end
ca52d40e74da certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents: 8403
diff changeset
306
6779
6236668da30a core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents: 6570
diff changeset
307 local function create_context(host, mode, ...)
6293
851fb5e9fa0c core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents: 6165
diff changeset
308 local cfg = new_config();
851fb5e9fa0c core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents: 6165
diff changeset
309 cfg:apply(core_defaults);
8827
1a29b56a2d63 core.certmanager: Allow all non-whitespace in service name (fixes #1019)
Kim Alvefur <zash@zash.se>
parents: 8494
diff changeset
310 local service_name, port = host:match("^(%S+) port (%d+)$");
11591
e7a964572f6b core.certmanager: Skip service certificate lookup for https client
Kim Alvefur <zash@zash.se>
parents: 11560
diff changeset
311 -- port 0 is used with client-only things that normally don't need certificates, e.g. https
e7a964572f6b core.certmanager: Skip service certificate lookup for https client
Kim Alvefur <zash@zash.se>
parents: 11560
diff changeset
312 if service_name and port ~= "0" then
11532
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
313 log("debug", "Automatically locating certs for service %s on port %s", service_name, port);
7140
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
314 cfg:apply(find_service_cert(service_name, tonumber(port)));
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
315 else
11532
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
316 log("debug", "Automatically locating certs for host %s", host);
7140
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
317 cfg:apply(find_host_cert(host));
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
318 end
6293
851fb5e9fa0c core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents: 6165
diff changeset
319 cfg:apply({
851fb5e9fa0c core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents: 6165
diff changeset
320 mode = mode,
851fb5e9fa0c core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents: 6165
diff changeset
321 -- We can't read the password interactively when daemonized
851fb5e9fa0c core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents: 6165
diff changeset
322 password = function() log("error", "Encrypted certificate for %s requires 'ssl' 'password' to be set in config", host); end;
851fb5e9fa0c core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents: 6165
diff changeset
323 });
12197
95d25e620dc2 core.certmanager: Use 'tls_profile' instead of 'tls_preset' to match documentation
Kim Alvefur <zash@zash.se>
parents: 12196
diff changeset
324 local profile = configmanager.get("*", "tls_profile") or "intermediate";
13291
24070d47a6e7 core.certmanager: Validate that 'tls_profile' is one of the valid values
Kim Alvefur <zash@zash.se>
parents: 13178
diff changeset
325 if mozilla_ssl_configs[profile] then
12197
95d25e620dc2 core.certmanager: Use 'tls_profile' instead of 'tls_preset' to match documentation
Kim Alvefur <zash@zash.se>
parents: 12196
diff changeset
326 cfg:apply(mozilla_ssl_configs[profile]);
13291
24070d47a6e7 core.certmanager: Validate that 'tls_profile' is one of the valid values
Kim Alvefur <zash@zash.se>
parents: 13178
diff changeset
327 elseif profile ~= "legacy" then
24070d47a6e7 core.certmanager: Validate that 'tls_profile' is one of the valid values
Kim Alvefur <zash@zash.se>
parents: 13178
diff changeset
328 log("error", "Invalid value for 'tls_profile': expected one of \"modern\", \"intermediate\" (default), \"old\" or \"legacy\" but got %q", profile);
24070d47a6e7 core.certmanager: Validate that 'tls_profile' is one of the valid values
Kim Alvefur <zash@zash.se>
parents: 13178
diff changeset
329 return nil, "Invalid configuration, 'tls_profile' had an unknown value.";
12098
9591b838e3b0 core.certmanager: Add "legacy" preset for keeping previous default settings
Kim Alvefur <zash@zash.se>
parents: 12097
diff changeset
330 end
12196
b05e0b422ff7 core.certmanager: Apply TLS preset before global settings (thanks Menel)
Kim Alvefur <zash@zash.se>
parents: 12150
diff changeset
331 cfg:apply(global_ssl_config);
6076
e0713386319a certmanager: Wrap long line and add comment
Kim Alvefur <zash@zash.se>
parents: 6075
diff changeset
332
6294
0033b021038f core.certmanager: Make create_context() support an arbitrary number of option sets, merging all
Kim Alvefur <zash@zash.se>
parents: 6293
diff changeset
333 for i = select('#', ...), 1, -1 do
0033b021038f core.certmanager: Make create_context() support an arbitrary number of option sets, merging all
Kim Alvefur <zash@zash.se>
parents: 6293
diff changeset
334 cfg:apply(select(i, ...));
0033b021038f core.certmanager: Make create_context() support an arbitrary number of option sets, merging all
Kim Alvefur <zash@zash.se>
parents: 6293
diff changeset
335 end
0033b021038f core.certmanager: Make create_context() support an arbitrary number of option sets, merging all
Kim Alvefur <zash@zash.se>
parents: 6293
diff changeset
336 local user_ssl_config = cfg:final();
6293
851fb5e9fa0c core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents: 6165
diff changeset
337
851fb5e9fa0c core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents: 6165
diff changeset
338 if mode == "server" then
10237
a36af4570b39 core.certmanager: Lower severity for tls config not having cert
Kim Alvefur <zash@zash.se>
parents: 10227
diff changeset
339 if not user_ssl_config.certificate then
13294
4a05fbda927f core.certmanager: Tweak log level of message about SNI being required
Kim Alvefur <zash@zash.se>
parents: 13292
diff changeset
340 log("debug", "No certificate present in SSL/TLS configuration for %s. SNI will be required.", host);
10237
a36af4570b39 core.certmanager: Lower severity for tls config not having cert
Kim Alvefur <zash@zash.se>
parents: 10227
diff changeset
341 end
a36af4570b39 core.certmanager: Lower severity for tls config not having cert
Kim Alvefur <zash@zash.se>
parents: 10227
diff changeset
342 if user_ssl_config.certificate and not user_ssl_config.key then return nil, "No key present in SSL/TLS configuration for "..host; end
6077
6999d4415a58 certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost
Kim Alvefur <zash@zash.se>
parents: 6076
diff changeset
343 end
6999d4415a58 certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost
Kim Alvefur <zash@zash.se>
parents: 6076
diff changeset
344
12480
7e9ebdc75ce4 net: isolate LuaSec-specifics
Jonas Schäfer <jonas@wielicki.name>
parents: 12362
diff changeset
345 local ctx, err = cfg:build();
4359
c69cbac4178f certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents: 3670
diff changeset
346
3355
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
347 if not ctx then
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
348 err = err or "invalid ssl config"
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
349 local file = err:match("^error loading (.-) %(");
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
350 if file then
7743
d018ffc9238c core.certmanager: Translate "no start line" to something friendlier (thanks santiago)
Kim Alvefur <zash@zash.se>
parents: 7663
diff changeset
351 local typ;
3355
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
352 if file == "private key" then
7743
d018ffc9238c core.certmanager: Translate "no start line" to something friendlier (thanks santiago)
Kim Alvefur <zash@zash.se>
parents: 7663
diff changeset
353 typ = file;
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
354 file = user_ssl_config.key or "your private key";
3355
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
355 elseif file == "certificate" then
7743
d018ffc9238c core.certmanager: Translate "no start line" to something friendlier (thanks santiago)
Kim Alvefur <zash@zash.se>
parents: 7663
diff changeset
356 typ = file;
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
357 file = user_ssl_config.certificate or "your certificate file";
3355
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
358 end
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
359 local reason = err:match("%((.+)%)$") or "some reason";
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
360 if reason == "Permission denied" then
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
361 reason = "Check that the permissions allow Prosody to read this file.";
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
362 elseif reason == "No such file or directory" then
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
363 reason = "Check that the path is correct, and the file exists.";
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
364 elseif reason == "system lib" then
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
365 reason = "Previous error (see logs), or other system error.";
7743
d018ffc9238c core.certmanager: Translate "no start line" to something friendlier (thanks santiago)
Kim Alvefur <zash@zash.se>
parents: 7663
diff changeset
366 elseif reason == "no start line" then
d018ffc9238c core.certmanager: Translate "no start line" to something friendlier (thanks santiago)
Kim Alvefur <zash@zash.se>
parents: 7663
diff changeset
367 reason = "Check that the file contains a "..(typ or file);
3355
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
368 elseif reason == "(null)" or not reason then
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
369 reason = "Check that the file exists and the permissions are correct";
2630
e8fc67b73820 certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents: 2564
diff changeset
370 else
3355
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
371 reason = "Reason: "..tostring(reason):lower();
2630
e8fc67b73820 certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents: 2564
diff changeset
372 end
4925
55f6e0673e33 certmanager: Add quotes around cert file path when logging.
Waqas Hussain <waqas20@gmail.com>
parents: 4900
diff changeset
373 log("error", "SSL/TLS: Failed to load '%s': %s (for %s)", file, reason, host);
3355
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
374 else
4855
a31ea431d906 certmanager: Adjust error messages to be non-specific about 'host' (so we can specify a service name instead ffor SSL)
Matthew Wild <mwild1@gmail.com>
parents: 4656
diff changeset
375 log("error", "SSL/TLS: Error initialising for %s: %s", host, err);
3355
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
376 end
3540
bc139431830b Monster whitespace commit (beware the whitespace monster).
Waqas Hussain <waqas20@gmail.com>
parents: 3402
diff changeset
377 end
6526
873538f0b18c certmanager, mod_tls: Return final ssl config as third return value (fix for c6caaa440e74, portmanager assumes non-falsy second return value is an error) (thanks deoren)
Kim Alvefur <zash@zash.se>
parents: 6520
diff changeset
378 return ctx, err, user_ssl_config;
2554
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
379 end
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
380
6779
6236668da30a core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents: 6570
diff changeset
381 local function reload_ssl_config()
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
382 global_ssl_config = configmanager.get("*", "ssl");
8159
3850993a9bda certmanager: Update the 'certificates' option after the config has been reloaded (fixes #929)
Kim Alvefur <zash@zash.se>
parents: 7743
diff changeset
383 global_certificates = configmanager.get("*", "certificates") or "certs";
13115
749376d75b40 net.certmanager: Move LuaSec feature detection to net.tls_luasec
Kim Alvefur <zash@zash.se>
parents: 12972
diff changeset
384 if tls.features.options.no_compression then
6080
b7d1607df87d certmanager: Update ssl_compression when config is reloaded
Kim Alvefur <zash@zash.se>
parents: 6079
diff changeset
385 core_defaults.options.no_compression = configmanager.get("*", "ssl_compression") ~= true;
b7d1607df87d certmanager: Update ssl_compression when config is reloaded
Kim Alvefur <zash@zash.se>
parents: 6079
diff changeset
386 end
13303
05c0ac580552 core.certmanager: Handle dane context setting same way on reload as on initialization
Kim Alvefur <zash@zash.se>
parents: 13294
diff changeset
387 if not configmanager.get("*", "use_dane") then
05c0ac580552 core.certmanager: Handle dane context setting same way on reload as on initialization
Kim Alvefur <zash@zash.se>
parents: 13294
diff changeset
388 core_defaults.dane = false;
05c0ac580552 core.certmanager: Handle dane context setting same way on reload as on initialization
Kim Alvefur <zash@zash.se>
parents: 13294
diff changeset
389 elseif tls.features.capabilities.dane then
05c0ac580552 core.certmanager: Handle dane context setting same way on reload as on initialization
Kim Alvefur <zash@zash.se>
parents: 13294
diff changeset
390 core_defaults.dane = { "no_ee_namechecks" };
05c0ac580552 core.certmanager: Handle dane context setting same way on reload as on initialization
Kim Alvefur <zash@zash.se>
parents: 13294
diff changeset
391 else
05c0ac580552 core.certmanager: Handle dane context setting same way on reload as on initialization
Kim Alvefur <zash@zash.se>
parents: 13294
diff changeset
392 core_defaults.dane = true;
05c0ac580552 core.certmanager: Handle dane context setting same way on reload as on initialization
Kim Alvefur <zash@zash.se>
parents: 13294
diff changeset
393 end
11537
a09685a7b330 core.certmanager: Resolve certs path relative to config dir
Kim Alvefur <zash@zash.se>
parents: 11534
diff changeset
394 cert_index = index_certs(resolve_path(config_path, global_certificates));
2554
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
395 end
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
396
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
397 prosody.events.add_handler("config-reloaded", reload_ssl_config);
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
398
6779
6236668da30a core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents: 6570
diff changeset
399 return {
6236668da30a core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents: 6570
diff changeset
400 create_context = create_context;
6236668da30a core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents: 6570
diff changeset
401 reload_ssl_config = reload_ssl_config;
8274
3798955049e3 prosodyctl: cert import: Reuse function from certmanager for locating certificates and keys
Kim Alvefur <zash@zash.se>
parents: 8259
diff changeset
402 find_cert = find_cert;
12104
29765ac7f72f prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents: 12099
diff changeset
403 index_certs = index_certs;
10463
fbeb7a3fc4eb core.portmanager: Fix TLS context inheritance for SNI hosts (completes SNI support)
Kim Alvefur <zash@zash.se>
parents: 10237
diff changeset
404 find_host_cert = find_host_cert;
12104
29765ac7f72f prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents: 12099
diff changeset
405 find_cert_in_index = find_cert_in_index;
6779
6236668da30a core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents: 6570
diff changeset
406 };