Software / code / prosody
Annotate
core/certmanager.lua @ 10721:3a1b1d3084fb 0.11
core.certmanager: Move EECDH ciphers before EDH in default cipherstring (fixes #1513)
Backport of 94e341dee51c
The original intent of having kEDH before kEECDH was that if a `dhparam`
file was specified, this would be interpreted as a preference by the
admin for old and well-tested Diffie-Hellman key agreement over newer
elliptic curve ones. Otherwise the faster elliptic curve ciphersuites
would be preferred. This didn't really work as intended since this
affects the ClientHello on outgoing s2s connections, leading to some
servers using poorly configured kEDH.
With Debian shipping OpenSSL settings that enforce a higher security
level, this caused interoperability problems with servers that use DH
params smaller than 2048 bits. E.g. jabber.org at the time of this
writing has 1024 bit DH params.
MattJ says
> Curves have won, and OpenSSL is less weird about them now
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sun, 25 Aug 2019 20:22:35 +0200 |
| parent | 10709:fcf7f50ccdd0 |
| child | 10722:3ddc7c9f35dc |
| child | 11548:55ef50d6cf65 |
| rev | line source |
|---|---|
|
3369
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
1 -- Prosody IM |
|
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
2 -- Copyright (C) 2008-2010 Matthew Wild |
|
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
3 -- Copyright (C) 2008-2010 Waqas Hussain |
|
5776
bd0ff8ae98a8
Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
5746
diff
changeset
|
4 -- |
|
3369
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
5 -- This project is MIT/X11 licensed. Please see the |
|
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
6 -- COPYING file in the source package for more information. |
|
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
7 -- |
|
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
8 |
|
6564
bcf32653cab7
certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents:
6547
diff
changeset
|
9 local softreq = require"util.dependencies".softreq; |
|
bcf32653cab7
certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents:
6547
diff
changeset
|
10 local ssl = softreq"ssl"; |
|
bcf32653cab7
certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents:
6547
diff
changeset
|
11 if not ssl then |
|
bcf32653cab7
certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents:
6547
diff
changeset
|
12 return { |
|
bcf32653cab7
certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents:
6547
diff
changeset
|
13 create_context = function () |
|
bcf32653cab7
certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents:
6547
diff
changeset
|
14 return nil, "LuaSec (required for encryption) was not found"; |
|
bcf32653cab7
certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents:
6547
diff
changeset
|
15 end; |
|
bcf32653cab7
certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents:
6547
diff
changeset
|
16 reload_ssl_config = function () end; |
|
bcf32653cab7
certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents:
6547
diff
changeset
|
17 } |
|
bcf32653cab7
certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents:
6547
diff
changeset
|
18 end |
|
bcf32653cab7
certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents:
6547
diff
changeset
|
19 |
|
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
20 local configmanager = require "core.configmanager"; |
|
2630
e8fc67b73820
certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
21 local log = require "util.logger".init("certmanager"); |
|
6565
ffc0a57889aa
certmanager: Add locals for ssl.context and ssl.x509
Kim Alvefur <zash@zash.se>
parents:
6564
diff
changeset
|
22 local ssl_context = ssl.context or softreq"ssl.context"; |
|
ffc0a57889aa
certmanager: Add locals for ssl.context and ssl.x509
Kim Alvefur <zash@zash.se>
parents:
6564
diff
changeset
|
23 local ssl_x509 = ssl.x509 or softreq"ssl.x509"; |
|
6564
bcf32653cab7
certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents:
6547
diff
changeset
|
24 local ssl_newcontext = ssl.newcontext; |
|
6293
851fb5e9fa0c
core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents:
6165
diff
changeset
|
25 local new_config = require"util.sslconfig".new; |
|
7122
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
26 local stat = require "lfs".attributes; |
|
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
27 |
|
7160
5c1ee8c06235
certmanager: Localize tonumber
Matthew Wild <mwild1@gmail.com>
parents:
7145
diff
changeset
|
28 local tonumber, tostring = tonumber, tostring; |
|
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
29 local pairs = pairs; |
|
8404
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8403
diff
changeset
|
30 local t_remove = table.remove; |
|
5820
6bc4077bc1f9
certmanager: Fix dhparam callback, missing imports (Testing, pfft)
Kim Alvefur <zash@zash.se>
parents:
5816
diff
changeset
|
31 local type = type; |
|
6bc4077bc1f9
certmanager: Fix dhparam callback, missing imports (Testing, pfft)
Kim Alvefur <zash@zash.se>
parents:
5816
diff
changeset
|
32 local io_open = io.open; |
|
6294
0033b021038f
core.certmanager: Make create_context() support an arbitrary number of option sets, merging all
Kim Alvefur <zash@zash.se>
parents:
6293
diff
changeset
|
33 local select = select; |
|
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
34 |
|
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
35 local prosody = prosody; |
|
6165
6a184b16b717
core.certmanager, core.moduleapi, mod_storage_sql, mod_storage_sql2: Import from util.paths
Kim Alvefur <zash@zash.se>
parents:
6089
diff
changeset
|
36 local resolve_path = require"util.paths".resolve_relative_path; |
|
7531
2db68d1a6eeb
certmanager: Assume default config path of '.' (fixes prosodyctl check certs when not installed)
Kim Alvefur <zash@zash.se>
parents:
7319
diff
changeset
|
37 local config_path = prosody.paths.config or "."; |
|
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
38 |
|
6564
bcf32653cab7
certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents:
6547
diff
changeset
|
39 local luasec_major, luasec_minor = ssl._VERSION:match("^(%d+)%.(%d+)"); |
|
7319
afa83f3ccaad
certmanager: Explicitly tonumber() version number segments before doing arithmetic and avoid relying on implicit coercion (thanks David Favro)
Matthew Wild <mwild1@gmail.com>
parents:
7160
diff
changeset
|
40 local luasec_version = tonumber(luasec_major) * 100 + tonumber(luasec_minor); |
|
8403
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8279
diff
changeset
|
41 local luasec_has = softreq"ssl.config" or { |
|
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8279
diff
changeset
|
42 algorithms = { |
|
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8279
diff
changeset
|
43 ec = luasec_version >= 5; |
|
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8279
diff
changeset
|
44 }; |
|
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8279
diff
changeset
|
45 capabilities = { |
|
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8279
diff
changeset
|
46 curves_list = luasec_version >= 7; |
|
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8279
diff
changeset
|
47 }; |
|
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8279
diff
changeset
|
48 options = { |
|
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8279
diff
changeset
|
49 cipher_server_preference = luasec_version >= 2; |
|
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8279
diff
changeset
|
50 no_ticket = luasec_version >= 4; |
|
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8279
diff
changeset
|
51 no_compression = luasec_version >= 5; |
|
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8279
diff
changeset
|
52 single_dh_use = luasec_version >= 2; |
|
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8279
diff
changeset
|
53 single_ecdh_use = luasec_version >= 2; |
|
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8279
diff
changeset
|
54 }; |
|
6566
1f396f0fe832
certmanager: Improve "detection" of features that depend on LuaSec version
Kim Alvefur <zash@zash.se>
parents:
6565
diff
changeset
|
55 }; |
|
4899
0b8134015635
certmanager: Don't use no_ticket option before LuaSec 0.4
Matthew Wild <mwild1@gmail.com>
parents:
4890
diff
changeset
|
56 |
|
6779
6236668da30a
core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents:
6570
diff
changeset
|
57 local _ENV = nil; |
|
8555
4f0f5b49bb03
vairious: Add annotation when an empty environment is set [luacheck]
Kim Alvefur <zash@zash.se>
parents:
8494
diff
changeset
|
58 -- luacheck: std none |
|
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
59 |
|
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
60 -- Global SSL options if not overridden per-host |
|
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
61 local global_ssl_config = configmanager.get("*", "ssl"); |
|
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
62 |
|
7122
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
63 local global_certificates = configmanager.get("*", "certificates") or "certs"; |
|
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
64 |
|
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
65 local crt_try = { "", "/%s.crt", "/%s/fullchain.pem", "/%s.pem", }; |
|
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
66 local key_try = { "", "/%s.key", "/%s/privkey.pem", "/%s.pem", }; |
|
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
67 |
|
7140
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
68 local function find_cert(user_certs, name) |
|
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
69 local certs = resolve_path(config_path, user_certs or global_certificates); |
|
8259
db063671b73e
certmanager: Add debug logging (thanks av6)
Matthew Wild <mwild1@gmail.com>
parents:
8159
diff
changeset
|
70 log("debug", "Searching %s for a key and certificate for %s...", certs, name); |
|
7122
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
71 for i = 1, #crt_try do |
|
7140
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
72 local crt_path = certs .. crt_try[i]:format(name); |
|
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
73 local key_path = certs .. key_try[i]:format(name); |
|
7122
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
74 |
|
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
75 if stat(crt_path, "mode") == "file" then |
|
10709
fcf7f50ccdd0
core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents:
8828
diff
changeset
|
76 if crt_path == key_path then |
|
fcf7f50ccdd0
core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents:
8828
diff
changeset
|
77 if key_path:sub(-4) == ".crt" then |
|
fcf7f50ccdd0
core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents:
8828
diff
changeset
|
78 key_path = key_path:sub(1, -4) .. "key"; |
|
fcf7f50ccdd0
core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents:
8828
diff
changeset
|
79 elseif key_path:sub(-13) == "fullchain.pem" then |
|
fcf7f50ccdd0
core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents:
8828
diff
changeset
|
80 key_path = key_path:sub(1, -14) .. "privkey.pem"; |
|
7122
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
81 end |
|
10709
fcf7f50ccdd0
core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents:
8828
diff
changeset
|
82 end |
|
fcf7f50ccdd0
core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents:
8828
diff
changeset
|
83 |
|
fcf7f50ccdd0
core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents:
8828
diff
changeset
|
84 if stat(key_path, "mode") == "file" then |
|
8259
db063671b73e
certmanager: Add debug logging (thanks av6)
Matthew Wild <mwild1@gmail.com>
parents:
8159
diff
changeset
|
85 log("debug", "Selecting certificate %s with key %s for %s", crt_path, key_path, name); |
|
7145
b1a109858502
certmanager: Try filename.key if certificate is set to a full filename ending with .crt
Kim Alvefur <zash@zash.se>
parents:
7144
diff
changeset
|
86 return { certificate = crt_path, key = key_path }; |
|
7122
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
87 end |
|
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
88 end |
|
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
89 end |
|
8259
db063671b73e
certmanager: Add debug logging (thanks av6)
Matthew Wild <mwild1@gmail.com>
parents:
8159
diff
changeset
|
90 log("debug", "No certificate/key found for %s", name); |
|
7122
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
91 end |
|
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
92 |
|
7140
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
93 local function find_host_cert(host) |
|
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
94 if not host then return nil; end |
|
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
95 return find_cert(configmanager.get(host, "certificate"), host) or find_host_cert(host:match("%.(.+)$")); |
|
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
96 end |
|
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
97 |
|
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
98 local function find_service_cert(service, port) |
|
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
99 local cert_config = configmanager.get("*", service.."_certificate"); |
|
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
100 if type(cert_config) == "table" then |
|
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
101 cert_config = cert_config[port] or cert_config.default; |
|
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
102 end |
|
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
103 return find_cert(cert_config, service); |
|
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
104 end |
|
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
105 |
|
6079
5cffee5b2826
certmanager: Reformat core ssl defaults
Kim Alvefur <zash@zash.se>
parents:
6078
diff
changeset
|
106 -- Built-in defaults |
|
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
107 local core_defaults = { |
|
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
108 capath = "/etc/ssl/certs"; |
|
6568
b54b33f59c6e
certmanager: Limit certificate chain depth to 9
Kim Alvefur <zash@zash.se>
parents:
6567
diff
changeset
|
109 depth = 9; |
|
6078
30ac122acdd3
certmanager: Support ssl.protocol syntax like "tlsv1+" that disables older protocols
Kim Alvefur <zash@zash.se>
parents:
6077
diff
changeset
|
110 protocol = "tlsv1+"; |
|
6565
ffc0a57889aa
certmanager: Add locals for ssl.context and ssl.x509
Kim Alvefur <zash@zash.se>
parents:
6564
diff
changeset
|
111 verify = (ssl_x509 and { "peer", "client_once", }) or "none"; |
|
6079
5cffee5b2826
certmanager: Reformat core ssl defaults
Kim Alvefur <zash@zash.se>
parents:
6078
diff
changeset
|
112 options = { |
|
8403
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8279
diff
changeset
|
113 cipher_server_preference = luasec_has.options.cipher_server_preference; |
|
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8279
diff
changeset
|
114 no_ticket = luasec_has.options.no_ticket; |
|
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8279
diff
changeset
|
115 no_compression = luasec_has.options.no_compression and configmanager.get("*", "ssl_compression") ~= true; |
|
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8279
diff
changeset
|
116 single_dh_use = luasec_has.options.single_dh_use; |
|
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8279
diff
changeset
|
117 single_ecdh_use = luasec_has.options.single_ecdh_use; |
|
6079
5cffee5b2826
certmanager: Reformat core ssl defaults
Kim Alvefur <zash@zash.se>
parents:
6078
diff
changeset
|
118 }; |
|
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
119 verifyext = { "lsec_continue", "lsec_ignore_purpose" }; |
|
8405
a3cf899fd61b
certmanager: Set single curve conditioned on LuaSec advertising EC crypto support
Kim Alvefur <zash@zash.se>
parents:
8404
diff
changeset
|
120 curve = luasec_has.algorithms.ec and not luasec_has.capabilities.curves_list and "secp384r1"; |
|
8279
92cddfe65003
core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents:
8274
diff
changeset
|
121 curveslist = { |
|
92cddfe65003
core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents:
8274
diff
changeset
|
122 "X25519", |
|
92cddfe65003
core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents:
8274
diff
changeset
|
123 "P-384", |
|
92cddfe65003
core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents:
8274
diff
changeset
|
124 "P-256", |
|
92cddfe65003
core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents:
8274
diff
changeset
|
125 "P-521", |
|
92cddfe65003
core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents:
8274
diff
changeset
|
126 }; |
|
7663
54424e981796
core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents:
7531
diff
changeset
|
127 ciphers = { -- Enabled ciphers in order of preference: |
|
10721
3a1b1d3084fb
core.certmanager: Move EECDH ciphers before EDH in default cipherstring (fixes #1513)
Kim Alvefur <zash@zash.se>
parents:
10709
diff
changeset
|
128 "HIGH+kEECDH", -- Ephemeral Elliptic curve Diffie-Hellman key exchange |
|
7663
54424e981796
core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents:
7531
diff
changeset
|
129 "HIGH+kEDH", -- Ephemeral Diffie-Hellman key exchange, if a 'dhparam' file is set |
|
54424e981796
core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents:
7531
diff
changeset
|
130 "HIGH", -- Other "High strength" ciphers |
|
54424e981796
core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents:
7531
diff
changeset
|
131 -- Disabled cipher suites: |
|
54424e981796
core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents:
7531
diff
changeset
|
132 "!PSK", -- Pre-Shared Key - not used for XMPP |
|
54424e981796
core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents:
7531
diff
changeset
|
133 "!SRP", -- Secure Remote Password - not used for XMPP |
|
54424e981796
core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents:
7531
diff
changeset
|
134 "!3DES", -- 3DES - slow and of questionable security |
|
54424e981796
core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents:
7531
diff
changeset
|
135 "!aNULL", -- Ciphers that does not authenticate the connection |
|
54424e981796
core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents:
7531
diff
changeset
|
136 }; |
|
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
137 } |
|
8404
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8403
diff
changeset
|
138 |
|
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8403
diff
changeset
|
139 if luasec_has.curves then |
|
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8403
diff
changeset
|
140 for i = #core_defaults.curveslist, 1, -1 do |
|
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8403
diff
changeset
|
141 if not luasec_has.curves[ core_defaults.curveslist[i] ] then |
|
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8403
diff
changeset
|
142 t_remove(core_defaults.curveslist, i); |
|
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8403
diff
changeset
|
143 end |
|
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8403
diff
changeset
|
144 end |
|
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8403
diff
changeset
|
145 else |
|
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8403
diff
changeset
|
146 core_defaults.curveslist = nil; |
|
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8403
diff
changeset
|
147 end |
|
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8403
diff
changeset
|
148 |
|
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
149 local path_options = { -- These we pass through resolve_path() |
|
5822
970c666c5586
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5821
diff
changeset
|
150 key = true, certificate = true, cafile = true, capath = true, dhparam = true |
|
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
151 } |
|
5282
4cd57cb49f99
core.certmanager: Add support for LuaSec 0.5. Also compat with MattJs luasec-hg
Kim Alvefur <zash@zash.se>
parents:
4992
diff
changeset
|
152 |
|
6570
70e65ac65219
certmanager: Fix compat for MattJs old LuaSec fork
Kim Alvefur <zash@zash.se>
parents:
6569
diff
changeset
|
153 if luasec_version < 5 and ssl_x509 then |
|
5282
4cd57cb49f99
core.certmanager: Add support for LuaSec 0.5. Also compat with MattJs luasec-hg
Kim Alvefur <zash@zash.se>
parents:
4992
diff
changeset
|
154 -- COMPAT mw/luasec-hg |
|
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
155 for i=1,#core_defaults.verifyext do -- Remove lsec_ prefix |
|
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
156 core_defaults.verify[#core_defaults.verify+1] = core_defaults.verifyext[i]:sub(6); |
|
5282
4cd57cb49f99
core.certmanager: Add support for LuaSec 0.5. Also compat with MattJs luasec-hg
Kim Alvefur <zash@zash.se>
parents:
4992
diff
changeset
|
157 end |
|
4cd57cb49f99
core.certmanager: Add support for LuaSec 0.5. Also compat with MattJs luasec-hg
Kim Alvefur <zash@zash.se>
parents:
4992
diff
changeset
|
158 end |
|
5678
b7ebeae14053
certmanager: Add single_dh_use and single_ecdh_use to default options
Matthew Wild <mwild1@gmail.com>
parents:
5676
diff
changeset
|
159 |
|
6779
6236668da30a
core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents:
6570
diff
changeset
|
160 local function create_context(host, mode, ...) |
|
6293
851fb5e9fa0c
core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents:
6165
diff
changeset
|
161 local cfg = new_config(); |
|
851fb5e9fa0c
core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents:
6165
diff
changeset
|
162 cfg:apply(core_defaults); |
|
8827
1a29b56a2d63
core.certmanager: Allow all non-whitespace in service name (fixes #1019)
Kim Alvefur <zash@zash.se>
parents:
8494
diff
changeset
|
163 local service_name, port = host:match("^(%S+) port (%d+)$"); |
|
7140
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
164 if service_name then |
|
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
165 cfg:apply(find_service_cert(service_name, tonumber(port))); |
|
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
166 else |
|
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
167 cfg:apply(find_host_cert(host)); |
|
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
168 end |
|
6293
851fb5e9fa0c
core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents:
6165
diff
changeset
|
169 cfg:apply({ |
|
851fb5e9fa0c
core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents:
6165
diff
changeset
|
170 mode = mode, |
|
851fb5e9fa0c
core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents:
6165
diff
changeset
|
171 -- We can't read the password interactively when daemonized |
|
851fb5e9fa0c
core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents:
6165
diff
changeset
|
172 password = function() log("error", "Encrypted certificate for %s requires 'ssl' 'password' to be set in config", host); end; |
|
851fb5e9fa0c
core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents:
6165
diff
changeset
|
173 }); |
|
7144
f855ba7da30e
certmanager: Apply global ssl config later so certificate/key is not overwritten by magic
Kim Alvefur <zash@zash.se>
parents:
7140
diff
changeset
|
174 cfg:apply(global_ssl_config); |
|
6076
e0713386319a
certmanager: Wrap long line and add comment
Kim Alvefur <zash@zash.se>
parents:
6075
diff
changeset
|
175 |
|
6294
0033b021038f
core.certmanager: Make create_context() support an arbitrary number of option sets, merging all
Kim Alvefur <zash@zash.se>
parents:
6293
diff
changeset
|
176 for i = select('#', ...), 1, -1 do |
|
0033b021038f
core.certmanager: Make create_context() support an arbitrary number of option sets, merging all
Kim Alvefur <zash@zash.se>
parents:
6293
diff
changeset
|
177 cfg:apply(select(i, ...)); |
|
0033b021038f
core.certmanager: Make create_context() support an arbitrary number of option sets, merging all
Kim Alvefur <zash@zash.se>
parents:
6293
diff
changeset
|
178 end |
|
0033b021038f
core.certmanager: Make create_context() support an arbitrary number of option sets, merging all
Kim Alvefur <zash@zash.se>
parents:
6293
diff
changeset
|
179 local user_ssl_config = cfg:final(); |
|
6293
851fb5e9fa0c
core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents:
6165
diff
changeset
|
180 |
|
851fb5e9fa0c
core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents:
6165
diff
changeset
|
181 if mode == "server" then |
|
8494
4f75f4da6d4e
certmanager: Check for missing certificate before key in configuration (should be marginally less confusing)
Kim Alvefur <zash@zash.se>
parents:
8405
diff
changeset
|
182 if not user_ssl_config.certificate then return nil, "No certificate present in SSL/TLS configuration for "..host; end |
|
6293
851fb5e9fa0c
core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents:
6165
diff
changeset
|
183 if not user_ssl_config.key then return nil, "No key present in SSL/TLS configuration for "..host; end |
|
6077
6999d4415a58
certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost
Kim Alvefur <zash@zash.se>
parents:
6076
diff
changeset
|
184 end |
|
6999d4415a58
certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost
Kim Alvefur <zash@zash.se>
parents:
6076
diff
changeset
|
185 |
|
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
186 for option in pairs(path_options) do |
|
5822
970c666c5586
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5821
diff
changeset
|
187 if type(user_ssl_config[option]) == "string" then |
|
970c666c5586
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5821
diff
changeset
|
188 user_ssl_config[option] = resolve_path(config_path, user_ssl_config[option]); |
|
6903
5ff42d85d4d5
core.certmanager: Remove non-string filenames (allows setting eg capath to false to disable the built in default)
Kim Alvefur <zash@zash.se>
parents:
6779
diff
changeset
|
189 else |
|
5ff42d85d4d5
core.certmanager: Remove non-string filenames (allows setting eg capath to false to disable the built in default)
Kim Alvefur <zash@zash.se>
parents:
6779
diff
changeset
|
190 user_ssl_config[option] = nil; |
|
5822
970c666c5586
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5821
diff
changeset
|
191 end |
|
5816
20e2b588f8c2
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5815
diff
changeset
|
192 end |
|
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
193 |
|
5816
20e2b588f8c2
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5815
diff
changeset
|
194 -- LuaSec expects dhparam to be a callback that takes two arguments. |
|
20e2b588f8c2
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5815
diff
changeset
|
195 -- We ignore those because it is mostly used for having a separate |
|
20e2b588f8c2
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5815
diff
changeset
|
196 -- set of params for EXPORT ciphers, which we don't have by default. |
|
5822
970c666c5586
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5821
diff
changeset
|
197 if type(user_ssl_config.dhparam) == "string" then |
|
970c666c5586
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5821
diff
changeset
|
198 local f, err = io_open(user_ssl_config.dhparam); |
|
5816
20e2b588f8c2
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5815
diff
changeset
|
199 if not f then return nil, "Could not open DH parameters: "..err end |
|
20e2b588f8c2
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5815
diff
changeset
|
200 local dhparam = f:read("*a"); |
|
20e2b588f8c2
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5815
diff
changeset
|
201 f:close(); |
|
5822
970c666c5586
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5821
diff
changeset
|
202 user_ssl_config.dhparam = function() return dhparam; end |
|
5816
20e2b588f8c2
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5815
diff
changeset
|
203 end |
|
20e2b588f8c2
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5815
diff
changeset
|
204 |
|
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
205 local ctx, err = ssl_newcontext(user_ssl_config); |
|
4359
c69cbac4178f
certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents:
3670
diff
changeset
|
206 |
|
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
207 -- COMPAT Older LuaSec ignores the cipher list from the config, so we have to take care |
|
4359
c69cbac4178f
certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents:
3670
diff
changeset
|
208 -- of it ourselves (W/A for #x) |
|
c69cbac4178f
certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents:
3670
diff
changeset
|
209 if ctx and user_ssl_config.ciphers then |
|
c69cbac4178f
certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents:
3670
diff
changeset
|
210 local success; |
|
6565
ffc0a57889aa
certmanager: Add locals for ssl.context and ssl.x509
Kim Alvefur <zash@zash.se>
parents:
6564
diff
changeset
|
211 success, err = ssl_context.setcipher(ctx, user_ssl_config.ciphers); |
|
4359
c69cbac4178f
certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents:
3670
diff
changeset
|
212 if not success then ctx = nil; end |
|
c69cbac4178f
certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents:
3670
diff
changeset
|
213 end |
|
c69cbac4178f
certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents:
3670
diff
changeset
|
214 |
|
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
215 if not ctx then |
|
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
216 err = err or "invalid ssl config" |
|
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
217 local file = err:match("^error loading (.-) %("); |
|
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
218 if file then |
|
7743
d018ffc9238c
core.certmanager: Translate "no start line" to something friendlier (thanks santiago)
Kim Alvefur <zash@zash.se>
parents:
7663
diff
changeset
|
219 local typ; |
|
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
220 if file == "private key" then |
|
7743
d018ffc9238c
core.certmanager: Translate "no start line" to something friendlier (thanks santiago)
Kim Alvefur <zash@zash.se>
parents:
7663
diff
changeset
|
221 typ = file; |
|
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
222 file = user_ssl_config.key or "your private key"; |
|
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
223 elseif file == "certificate" then |
|
7743
d018ffc9238c
core.certmanager: Translate "no start line" to something friendlier (thanks santiago)
Kim Alvefur <zash@zash.se>
parents:
7663
diff
changeset
|
224 typ = file; |
|
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
225 file = user_ssl_config.certificate or "your certificate file"; |
|
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
226 end |
|
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
227 local reason = err:match("%((.+)%)$") or "some reason"; |
|
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
228 if reason == "Permission denied" then |
|
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
229 reason = "Check that the permissions allow Prosody to read this file."; |
|
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
230 elseif reason == "No such file or directory" then |
|
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
231 reason = "Check that the path is correct, and the file exists."; |
|
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
232 elseif reason == "system lib" then |
|
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
233 reason = "Previous error (see logs), or other system error."; |
|
7743
d018ffc9238c
core.certmanager: Translate "no start line" to something friendlier (thanks santiago)
Kim Alvefur <zash@zash.se>
parents:
7663
diff
changeset
|
234 elseif reason == "no start line" then |
|
d018ffc9238c
core.certmanager: Translate "no start line" to something friendlier (thanks santiago)
Kim Alvefur <zash@zash.se>
parents:
7663
diff
changeset
|
235 reason = "Check that the file contains a "..(typ or file); |
|
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
236 elseif reason == "(null)" or not reason then |
|
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
237 reason = "Check that the file exists and the permissions are correct"; |
|
2630
e8fc67b73820
certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
238 else |
|
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
239 reason = "Reason: "..tostring(reason):lower(); |
|
2630
e8fc67b73820
certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
240 end |
|
4925
55f6e0673e33
certmanager: Add quotes around cert file path when logging.
Waqas Hussain <waqas20@gmail.com>
parents:
4900
diff
changeset
|
241 log("error", "SSL/TLS: Failed to load '%s': %s (for %s)", file, reason, host); |
|
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
242 else |
|
4855
a31ea431d906
certmanager: Adjust error messages to be non-specific about 'host' (so we can specify a service name instead ffor SSL)
Matthew Wild <mwild1@gmail.com>
parents:
4656
diff
changeset
|
243 log("error", "SSL/TLS: Error initialising for %s: %s", host, err); |
|
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
244 end |
|
3540
bc139431830b
Monster whitespace commit (beware the whitespace monster).
Waqas Hussain <waqas20@gmail.com>
parents:
3402
diff
changeset
|
245 end |
|
6526
873538f0b18c
certmanager, mod_tls: Return final ssl config as third return value (fix for c6caaa440e74, portmanager assumes non-falsy second return value is an error) (thanks deoren)
Kim Alvefur <zash@zash.se>
parents:
6520
diff
changeset
|
246 return ctx, err, user_ssl_config; |
|
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
247 end |
|
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
248 |
|
6779
6236668da30a
core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents:
6570
diff
changeset
|
249 local function reload_ssl_config() |
|
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
250 global_ssl_config = configmanager.get("*", "ssl"); |
|
8159
3850993a9bda
certmanager: Update the 'certificates' option after the config has been reloaded (fixes #929)
Kim Alvefur <zash@zash.se>
parents:
7743
diff
changeset
|
251 global_certificates = configmanager.get("*", "certificates") or "certs"; |
|
8403
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8279
diff
changeset
|
252 if luasec_has.options.no_compression then |
|
6080
b7d1607df87d
certmanager: Update ssl_compression when config is reloaded
Kim Alvefur <zash@zash.se>
parents:
6079
diff
changeset
|
253 core_defaults.options.no_compression = configmanager.get("*", "ssl_compression") ~= true; |
|
b7d1607df87d
certmanager: Update ssl_compression when config is reloaded
Kim Alvefur <zash@zash.se>
parents:
6079
diff
changeset
|
254 end |
|
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
255 end |
|
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
256 |
|
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
257 prosody.events.add_handler("config-reloaded", reload_ssl_config); |
|
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
258 |
|
6779
6236668da30a
core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents:
6570
diff
changeset
|
259 return { |
|
6236668da30a
core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents:
6570
diff
changeset
|
260 create_context = create_context; |
|
6236668da30a
core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents:
6570
diff
changeset
|
261 reload_ssl_config = reload_ssl_config; |
|
8274
3798955049e3
prosodyctl: cert import: Reuse function from certmanager for locating certificates and keys
Kim Alvefur <zash@zash.se>
parents:
8259
diff
changeset
|
262 find_cert = find_cert; |
|
6779
6236668da30a
core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents:
6570
diff
changeset
|
263 }; |
