Annotate

core/certmanager.lua @ 13090:3cea237f9d1d 0.12

mod_csi_simple: Clear delayed active mode timer on disable It should not be there afterwards. Noticed that it seems to fire some time after resumption claiming that the queue size is nil, implying that it may hold a reference to an expired session somehow.
author Kim Alvefur <zash@zash.se>
date Mon, 01 May 2023 14:52:38 +0200
parent 12507:e242a6e74424
child 12508:e6cfd0a6f0da
child 13178:e689d4c45681
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
3369
9a96969d4670 certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents: 3368
diff changeset
1 -- Prosody IM
9a96969d4670 certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents: 3368
diff changeset
2 -- Copyright (C) 2008-2010 Matthew Wild
9a96969d4670 certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents: 3368
diff changeset
3 -- Copyright (C) 2008-2010 Waqas Hussain
5776
bd0ff8ae98a8 Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents: 5746
diff changeset
4 --
3369
9a96969d4670 certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents: 3368
diff changeset
5 -- This project is MIT/X11 licensed. Please see the
9a96969d4670 certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents: 3368
diff changeset
6 -- COPYING file in the source package for more information.
9a96969d4670 certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents: 3368
diff changeset
7 --
9a96969d4670 certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents: 3368
diff changeset
8
12331
49739369dcad core.certmanager: Turn soft dependency on LuaSec into a hard
Kim Alvefur <zash@zash.se>
parents: 12287
diff changeset
9 local ssl = require "ssl";
2554
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
10 local configmanager = require "core.configmanager";
2630
e8fc67b73820 certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents: 2564
diff changeset
11 local log = require "util.logger".init("certmanager");
12331
49739369dcad core.certmanager: Turn soft dependency on LuaSec into a hard
Kim Alvefur <zash@zash.se>
parents: 12287
diff changeset
12 local ssl_context = ssl.context or require "ssl.context";
6564
bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents: 6547
diff changeset
13 local ssl_newcontext = ssl.newcontext;
6293
851fb5e9fa0c core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents: 6165
diff changeset
14 local new_config = require"util.sslconfig".new;
7122
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
15 local stat = require "lfs".attributes;
2554
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
16
11532
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
17 local x509 = require "util.x509";
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
18 local lfs = require "lfs";
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
19
7160
5c1ee8c06235 certmanager: Localize tonumber
Matthew Wild <mwild1@gmail.com>
parents: 7145
diff changeset
20 local tonumber, tostring = tonumber, tostring;
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
21 local pairs = pairs;
8404
ca52d40e74da certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents: 8403
diff changeset
22 local t_remove = table.remove;
5820
6bc4077bc1f9 certmanager: Fix dhparam callback, missing imports (Testing, pfft)
Kim Alvefur <zash@zash.se>
parents: 5816
diff changeset
23 local type = type;
6bc4077bc1f9 certmanager: Fix dhparam callback, missing imports (Testing, pfft)
Kim Alvefur <zash@zash.se>
parents: 5816
diff changeset
24 local io_open = io.open;
6294
0033b021038f core.certmanager: Make create_context() support an arbitrary number of option sets, merging all
Kim Alvefur <zash@zash.se>
parents: 6293
diff changeset
25 local select = select;
11532
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
26 local now = os.time;
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
27 local next = next;
11538
30feeb4d9d0b core.certmanager: Catch error from lfs
Kim Alvefur <zash@zash.se>
parents: 11537
diff changeset
28 local pcall = pcall;
2554
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
29
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
30 local prosody = prosody;
11533
f97592336399 core.certmanager: Join paths with OS-aware util.paths function
Kim Alvefur <zash@zash.se>
parents: 11532
diff changeset
31 local pathutil = require"util.paths";
f97592336399 core.certmanager: Join paths with OS-aware util.paths function
Kim Alvefur <zash@zash.se>
parents: 11532
diff changeset
32 local resolve_path = pathutil.resolve_relative_path;
7531
2db68d1a6eeb certmanager: Assume default config path of '.' (fixes prosodyctl check certs when not installed)
Kim Alvefur <zash@zash.se>
parents: 7319
diff changeset
33 local config_path = prosody.paths.config or ".";
2554
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
34
11549
5a484bd050a7 core.certmanager: Test for SSL options in absence of LuaSec config
Kim Alvefur <zash@zash.se>
parents: 11548
diff changeset
35 local function test_option(option)
5a484bd050a7 core.certmanager: Test for SSL options in absence of LuaSec config
Kim Alvefur <zash@zash.se>
parents: 11548
diff changeset
36 return not not ssl_newcontext({mode="server",protocol="sslv23",options={ option }});
5a484bd050a7 core.certmanager: Test for SSL options in absence of LuaSec config
Kim Alvefur <zash@zash.se>
parents: 11548
diff changeset
37 end
5a484bd050a7 core.certmanager: Test for SSL options in absence of LuaSec config
Kim Alvefur <zash@zash.se>
parents: 11548
diff changeset
38
6564
bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents: 6547
diff changeset
39 local luasec_major, luasec_minor = ssl._VERSION:match("^(%d+)%.(%d+)");
7319
afa83f3ccaad certmanager: Explicitly tonumber() version number segments before doing arithmetic and avoid relying on implicit coercion (thanks David Favro)
Matthew Wild <mwild1@gmail.com>
parents: 7160
diff changeset
40 local luasec_version = tonumber(luasec_major) * 100 + tonumber(luasec_minor);
12331
49739369dcad core.certmanager: Turn soft dependency on LuaSec into a hard
Kim Alvefur <zash@zash.se>
parents: 12287
diff changeset
41 local luasec_has = ssl.config or {
8403
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents: 8279
diff changeset
42 algorithms = {
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents: 8279
diff changeset
43 ec = luasec_version >= 5;
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents: 8279
diff changeset
44 };
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents: 8279
diff changeset
45 capabilities = {
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents: 8279
diff changeset
46 curves_list = luasec_version >= 7;
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents: 8279
diff changeset
47 };
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents: 8279
diff changeset
48 options = {
11549
5a484bd050a7 core.certmanager: Test for SSL options in absence of LuaSec config
Kim Alvefur <zash@zash.se>
parents: 11548
diff changeset
49 cipher_server_preference = test_option("cipher_server_preference");
5a484bd050a7 core.certmanager: Test for SSL options in absence of LuaSec config
Kim Alvefur <zash@zash.se>
parents: 11548
diff changeset
50 no_ticket = test_option("no_ticket");
5a484bd050a7 core.certmanager: Test for SSL options in absence of LuaSec config
Kim Alvefur <zash@zash.se>
parents: 11548
diff changeset
51 no_compression = test_option("no_compression");
5a484bd050a7 core.certmanager: Test for SSL options in absence of LuaSec config
Kim Alvefur <zash@zash.se>
parents: 11548
diff changeset
52 single_dh_use = test_option("single_dh_use");
5a484bd050a7 core.certmanager: Test for SSL options in absence of LuaSec config
Kim Alvefur <zash@zash.se>
parents: 11548
diff changeset
53 single_ecdh_use = test_option("single_ecdh_use");
11551
aaf9c6b6d18d certmanager: Disable renegotiation by default
Matthew Wild <mwild1@gmail.com>
parents: 11549
diff changeset
54 no_renegotiation = test_option("no_renegotiation");
8403
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents: 8279
diff changeset
55 };
6566
1f396f0fe832 certmanager: Improve "detection" of features that depend on LuaSec version
Kim Alvefur <zash@zash.se>
parents: 6565
diff changeset
56 };
4899
0b8134015635 certmanager: Don't use no_ticket option before LuaSec 0.4
Matthew Wild <mwild1@gmail.com>
parents: 4890
diff changeset
57
6779
6236668da30a core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents: 6570
diff changeset
58 local _ENV = nil;
8555
4f0f5b49bb03 vairious: Add annotation when an empty environment is set [luacheck]
Kim Alvefur <zash@zash.se>
parents: 8494
diff changeset
59 -- luacheck: std none
2554
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
60
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
61 -- Global SSL options if not overridden per-host
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
62 local global_ssl_config = configmanager.get("*", "ssl");
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
63
7122
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
64 local global_certificates = configmanager.get("*", "certificates") or "certs";
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
65
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
66 local crt_try = { "", "/%s.crt", "/%s/fullchain.pem", "/%s.pem", };
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
67 local key_try = { "", "/%s.key", "/%s/privkey.pem", "/%s.pem", };
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
68
7140
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
69 local function find_cert(user_certs, name)
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
70 local certs = resolve_path(config_path, user_certs or global_certificates);
8259
db063671b73e certmanager: Add debug logging (thanks av6)
Matthew Wild <mwild1@gmail.com>
parents: 8159
diff changeset
71 log("debug", "Searching %s for a key and certificate for %s...", certs, name);
7122
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
72 for i = 1, #crt_try do
7140
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
73 local crt_path = certs .. crt_try[i]:format(name);
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
74 local key_path = certs .. key_try[i]:format(name);
7122
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
75
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
76 if stat(crt_path, "mode") == "file" then
10709
fcf7f50ccdd0 core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents: 8828
diff changeset
77 if crt_path == key_path then
fcf7f50ccdd0 core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents: 8828
diff changeset
78 if key_path:sub(-4) == ".crt" then
fcf7f50ccdd0 core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents: 8828
diff changeset
79 key_path = key_path:sub(1, -4) .. "key";
11531
2bd91d4a0fcf core.certmanager: Check for complete filename
Kim Alvefur <zash@zash.se>
parents: 11368
diff changeset
80 elseif key_path:sub(-14) == "/fullchain.pem" then
10709
fcf7f50ccdd0 core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents: 8828
diff changeset
81 key_path = key_path:sub(1, -14) .. "privkey.pem";
7122
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
82 end
10709
fcf7f50ccdd0 core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents: 8828
diff changeset
83 end
fcf7f50ccdd0 core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents: 8828
diff changeset
84
fcf7f50ccdd0 core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents: 8828
diff changeset
85 if stat(key_path, "mode") == "file" then
8259
db063671b73e certmanager: Add debug logging (thanks av6)
Matthew Wild <mwild1@gmail.com>
parents: 8159
diff changeset
86 log("debug", "Selecting certificate %s with key %s for %s", crt_path, key_path, name);
7145
b1a109858502 certmanager: Try filename.key if certificate is set to a full filename ending with .crt
Kim Alvefur <zash@zash.se>
parents: 7144
diff changeset
87 return { certificate = crt_path, key = key_path };
7122
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
88 end
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
89 end
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
90 end
8259
db063671b73e certmanager: Add debug logging (thanks av6)
Matthew Wild <mwild1@gmail.com>
parents: 8159
diff changeset
91 log("debug", "No certificate/key found for %s", name);
7122
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
92 end
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
93
11534
1cef62ca3e03 core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents: 11533
diff changeset
94 local function find_matching_key(cert_path)
12287
5cd075ed4fd3 core.certmanager: Relax certificate filename check #1713
Kim Alvefur <zash@zash.se>
parents: 12197
diff changeset
95 return (cert_path:gsub("%.crt$", ".key"):gsub("fullchain", "privkey"));
11534
1cef62ca3e03 core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents: 11533
diff changeset
96 end
1cef62ca3e03 core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents: 11533
diff changeset
97
11532
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
98 local function index_certs(dir, files_by_name, depth_limit)
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
99 files_by_name = files_by_name or {};
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
100 depth_limit = depth_limit or 3;
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
101 if depth_limit <= 0 then return files_by_name; end
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
102
11538
30feeb4d9d0b core.certmanager: Catch error from lfs
Kim Alvefur <zash@zash.se>
parents: 11537
diff changeset
103 local ok, iter, v, i = pcall(lfs.dir, dir);
30feeb4d9d0b core.certmanager: Catch error from lfs
Kim Alvefur <zash@zash.se>
parents: 11537
diff changeset
104 if not ok then
30feeb4d9d0b core.certmanager: Catch error from lfs
Kim Alvefur <zash@zash.se>
parents: 11537
diff changeset
105 log("error", "Error indexing certificate directory %s: %s", dir, iter);
30feeb4d9d0b core.certmanager: Catch error from lfs
Kim Alvefur <zash@zash.se>
parents: 11537
diff changeset
106 -- Return an empty index, otherwise this just triggers a nil indexing
30feeb4d9d0b core.certmanager: Catch error from lfs
Kim Alvefur <zash@zash.se>
parents: 11537
diff changeset
107 -- error, plus this function would get called again.
30feeb4d9d0b core.certmanager: Catch error from lfs
Kim Alvefur <zash@zash.se>
parents: 11537
diff changeset
108 -- Reloading the config after correcting the problem calls this again so
30feeb4d9d0b core.certmanager: Catch error from lfs
Kim Alvefur <zash@zash.se>
parents: 11537
diff changeset
109 -- that's what should be done.
30feeb4d9d0b core.certmanager: Catch error from lfs
Kim Alvefur <zash@zash.se>
parents: 11537
diff changeset
110 return {}, iter;
30feeb4d9d0b core.certmanager: Catch error from lfs
Kim Alvefur <zash@zash.se>
parents: 11537
diff changeset
111 end
30feeb4d9d0b core.certmanager: Catch error from lfs
Kim Alvefur <zash@zash.se>
parents: 11537
diff changeset
112 for file in iter, v, i do
11533
f97592336399 core.certmanager: Join paths with OS-aware util.paths function
Kim Alvefur <zash@zash.se>
parents: 11532
diff changeset
113 local full = pathutil.join(dir, file);
11532
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
114 if lfs.attributes(full, "mode") == "directory" then
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
115 if file:sub(1,1) ~= "." then
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
116 index_certs(full, files_by_name, depth_limit-1);
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
117 end
12287
5cd075ed4fd3 core.certmanager: Relax certificate filename check #1713
Kim Alvefur <zash@zash.se>
parents: 12197
diff changeset
118 elseif file:find("%.crt$") or file:find("fullchain") then -- This should catch most fullchain files
11532
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
119 local f = io_open(full);
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
120 if f then
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
121 -- TODO look for chained certificates
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
122 local firstline = f:read();
12305
f8b8061461e3 core.certmanager: Ensure key exists for fullchain
Kim Alvefur <zash@zash.se>
parents: 12287
diff changeset
123 if firstline == "-----BEGIN CERTIFICATE-----" and lfs.attributes(find_matching_key(full), "mode") == "file" then
11532
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
124 f:seek("set")
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
125 local cert = ssl.loadcertificate(f:read("*a"))
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
126 -- TODO if more than one cert is found for a name, the most recently
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
127 -- issued one should be used.
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
128 -- for now, just filter out expired certs
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
129 -- TODO also check if there's a corresponding key
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
130 if cert:validat(now()) then
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
131 local names = x509.get_identities(cert);
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
132 log("debug", "Found certificate %s with identities %q", full, names);
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
133 for name, services in pairs(names) do
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
134 -- TODO check services
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
135 if files_by_name[name] then
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
136 files_by_name[name][full] = services;
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
137 else
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
138 files_by_name[name] = { [full] = services; };
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
139 end
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
140 end
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
141 end
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
142 end
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
143 f:close();
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
144 end
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
145 end
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
146 end
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
147 log("debug", "Certificate index: %q", files_by_name);
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
148 -- | hostname | filename | service |
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
149 return files_by_name;
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
150 end
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
151
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
152 local cert_index;
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
153
12104
29765ac7f72f prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents: 12099
diff changeset
154 local function find_cert_in_index(index, host)
7140
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
155 if not host then return nil; end
12104
29765ac7f72f prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents: 12099
diff changeset
156 if not index then return nil; end
12105
47c9a76cce7d core.certmanager: Check index for wildcard certs
Kim Alvefur <zash@zash.se>
parents: 12104
diff changeset
157 local wildcard_host = host:gsub("^[^.]+%.", "*.");
47c9a76cce7d core.certmanager: Check index for wildcard certs
Kim Alvefur <zash@zash.se>
parents: 12104
diff changeset
158 local certs = index[host] or index[wildcard_host];
11532
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
159 if certs then
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
160 local cert_filename, services = next(certs);
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
161 if services["*"] then
12507
e242a6e74424 core.certmanager: Expand debug messages about cert lookups in index
Kim Alvefur <zash@zash.se>
parents: 12362
diff changeset
162 log("debug", "Using cert %q from index for host %q", cert_filename, host);
11534
1cef62ca3e03 core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents: 11533
diff changeset
163 return {
1cef62ca3e03 core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents: 11533
diff changeset
164 certificate = cert_filename,
1cef62ca3e03 core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents: 11533
diff changeset
165 key = find_matching_key(cert_filename),
1cef62ca3e03 core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents: 11533
diff changeset
166 }
11532
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
167 end
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
168 end
12104
29765ac7f72f prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents: 12099
diff changeset
169 return nil
29765ac7f72f prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents: 12099
diff changeset
170 end
11532
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
171
12104
29765ac7f72f prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents: 12099
diff changeset
172 local function find_host_cert(host)
29765ac7f72f prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents: 12099
diff changeset
173 if not host then return nil; end
29765ac7f72f prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents: 12099
diff changeset
174 if not cert_index then
29765ac7f72f prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents: 12099
diff changeset
175 cert_index = index_certs(resolve_path(config_path, global_certificates));
29765ac7f72f prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents: 12099
diff changeset
176 end
29765ac7f72f prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents: 12099
diff changeset
177
29765ac7f72f prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents: 12099
diff changeset
178 return find_cert_in_index(cert_index, host) or find_cert(configmanager.get(host, "certificate"), host) or find_host_cert(host:match("%.(.+)$"));
7140
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
179 end
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
180
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
181 local function find_service_cert(service, port)
11532
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
182 if not cert_index then
11537
a09685a7b330 core.certmanager: Resolve certs path relative to config dir
Kim Alvefur <zash@zash.se>
parents: 11534
diff changeset
183 cert_index = index_certs(resolve_path(config_path, global_certificates));
11532
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
184 end
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
185 for _, certs in pairs(cert_index) do
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
186 for cert_filename, services in pairs(certs) do
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
187 if services[service] or services["*"] then
12507
e242a6e74424 core.certmanager: Expand debug messages about cert lookups in index
Kim Alvefur <zash@zash.se>
parents: 12362
diff changeset
188 log("debug", "Using cert %q from index for service %s port %d", cert_filename, service, port);
11534
1cef62ca3e03 core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents: 11533
diff changeset
189 return {
1cef62ca3e03 core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents: 11533
diff changeset
190 certificate = cert_filename,
1cef62ca3e03 core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents: 11533
diff changeset
191 key = find_matching_key(cert_filename),
1cef62ca3e03 core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents: 11533
diff changeset
192 }
11532
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
193 end
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
194 end
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
195 end
7140
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
196 local cert_config = configmanager.get("*", service.."_certificate");
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
197 if type(cert_config) == "table" then
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
198 cert_config = cert_config[port] or cert_config.default;
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
199 end
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
200 return find_cert(cert_config, service);
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
201 end
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
202
6079
5cffee5b2826 certmanager: Reformat core ssl defaults
Kim Alvefur <zash@zash.se>
parents: 6078
diff changeset
203 -- Built-in defaults
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
204 local core_defaults = {
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
205 capath = "/etc/ssl/certs";
6568
b54b33f59c6e certmanager: Limit certificate chain depth to 9
Kim Alvefur <zash@zash.se>
parents: 6567
diff changeset
206 depth = 9;
6078
30ac122acdd3 certmanager: Support ssl.protocol syntax like "tlsv1+" that disables older protocols
Kim Alvefur <zash@zash.se>
parents: 6077
diff changeset
207 protocol = "tlsv1+";
9852
6ea3cafb6ac3 core.certmanager: Do not ask for client certificates by default
Kim Alvefur <zash@zash.se>
parents: 8828
diff changeset
208 verify = "none";
6079
5cffee5b2826 certmanager: Reformat core ssl defaults
Kim Alvefur <zash@zash.se>
parents: 6078
diff changeset
209 options = {
8403
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents: 8279
diff changeset
210 cipher_server_preference = luasec_has.options.cipher_server_preference;
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents: 8279
diff changeset
211 no_ticket = luasec_has.options.no_ticket;
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents: 8279
diff changeset
212 no_compression = luasec_has.options.no_compression and configmanager.get("*", "ssl_compression") ~= true;
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents: 8279
diff changeset
213 single_dh_use = luasec_has.options.single_dh_use;
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents: 8279
diff changeset
214 single_ecdh_use = luasec_has.options.single_ecdh_use;
11551
aaf9c6b6d18d certmanager: Disable renegotiation by default
Matthew Wild <mwild1@gmail.com>
parents: 11549
diff changeset
215 no_renegotiation = luasec_has.options.no_renegotiation;
6079
5cffee5b2826 certmanager: Reformat core ssl defaults
Kim Alvefur <zash@zash.se>
parents: 6078
diff changeset
216 };
11368
0bc3acf37428 core.certmanager: Add comments explaining the 'verifyext' TLS settings
Kim Alvefur <zash@zash.se>
parents: 10919
diff changeset
217 verifyext = {
0bc3acf37428 core.certmanager: Add comments explaining the 'verifyext' TLS settings
Kim Alvefur <zash@zash.se>
parents: 10919
diff changeset
218 "lsec_continue", -- Continue past certificate verification errors
0bc3acf37428 core.certmanager: Add comments explaining the 'verifyext' TLS settings
Kim Alvefur <zash@zash.se>
parents: 10919
diff changeset
219 "lsec_ignore_purpose", -- Validate client certificates as if they were server certificates
0bc3acf37428 core.certmanager: Add comments explaining the 'verifyext' TLS settings
Kim Alvefur <zash@zash.se>
parents: 10919
diff changeset
220 };
8405
a3cf899fd61b certmanager: Set single curve conditioned on LuaSec advertising EC crypto support
Kim Alvefur <zash@zash.se>
parents: 8404
diff changeset
221 curve = luasec_has.algorithms.ec and not luasec_has.capabilities.curves_list and "secp384r1";
8279
92cddfe65003 core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents: 8274
diff changeset
222 curveslist = {
92cddfe65003 core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents: 8274
diff changeset
223 "X25519",
92cddfe65003 core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents: 8274
diff changeset
224 "P-384",
92cddfe65003 core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents: 8274
diff changeset
225 "P-256",
92cddfe65003 core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents: 8274
diff changeset
226 "P-521",
92cddfe65003 core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents: 8274
diff changeset
227 };
7663
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents: 7531
diff changeset
228 ciphers = { -- Enabled ciphers in order of preference:
10721
3a1b1d3084fb core.certmanager: Move EECDH ciphers before EDH in default cipherstring (fixes #1513)
Kim Alvefur <zash@zash.se>
parents: 10709
diff changeset
229 "HIGH+kEECDH", -- Ephemeral Elliptic curve Diffie-Hellman key exchange
7663
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents: 7531
diff changeset
230 "HIGH+kEDH", -- Ephemeral Diffie-Hellman key exchange, if a 'dhparam' file is set
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents: 7531
diff changeset
231 "HIGH", -- Other "High strength" ciphers
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents: 7531
diff changeset
232 -- Disabled cipher suites:
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents: 7531
diff changeset
233 "!PSK", -- Pre-Shared Key - not used for XMPP
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents: 7531
diff changeset
234 "!SRP", -- Secure Remote Password - not used for XMPP
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents: 7531
diff changeset
235 "!3DES", -- 3DES - slow and of questionable security
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents: 7531
diff changeset
236 "!aNULL", -- Ciphers that does not authenticate the connection
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents: 7531
diff changeset
237 };
12150
653a48b5a25b core.certmanager: Disable DANE name checks (not needed for XMPP)
Kim Alvefur <zash@zash.se>
parents: 12120
diff changeset
238 dane = luasec_has.capabilities.dane and configmanager.get("*", "use_dane") and { "no_ee_namechecks" };
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
239 }
8404
ca52d40e74da certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents: 8403
diff changeset
240
12096
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
241 local mozilla_ssl_configs = {
12097
9c794d5f6f8d core.certmanager: Add TLS 1.3 cipher suites to Mozilla TLS presets
Kim Alvefur <zash@zash.se>
parents: 12096
diff changeset
242 -- https://wiki.mozilla.org/Security/Server_Side_TLS
12120
0fcd80a55f15 core.certmanager: Add curveslist to 'old' Mozilla TLS preset
Kim Alvefur <zash@zash.se>
parents: 12105
diff changeset
243 -- Version 5.6 as of 2021-12-26
12096
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
244 modern = {
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
245 protocol = "tlsv1_3";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
246 options = { cipher_server_preference = false };
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
247 ciphers = "DEFAULT"; -- TLS 1.3 uses 'ciphersuites' rather than these
12097
9c794d5f6f8d core.certmanager: Add TLS 1.3 cipher suites to Mozilla TLS presets
Kim Alvefur <zash@zash.se>
parents: 12096
diff changeset
248 curveslist = { "X25519"; "prime256v1"; "secp384r1" };
9c794d5f6f8d core.certmanager: Add TLS 1.3 cipher suites to Mozilla TLS presets
Kim Alvefur <zash@zash.se>
parents: 12096
diff changeset
249 ciphersuites = { "TLS_AES_128_GCM_SHA256"; "TLS_AES_256_GCM_SHA384"; "TLS_CHACHA20_POLY1305_SHA256" };
12096
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
250 };
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
251 intermediate = {
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
252 protocol = "tlsv1_2+";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
253 dhparam = nil; -- ffdhe2048.txt
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
254 options = { cipher_server_preference = false };
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
255 ciphers = {
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
256 "ECDHE-ECDSA-AES128-GCM-SHA256";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
257 "ECDHE-RSA-AES128-GCM-SHA256";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
258 "ECDHE-ECDSA-AES256-GCM-SHA384";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
259 "ECDHE-RSA-AES256-GCM-SHA384";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
260 "ECDHE-ECDSA-CHACHA20-POLY1305";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
261 "ECDHE-RSA-CHACHA20-POLY1305";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
262 "DHE-RSA-AES128-GCM-SHA256";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
263 "DHE-RSA-AES256-GCM-SHA384";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
264 };
12097
9c794d5f6f8d core.certmanager: Add TLS 1.3 cipher suites to Mozilla TLS presets
Kim Alvefur <zash@zash.se>
parents: 12096
diff changeset
265 curveslist = { "X25519"; "prime256v1"; "secp384r1" };
9c794d5f6f8d core.certmanager: Add TLS 1.3 cipher suites to Mozilla TLS presets
Kim Alvefur <zash@zash.se>
parents: 12096
diff changeset
266 ciphersuites = { "TLS_AES_128_GCM_SHA256"; "TLS_AES_256_GCM_SHA384"; "TLS_CHACHA20_POLY1305_SHA256" };
12096
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
267 };
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
268 old = {
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
269 protocol = "tlsv1+";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
270 dhparam = nil; -- openssl dhparam 1024
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
271 options = { cipher_server_preference = true };
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
272 ciphers = {
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
273 "ECDHE-ECDSA-AES128-GCM-SHA256";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
274 "ECDHE-RSA-AES128-GCM-SHA256";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
275 "ECDHE-ECDSA-AES256-GCM-SHA384";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
276 "ECDHE-RSA-AES256-GCM-SHA384";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
277 "ECDHE-ECDSA-CHACHA20-POLY1305";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
278 "ECDHE-RSA-CHACHA20-POLY1305";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
279 "DHE-RSA-AES128-GCM-SHA256";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
280 "DHE-RSA-AES256-GCM-SHA384";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
281 "DHE-RSA-CHACHA20-POLY1305";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
282 "ECDHE-ECDSA-AES128-SHA256";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
283 "ECDHE-RSA-AES128-SHA256";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
284 "ECDHE-ECDSA-AES128-SHA";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
285 "ECDHE-RSA-AES128-SHA";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
286 "ECDHE-ECDSA-AES256-SHA384";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
287 "ECDHE-RSA-AES256-SHA384";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
288 "ECDHE-ECDSA-AES256-SHA";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
289 "ECDHE-RSA-AES256-SHA";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
290 "DHE-RSA-AES128-SHA256";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
291 "DHE-RSA-AES256-SHA256";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
292 "AES128-GCM-SHA256";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
293 "AES256-GCM-SHA384";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
294 "AES128-SHA256";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
295 "AES256-SHA256";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
296 "AES128-SHA";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
297 "AES256-SHA";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
298 "DES-CBC3-SHA";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
299 };
12120
0fcd80a55f15 core.certmanager: Add curveslist to 'old' Mozilla TLS preset
Kim Alvefur <zash@zash.se>
parents: 12105
diff changeset
300 curveslist = { "X25519"; "prime256v1"; "secp384r1" };
12097
9c794d5f6f8d core.certmanager: Add TLS 1.3 cipher suites to Mozilla TLS presets
Kim Alvefur <zash@zash.se>
parents: 12096
diff changeset
301 ciphersuites = { "TLS_AES_128_GCM_SHA256"; "TLS_AES_256_GCM_SHA384"; "TLS_CHACHA20_POLY1305_SHA256" };
12096
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
302 };
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
303 };
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
304
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents: 11709
diff changeset
305
8404
ca52d40e74da certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents: 8403
diff changeset
306 if luasec_has.curves then
ca52d40e74da certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents: 8403
diff changeset
307 for i = #core_defaults.curveslist, 1, -1 do
ca52d40e74da certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents: 8403
diff changeset
308 if not luasec_has.curves[ core_defaults.curveslist[i] ] then
ca52d40e74da certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents: 8403
diff changeset
309 t_remove(core_defaults.curveslist, i);
ca52d40e74da certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents: 8403
diff changeset
310 end
ca52d40e74da certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents: 8403
diff changeset
311 end
ca52d40e74da certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents: 8403
diff changeset
312 else
ca52d40e74da certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents: 8403
diff changeset
313 core_defaults.curveslist = nil;
ca52d40e74da certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents: 8403
diff changeset
314 end
ca52d40e74da certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents: 8403
diff changeset
315
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
316 local path_options = { -- These we pass through resolve_path()
5822
970c666c5586 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5821
diff changeset
317 key = true, certificate = true, cafile = true, capath = true, dhparam = true
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
318 }
5282
4cd57cb49f99 core.certmanager: Add support for LuaSec 0.5. Also compat with MattJs luasec-hg
Kim Alvefur <zash@zash.se>
parents: 4992
diff changeset
319
6779
6236668da30a core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents: 6570
diff changeset
320 local function create_context(host, mode, ...)
6293
851fb5e9fa0c core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents: 6165
diff changeset
321 local cfg = new_config();
851fb5e9fa0c core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents: 6165
diff changeset
322 cfg:apply(core_defaults);
8827
1a29b56a2d63 core.certmanager: Allow all non-whitespace in service name (fixes #1019)
Kim Alvefur <zash@zash.se>
parents: 8494
diff changeset
323 local service_name, port = host:match("^(%S+) port (%d+)$");
11591
e7a964572f6b core.certmanager: Skip service certificate lookup for https client
Kim Alvefur <zash@zash.se>
parents: 11560
diff changeset
324 -- port 0 is used with client-only things that normally don't need certificates, e.g. https
e7a964572f6b core.certmanager: Skip service certificate lookup for https client
Kim Alvefur <zash@zash.se>
parents: 11560
diff changeset
325 if service_name and port ~= "0" then
11532
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
326 log("debug", "Automatically locating certs for service %s on port %s", service_name, port);
7140
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
327 cfg:apply(find_service_cert(service_name, tonumber(port)));
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
328 else
11532
c0c859425c22 core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents: 11531
diff changeset
329 log("debug", "Automatically locating certs for host %s", host);
7140
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
330 cfg:apply(find_host_cert(host));
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
331 end
6293
851fb5e9fa0c core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents: 6165
diff changeset
332 cfg:apply({
851fb5e9fa0c core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents: 6165
diff changeset
333 mode = mode,
851fb5e9fa0c core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents: 6165
diff changeset
334 -- We can't read the password interactively when daemonized
851fb5e9fa0c core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents: 6165
diff changeset
335 password = function() log("error", "Encrypted certificate for %s requires 'ssl' 'password' to be set in config", host); end;
851fb5e9fa0c core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents: 6165
diff changeset
336 });
12197
95d25e620dc2 core.certmanager: Use 'tls_profile' instead of 'tls_preset' to match documentation
Kim Alvefur <zash@zash.se>
parents: 12196
diff changeset
337 local profile = configmanager.get("*", "tls_profile") or "intermediate";
95d25e620dc2 core.certmanager: Use 'tls_profile' instead of 'tls_preset' to match documentation
Kim Alvefur <zash@zash.se>
parents: 12196
diff changeset
338 if profile ~= "legacy" then
95d25e620dc2 core.certmanager: Use 'tls_profile' instead of 'tls_preset' to match documentation
Kim Alvefur <zash@zash.se>
parents: 12196
diff changeset
339 cfg:apply(mozilla_ssl_configs[profile]);
12098
9591b838e3b0 core.certmanager: Add "legacy" preset for keeping previous default settings
Kim Alvefur <zash@zash.se>
parents: 12097
diff changeset
340 end
12196
b05e0b422ff7 core.certmanager: Apply TLS preset before global settings (thanks Menel)
Kim Alvefur <zash@zash.se>
parents: 12150
diff changeset
341 cfg:apply(global_ssl_config);
6076
e0713386319a certmanager: Wrap long line and add comment
Kim Alvefur <zash@zash.se>
parents: 6075
diff changeset
342
6294
0033b021038f core.certmanager: Make create_context() support an arbitrary number of option sets, merging all
Kim Alvefur <zash@zash.se>
parents: 6293
diff changeset
343 for i = select('#', ...), 1, -1 do
0033b021038f core.certmanager: Make create_context() support an arbitrary number of option sets, merging all
Kim Alvefur <zash@zash.se>
parents: 6293
diff changeset
344 cfg:apply(select(i, ...));
0033b021038f core.certmanager: Make create_context() support an arbitrary number of option sets, merging all
Kim Alvefur <zash@zash.se>
parents: 6293
diff changeset
345 end
0033b021038f core.certmanager: Make create_context() support an arbitrary number of option sets, merging all
Kim Alvefur <zash@zash.se>
parents: 6293
diff changeset
346 local user_ssl_config = cfg:final();
6293
851fb5e9fa0c core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents: 6165
diff changeset
347
851fb5e9fa0c core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents: 6165
diff changeset
348 if mode == "server" then
10237
a36af4570b39 core.certmanager: Lower severity for tls config not having cert
Kim Alvefur <zash@zash.se>
parents: 10227
diff changeset
349 if not user_ssl_config.certificate then
a36af4570b39 core.certmanager: Lower severity for tls config not having cert
Kim Alvefur <zash@zash.se>
parents: 10227
diff changeset
350 log("info", "No certificate present in SSL/TLS configuration for %s. SNI will be required.", host);
a36af4570b39 core.certmanager: Lower severity for tls config not having cert
Kim Alvefur <zash@zash.se>
parents: 10227
diff changeset
351 end
a36af4570b39 core.certmanager: Lower severity for tls config not having cert
Kim Alvefur <zash@zash.se>
parents: 10227
diff changeset
352 if user_ssl_config.certificate and not user_ssl_config.key then return nil, "No key present in SSL/TLS configuration for "..host; end
6077
6999d4415a58 certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost
Kim Alvefur <zash@zash.se>
parents: 6076
diff changeset
353 end
6999d4415a58 certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost
Kim Alvefur <zash@zash.se>
parents: 6076
diff changeset
354
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
355 for option in pairs(path_options) do
5822
970c666c5586 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5821
diff changeset
356 if type(user_ssl_config[option]) == "string" then
970c666c5586 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5821
diff changeset
357 user_ssl_config[option] = resolve_path(config_path, user_ssl_config[option]);
6903
5ff42d85d4d5 core.certmanager: Remove non-string filenames (allows setting eg capath to false to disable the built in default)
Kim Alvefur <zash@zash.se>
parents: 6779
diff changeset
358 else
5ff42d85d4d5 core.certmanager: Remove non-string filenames (allows setting eg capath to false to disable the built in default)
Kim Alvefur <zash@zash.se>
parents: 6779
diff changeset
359 user_ssl_config[option] = nil;
5822
970c666c5586 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5821
diff changeset
360 end
5816
20e2b588f8c2 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5815
diff changeset
361 end
3355
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
362
5816
20e2b588f8c2 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5815
diff changeset
363 -- LuaSec expects dhparam to be a callback that takes two arguments.
20e2b588f8c2 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5815
diff changeset
364 -- We ignore those because it is mostly used for having a separate
20e2b588f8c2 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5815
diff changeset
365 -- set of params for EXPORT ciphers, which we don't have by default.
5822
970c666c5586 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5821
diff changeset
366 if type(user_ssl_config.dhparam) == "string" then
970c666c5586 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5821
diff changeset
367 local f, err = io_open(user_ssl_config.dhparam);
5816
20e2b588f8c2 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5815
diff changeset
368 if not f then return nil, "Could not open DH parameters: "..err end
20e2b588f8c2 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5815
diff changeset
369 local dhparam = f:read("*a");
20e2b588f8c2 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5815
diff changeset
370 f:close();
5822
970c666c5586 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5821
diff changeset
371 user_ssl_config.dhparam = function() return dhparam; end
5816
20e2b588f8c2 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5815
diff changeset
372 end
20e2b588f8c2 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5815
diff changeset
373
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
374 local ctx, err = ssl_newcontext(user_ssl_config);
4359
c69cbac4178f certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents: 3670
diff changeset
375
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
376 -- COMPAT Older LuaSec ignores the cipher list from the config, so we have to take care
4359
c69cbac4178f certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents: 3670
diff changeset
377 -- of it ourselves (W/A for #x)
c69cbac4178f certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents: 3670
diff changeset
378 if ctx and user_ssl_config.ciphers then
c69cbac4178f certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents: 3670
diff changeset
379 local success;
6565
ffc0a57889aa certmanager: Add locals for ssl.context and ssl.x509
Kim Alvefur <zash@zash.se>
parents: 6564
diff changeset
380 success, err = ssl_context.setcipher(ctx, user_ssl_config.ciphers);
4359
c69cbac4178f certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents: 3670
diff changeset
381 if not success then ctx = nil; end
c69cbac4178f certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents: 3670
diff changeset
382 end
c69cbac4178f certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents: 3670
diff changeset
383
3355
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
384 if not ctx then
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
385 err = err or "invalid ssl config"
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
386 local file = err:match("^error loading (.-) %(");
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
387 if file then
7743
d018ffc9238c core.certmanager: Translate "no start line" to something friendlier (thanks santiago)
Kim Alvefur <zash@zash.se>
parents: 7663
diff changeset
388 local typ;
3355
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
389 if file == "private key" then
7743
d018ffc9238c core.certmanager: Translate "no start line" to something friendlier (thanks santiago)
Kim Alvefur <zash@zash.se>
parents: 7663
diff changeset
390 typ = file;
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
391 file = user_ssl_config.key or "your private key";
3355
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
392 elseif file == "certificate" then
7743
d018ffc9238c core.certmanager: Translate "no start line" to something friendlier (thanks santiago)
Kim Alvefur <zash@zash.se>
parents: 7663
diff changeset
393 typ = file;
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
394 file = user_ssl_config.certificate or "your certificate file";
3355
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
395 end
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
396 local reason = err:match("%((.+)%)$") or "some reason";
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
397 if reason == "Permission denied" then
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
398 reason = "Check that the permissions allow Prosody to read this file.";
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
399 elseif reason == "No such file or directory" then
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
400 reason = "Check that the path is correct, and the file exists.";
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
401 elseif reason == "system lib" then
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
402 reason = "Previous error (see logs), or other system error.";
7743
d018ffc9238c core.certmanager: Translate "no start line" to something friendlier (thanks santiago)
Kim Alvefur <zash@zash.se>
parents: 7663
diff changeset
403 elseif reason == "no start line" then
d018ffc9238c core.certmanager: Translate "no start line" to something friendlier (thanks santiago)
Kim Alvefur <zash@zash.se>
parents: 7663
diff changeset
404 reason = "Check that the file contains a "..(typ or file);
3355
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
405 elseif reason == "(null)" or not reason then
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
406 reason = "Check that the file exists and the permissions are correct";
2630
e8fc67b73820 certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents: 2564
diff changeset
407 else
3355
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
408 reason = "Reason: "..tostring(reason):lower();
2630
e8fc67b73820 certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents: 2564
diff changeset
409 end
4925
55f6e0673e33 certmanager: Add quotes around cert file path when logging.
Waqas Hussain <waqas20@gmail.com>
parents: 4900
diff changeset
410 log("error", "SSL/TLS: Failed to load '%s': %s (for %s)", file, reason, host);
3355
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
411 else
4855
a31ea431d906 certmanager: Adjust error messages to be non-specific about 'host' (so we can specify a service name instead ffor SSL)
Matthew Wild <mwild1@gmail.com>
parents: 4656
diff changeset
412 log("error", "SSL/TLS: Error initialising for %s: %s", host, err);
3355
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
413 end
3540
bc139431830b Monster whitespace commit (beware the whitespace monster).
Waqas Hussain <waqas20@gmail.com>
parents: 3402
diff changeset
414 end
6526
873538f0b18c certmanager, mod_tls: Return final ssl config as third return value (fix for c6caaa440e74, portmanager assumes non-falsy second return value is an error) (thanks deoren)
Kim Alvefur <zash@zash.se>
parents: 6520
diff changeset
415 return ctx, err, user_ssl_config;
2554
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
416 end
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
417
6779
6236668da30a core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents: 6570
diff changeset
418 local function reload_ssl_config()
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
419 global_ssl_config = configmanager.get("*", "ssl");
8159
3850993a9bda certmanager: Update the 'certificates' option after the config has been reloaded (fixes #929)
Kim Alvefur <zash@zash.se>
parents: 7743
diff changeset
420 global_certificates = configmanager.get("*", "certificates") or "certs";
8403
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents: 8279
diff changeset
421 if luasec_has.options.no_compression then
6080
b7d1607df87d certmanager: Update ssl_compression when config is reloaded
Kim Alvefur <zash@zash.se>
parents: 6079
diff changeset
422 core_defaults.options.no_compression = configmanager.get("*", "ssl_compression") ~= true;
b7d1607df87d certmanager: Update ssl_compression when config is reloaded
Kim Alvefur <zash@zash.se>
parents: 6079
diff changeset
423 end
11709
5810166f35d5 core.certmanager: Support 'use_dane' setting to enable DANE support
Kim Alvefur <zash@zash.se>
parents: 11591
diff changeset
424 core_defaults.dane = configmanager.get("*", "use_dane") or false;
11537
a09685a7b330 core.certmanager: Resolve certs path relative to config dir
Kim Alvefur <zash@zash.se>
parents: 11534
diff changeset
425 cert_index = index_certs(resolve_path(config_path, global_certificates));
2554
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
426 end
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
427
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
428 prosody.events.add_handler("config-reloaded", reload_ssl_config);
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
429
6779
6236668da30a core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents: 6570
diff changeset
430 return {
6236668da30a core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents: 6570
diff changeset
431 create_context = create_context;
6236668da30a core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents: 6570
diff changeset
432 reload_ssl_config = reload_ssl_config;
8274
3798955049e3 prosodyctl: cert import: Reuse function from certmanager for locating certificates and keys
Kim Alvefur <zash@zash.se>
parents: 8259
diff changeset
433 find_cert = find_cert;
12104
29765ac7f72f prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents: 12099
diff changeset
434 index_certs = index_certs;
10463
fbeb7a3fc4eb core.portmanager: Fix TLS context inheritance for SNI hosts (completes SNI support)
Kim Alvefur <zash@zash.se>
parents: 10237
diff changeset
435 find_host_cert = find_host_cert;
12104
29765ac7f72f prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents: 12099
diff changeset
436 find_cert_in_index = find_cert_in_index;
6779
6236668da30a core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents: 6570
diff changeset
437 };