Annotate
certs/openssl.cnf @ 13792:4ea7bd7325be 13.0
core.portmanager: Restore use of per-host 'ssl' for SNI hosts. Fixes #1915.
This was an unintentional regression, as per-host 'ssl' options became valid
in 0.12 when SNI support was added for direct TLS ports. While we encourage
most people to use the simpler automatic certificate selection (and it seems
most do, given the overlooking of this bug), there are likely always going to
be use cases for manually-configured certificates.
The issue was introduced in commit 7e9ebdc75ce4 which inadvertently removed
the per-host option checking for SNI.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sat, 29 Mar 2025 22:25:19 +0100 |
| parent | 12604:bd9e006a7a74 |
Each line of the file is attributed to the changeset that last changed it. The changesets involved, oldest first:

| rev | changeset | description | author | parent |
|---|---|---|---|---|
| 3701 | 4f22615c8361 | certs: Add a default OpenSSL configuration file, and a Makefile. | Kim Alvefur <zash@zash.se> | |
| 3704 | 320738c67100 | certs/openssl.cnf: Change countryName from UK to GB | Matthew Wild <mwild1@gmail.com> | 3701 |
| 4098 | 7d687c348295 | certs/openssl.cnf: Specify output encoding. | Kim Alvefur <zash@zash.se> | 3704 |
| 5350 | fba042a2c228 | certs/openssl.cnf: Update XMPP-Core references to reflect RFC publication | Kim Alvefur <zash@zash.se> | 4098 |
| 6922 | e0672860d208 | cert/openssl.cnf: Split CSR and self-signed extensions into separate sections (see d2d7ad2563f9) | Kim Alvefur <zash@zash.se> | 5350 |
| 12604 | bd9e006a7a74 | various: Update IETF RFC URLs for tools.ietf.org transition | Kim Alvefur <zash@zash.se> | 6922 |

Lines from later changesets: `countryName = GB` (3704); the two `xmppAddr;FORMAT:UTF8,UTF8:` otherName entries (4098); the `RFC 6120 section 13.7.1.4.` comment (5350); `req_extensions`, `x509_extensions`, the `[ certrequest ]` header and the whole `[ selfsigned ]` section (6922); the rfc-editor.org URL comment (12604). Every other line is from 3701.

```ini
oid_section = new_oids

[ new_oids ]

# RFC 6120 section 13.7.1.4. defines this OID
xmppAddr = 1.3.6.1.5.5.7.8.5

# RFC 4985 defines this OID
SRVName = 1.3.6.1.5.5.7.8.7

[ req ]

default_bits = 4096
default_keyfile = example.com.key
distinguished_name = distinguished_name
req_extensions = certrequest
x509_extensions = selfsigned

# ask about the DN?
prompt = no

[ distinguished_name ]

commonName = example.com
countryName = GB
localityName = The Internet
organizationName = Your Organisation
organizationalUnitName = XMPP Department
emailAddress = xmpp@example.com

[ certrequest ]

# for certificate requests (req_extensions)

basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = @subject_alternative_name

[ selfsigned ]

# and self-signed certificates (x509_extensions)

basicConstraints = CA:TRUE
subjectAltName = @subject_alternative_name

[ subject_alternative_name ]

# See https://www.rfc-editor.org/rfc/rfc6120.html#section-13.7.1.2 for more info.

DNS.0 = example.com
otherName.0 = xmppAddr;FORMAT:UTF8,UTF8:example.com
otherName.1 = SRVName;IA5STRING:_xmpp-client.example.com
otherName.2 = SRVName;IA5STRING:_xmpp-server.example.com

DNS.1 = conference.example.com
otherName.3 = xmppAddr;FORMAT:UTF8,UTF8:conference.example.com
otherName.4 = SRVName;IA5STRING:_xmpp-server.conference.example.com
```
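The `otherName` entries in the `[ subject_alternative_name ]` section select a DER string type per OID (`FORMAT:UTF8,UTF8:` for xmppAddr, `IA5STRING:` for SRVName), which is what changeset 4098 "Specify output encoding" pins down. As an added example that is not part of Prosody or its openssl.cnf, the Python below encodes such a GeneralName otherName from the OID and value and parses one back, refusing a value whose string tag does not match what RFC 6120 and RFC 4985 require; every function and constant name is this example's own.

```python
XMPP_ADDR_OID = "1.3.6.1.5.5.7.8.5"  # id-on-xmppAddr (RFC 6120), as in openssl.cnf
SRV_NAME_OID = "1.3.6.1.5.5.7.8.7"   # id-on-dnsSRV (RFC 4985), as in openssl.cnf
UTF8STRING, IA5STRING, OID_TAG, CTX0 = 0x0C, 0x16, 0x06, 0xA0   # DER tags

def _len(n):  # DER length: short form below 128, else 0x80|count + big-endian bytes
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body

def encode_oid(oid):  # dotted string -> OBJECT IDENTIFIER TLV (base-128 arcs)
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out += bytes(reversed(chunk))
    return _tlv(OID_TAG, bytes(out))

def other_name(oid, value):
    # GeneralName otherName [0] { type-id OID, value [0] EXPLICIT <string> };
    # the string tag is what "FORMAT:UTF8,UTF8:" vs "IA5STRING:" select in openssl.cnf
    tag = {XMPP_ADDR_OID: UTF8STRING, SRV_NAME_OID: IA5STRING}[oid]
    inner = _tlv(tag, value.encode("utf-8" if tag == UTF8STRING else "ascii"))
    return _tlv(CTX0, encode_oid(oid) + _tlv(CTX0, inner))

def _read_tlv(buf, pos):  # -> (tag, contents, position after the element)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def parse_other_name(der):
    # Returns ("xmppAddr"|"SRVName", value); raises if the OID is unknown or the
    # value uses a string type the RFCs do not allow (e.g. IA5String for xmppAddr)
    tag, body, _ = _read_tlv(der, 0)
    otag, oid_body, pos = _read_tlv(body, 0)
    _, wrapped, _ = _read_tlv(body, pos)
    vtag, val, _ = _read_tlv(wrapped, 0)
    oid = _tlv(otag, oid_body)
    if tag == CTX0 and oid == encode_oid(XMPP_ADDR_OID) and vtag == UTF8STRING:
        return "xmppAddr", val.decode("utf-8")
    if tag == CTX0 and oid == encode_oid(SRV_NAME_OID) and vtag == IA5STRING:
        return "SRVName", val.decode("ascii")
    raise ValueError("unexpected otherName OID %s / string tag 0x%02x" % (oid_body.hex(), vtag))
```

The bytes `other_name` produces are what `openssl x509 -text` shows as the `othername:` SAN entries; a verifier that only checks DNS names never sees them, so XMPP-specific checks need to parse them as above.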