Software /
code /
prosody
Annotate
core/certmanager.lua @ 6165:6a184b16b717
core.certmanager, core.moduleapi, mod_storage_sql, mod_storage_sql2: Import from util.paths
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Fri, 09 May 2014 19:35:29 +0200 |
parent | 6089:d774cb85664b |
child | 6293:851fb5e9fa0c |
rev | line source |
---|---|
3369
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
1 -- Prosody IM |
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
2 -- Copyright (C) 2008-2010 Matthew Wild |
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
3 -- Copyright (C) 2008-2010 Waqas Hussain |
5776
bd0ff8ae98a8
Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
5746
diff
changeset
|
4 -- |
3369
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
5 -- This project is MIT/X11 licensed. Please see the |
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
6 -- COPYING file in the source package for more information. |
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
7 -- |
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
8 |
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
9 local configmanager = require "core.configmanager"; |
2630
e8fc67b73820
certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
10 local log = require "util.logger".init("certmanager"); |
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
11 local ssl = ssl; |
2564
6b4fe320a6ea
certmanager: Fix traceback with no LuaSec
Matthew Wild <mwild1@gmail.com>
parents:
2563
diff
changeset
|
12 local ssl_newcontext = ssl and ssl.newcontext; |
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
13 |
4992
e79e4d1f75de
certmanager: Remove unused import of setmetatable
Matthew Wild <mwild1@gmail.com>
parents:
4991
diff
changeset
|
14 local tostring = tostring; |
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
15 local pairs = pairs; |
5820
6bc4077bc1f9
certmanager: Fix dhparam callback, missing imports (Testing, pfft)
Kim Alvefur <zash@zash.se>
parents:
5816
diff
changeset
|
16 local type = type; |
6bc4077bc1f9
certmanager: Fix dhparam callback, missing imports (Testing, pfft)
Kim Alvefur <zash@zash.se>
parents:
5816
diff
changeset
|
17 local io_open = io.open; |
6075
524060125f9c
certmanager: Concatenate cipher list if given as a table
Kim Alvefur <zash@zash.se>
parents:
6074
diff
changeset
|
18 local t_concat = table.concat; |
6089
d774cb85664b
certmanager: Move ssl.protocol handling to after ssl.options is a table (thanks Ralph)
Kim Alvefur <zash@zash.se>
parents:
6087
diff
changeset
|
19 local t_insert = table.insert; |
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
20 |
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
21 local prosody = prosody; |
6165
6a184b16b717
core.certmanager, core.moduleapi, mod_storage_sql, mod_storage_sql2: Import from util.paths
Kim Alvefur <zash@zash.se>
parents:
6089
diff
changeset
|
22 local resolve_path = require"util.paths".resolve_relative_path; |
3402
dfc369314e53
prosody.resolve_relative_path: Updated to take a parent path to resolve against.
Waqas Hussain <waqas20@gmail.com>
parents:
3400
diff
changeset
|
23 local config_path = prosody.paths.config; |
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
24 |
5621
63cfd59999b6
certmanager: Disable SSL compression if possible (LuaSec 0.5 or 0.4.1+OpenSSL 1.x)
Matthew Wild <mwild1@gmail.com>
parents:
5377
diff
changeset
|
25 local luasec_has_noticket, luasec_has_verifyext, luasec_has_no_compression; |
4991
bcbfcec620ac
certmanager: Fix for traceback WITH LuaSec... (!) (thanks IRON)
Matthew Wild <mwild1@gmail.com>
parents:
4990
diff
changeset
|
26 if ssl then |
bcbfcec620ac
certmanager: Fix for traceback WITH LuaSec... (!) (thanks IRON)
Matthew Wild <mwild1@gmail.com>
parents:
4990
diff
changeset
|
27 local luasec_major, luasec_minor = ssl._VERSION:match("^(%d+)%.(%d+)"); |
bcbfcec620ac
certmanager: Fix for traceback WITH LuaSec... (!) (thanks IRON)
Matthew Wild <mwild1@gmail.com>
parents:
4990
diff
changeset
|
28 luasec_has_noticket = tonumber(luasec_major)>0 or tonumber(luasec_minor)>=4; |
5282
4cd57cb49f99
core.certmanager: Add support for LuaSec 0.5. Also compat with MattJs luasec-hg
Kim Alvefur <zash@zash.se>
parents:
4992
diff
changeset
|
29 luasec_has_verifyext = tonumber(luasec_major)>0 or tonumber(luasec_minor)>=5; |
5621
63cfd59999b6
certmanager: Disable SSL compression if possible (LuaSec 0.5 or 0.4.1+OpenSSL 1.x)
Matthew Wild <mwild1@gmail.com>
parents:
5377
diff
changeset
|
30 luasec_has_no_compression = tonumber(luasec_major)>0 or tonumber(luasec_minor)>=5; |
4991
bcbfcec620ac
certmanager: Fix for traceback WITH LuaSec... (!) (thanks IRON)
Matthew Wild <mwild1@gmail.com>
parents:
4990
diff
changeset
|
31 end |
4899
0b8134015635
certmanager: Don't use no_ticket option before LuaSec 0.4
Matthew Wild <mwild1@gmail.com>
parents:
4890
diff
changeset
|
32 |
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
33 module "certmanager" |
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
34 |
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
35 -- Global SSL options if not overridden per-host |
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
36 local global_ssl_config = configmanager.get("*", "ssl"); |
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
37 |
6079
5cffee5b2826
certmanager: Reformat core ssl defaults
Kim Alvefur <zash@zash.se>
parents:
6078
diff
changeset
|
38 -- Built-in defaults |
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
39 local core_defaults = { |
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
40 capath = "/etc/ssl/certs"; |
6078
30ac122acdd3
certmanager: Support ssl.protocol syntax like "tlsv1+" that disables older protocols
Kim Alvefur <zash@zash.se>
parents:
6077
diff
changeset
|
41 protocol = "tlsv1+"; |
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
42 verify = (ssl and ssl.x509 and { "peer", "client_once", }) or "none"; |
6079
5cffee5b2826
certmanager: Reformat core ssl defaults
Kim Alvefur <zash@zash.se>
parents:
6078
diff
changeset
|
43 options = { |
5cffee5b2826
certmanager: Reformat core ssl defaults
Kim Alvefur <zash@zash.se>
parents:
6078
diff
changeset
|
44 cipher_server_preference = true; |
5cffee5b2826
certmanager: Reformat core ssl defaults
Kim Alvefur <zash@zash.se>
parents:
6078
diff
changeset
|
45 no_ticket = luasec_has_noticket; |
5cffee5b2826
certmanager: Reformat core ssl defaults
Kim Alvefur <zash@zash.se>
parents:
6078
diff
changeset
|
46 no_compression = luasec_has_no_compression and configmanager.get("*", "ssl_compression") ~= true; |
5cffee5b2826
certmanager: Reformat core ssl defaults
Kim Alvefur <zash@zash.se>
parents:
6078
diff
changeset
|
47 -- Has no_compression? Then it has these too... |
5cffee5b2826
certmanager: Reformat core ssl defaults
Kim Alvefur <zash@zash.se>
parents:
6078
diff
changeset
|
48 single_dh_use = luasec_has_no_compression; |
5cffee5b2826
certmanager: Reformat core ssl defaults
Kim Alvefur <zash@zash.se>
parents:
6078
diff
changeset
|
49 single_ecdh_use = luasec_has_no_compression; |
5cffee5b2826
certmanager: Reformat core ssl defaults
Kim Alvefur <zash@zash.se>
parents:
6078
diff
changeset
|
50 }; |
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
51 verifyext = { "lsec_continue", "lsec_ignore_purpose" }; |
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
52 curve = "secp384r1"; |
5922 | 53 ciphers = "HIGH+kEDH:HIGH+kEECDH:HIGH:!PSK:!SRP:!3DES:!aNULL"; |
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
54 } |
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
55 local path_options = { -- These we pass through resolve_path() |
5822
970c666c5586
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5821
diff
changeset
|
56 key = true, certificate = true, cafile = true, capath = true, dhparam = true |
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
57 } |
6077
6999d4415a58
certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost
Kim Alvefur <zash@zash.se>
parents:
6076
diff
changeset
|
58 local set_options = { |
6999d4415a58
certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost
Kim Alvefur <zash@zash.se>
parents:
6076
diff
changeset
|
59 options = true, verify = true, verifyext = true |
6999d4415a58
certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost
Kim Alvefur <zash@zash.se>
parents:
6076
diff
changeset
|
60 } |
5282
4cd57cb49f99
core.certmanager: Add support for LuaSec 0.5. Also compat with MattJs luasec-hg
Kim Alvefur <zash@zash.se>
parents:
4992
diff
changeset
|
61 |
5287
676a1a032d2f
certmanager: Fix nil index if no LuaSec available
Kim Alvefur <zash@zash.se>
parents:
5282
diff
changeset
|
62 if ssl and not luasec_has_verifyext and ssl.x509 then |
5282
4cd57cb49f99
core.certmanager: Add support for LuaSec 0.5. Also compat with MattJs luasec-hg
Kim Alvefur <zash@zash.se>
parents:
4992
diff
changeset
|
63 -- COMPAT mw/luasec-hg |
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
64 for i=1,#core_defaults.verifyext do -- Remove lsec_ prefix |
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
65 core_defaults.verify[#core_defaults.verify+1] = core_defaults.verifyext[i]:sub(6); |
5282
4cd57cb49f99
core.certmanager: Add support for LuaSec 0.5. Also compat with MattJs luasec-hg
Kim Alvefur <zash@zash.se>
parents:
4992
diff
changeset
|
66 end |
4cd57cb49f99
core.certmanager: Add support for LuaSec 0.5. Also compat with MattJs luasec-hg
Kim Alvefur <zash@zash.se>
parents:
4992
diff
changeset
|
67 end |
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
68 |
6077
6999d4415a58
certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost
Kim Alvefur <zash@zash.se>
parents:
6076
diff
changeset
|
69 local function merge_set(t, o) |
6999d4415a58
certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost
Kim Alvefur <zash@zash.se>
parents:
6076
diff
changeset
|
70 if type(t) ~= "table" then t = { t } end |
6999d4415a58
certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost
Kim Alvefur <zash@zash.se>
parents:
6076
diff
changeset
|
71 for k,v in pairs(t) do |
6999d4415a58
certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost
Kim Alvefur <zash@zash.se>
parents:
6076
diff
changeset
|
72 if v == true or v == false then |
6999d4415a58
certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost
Kim Alvefur <zash@zash.se>
parents:
6076
diff
changeset
|
73 o[k] = v; |
6999d4415a58
certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost
Kim Alvefur <zash@zash.se>
parents:
6076
diff
changeset
|
74 else |
6999d4415a58
certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost
Kim Alvefur <zash@zash.se>
parents:
6076
diff
changeset
|
75 o[v] = true; |
6999d4415a58
certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost
Kim Alvefur <zash@zash.se>
parents:
6076
diff
changeset
|
76 end |
6999d4415a58
certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost
Kim Alvefur <zash@zash.se>
parents:
6076
diff
changeset
|
77 end |
6999d4415a58
certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost
Kim Alvefur <zash@zash.se>
parents:
6076
diff
changeset
|
78 return o; |
6999d4415a58
certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost
Kim Alvefur <zash@zash.se>
parents:
6076
diff
changeset
|
79 end |
6999d4415a58
certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost
Kim Alvefur <zash@zash.se>
parents:
6076
diff
changeset
|
80 |
6078
30ac122acdd3
certmanager: Support ssl.protocol syntax like "tlsv1+" that disables older protocols
Kim Alvefur <zash@zash.se>
parents:
6077
diff
changeset
|
81 local protocols = { "sslv2", "sslv3", "tlsv1", "tlsv1_1", "tlsv1_2" }; |
30ac122acdd3
certmanager: Support ssl.protocol syntax like "tlsv1+" that disables older protocols
Kim Alvefur <zash@zash.se>
parents:
6077
diff
changeset
|
82 for i = 1, #protocols do protocols[protocols[i] .. "+"] = i - 1; end |
30ac122acdd3
certmanager: Support ssl.protocol syntax like "tlsv1+" that disables older protocols
Kim Alvefur <zash@zash.se>
parents:
6077
diff
changeset
|
83 |
3571
675d65036f31
certmanager, hostmanager, mod_tls: Move responsibility for creating per-host SSL contexts to mod_tls, meaning reloading certs is now as trivial as reloading mod_tls
Matthew Wild <mwild1@gmail.com>
parents:
3540
diff
changeset
|
84 function create_context(host, mode, user_ssl_config) |
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
85 user_ssl_config = user_ssl_config or {} |
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
86 user_ssl_config.mode = mode; |
3370
7c87af1c9a68
certmanager: Fix to handle the case of no SSL configuration at all
Matthew Wild <mwild1@gmail.com>
parents:
3369
diff
changeset
|
87 |
3400 | 88 if not ssl then return nil, "LuaSec (required for encryption) was not found"; end |
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
89 |
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
90 if global_ssl_config then |
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
91 for option,default_value in pairs(global_ssl_config) do |
6073
4a1fdd72e98a
certmanager: Check for non-nil values instead of true-ish values, allows removing defaults
Kim Alvefur <zash@zash.se>
parents:
5922
diff
changeset
|
92 if user_ssl_config[option] == nil then |
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
93 user_ssl_config[option] = default_value; |
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
94 end |
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
95 end |
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
96 end |
6073
4a1fdd72e98a
certmanager: Check for non-nil values instead of true-ish values, allows removing defaults
Kim Alvefur <zash@zash.se>
parents:
5922
diff
changeset
|
97 |
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
98 for option,default_value in pairs(core_defaults) do |
6073
4a1fdd72e98a
certmanager: Check for non-nil values instead of true-ish values, allows removing defaults
Kim Alvefur <zash@zash.se>
parents:
5922
diff
changeset
|
99 if user_ssl_config[option] == nil then |
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
100 user_ssl_config[option] = default_value; |
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
101 end |
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
102 end |
6076
e0713386319a
certmanager: Wrap long line and add comment
Kim Alvefur <zash@zash.se>
parents:
6075
diff
changeset
|
103 |
6077
6999d4415a58
certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost
Kim Alvefur <zash@zash.se>
parents:
6076
diff
changeset
|
104 for option in pairs(set_options) do |
6999d4415a58
certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost
Kim Alvefur <zash@zash.se>
parents:
6076
diff
changeset
|
105 local merged = {}; |
6999d4415a58
certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost
Kim Alvefur <zash@zash.se>
parents:
6076
diff
changeset
|
106 merge_set(core_defaults[option], merged); |
6087
821756a862b0
certmanager: Fix traceback if no global 'ssl' section set (thanks albert)
Kim Alvefur <zash@zash.se>
parents:
6080
diff
changeset
|
107 if global_ssl_config then |
821756a862b0
certmanager: Fix traceback if no global 'ssl' section set (thanks albert)
Kim Alvefur <zash@zash.se>
parents:
6080
diff
changeset
|
108 merge_set(global_ssl_config[option], merged); |
821756a862b0
certmanager: Fix traceback if no global 'ssl' section set (thanks albert)
Kim Alvefur <zash@zash.se>
parents:
6080
diff
changeset
|
109 end |
6077
6999d4415a58
certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost
Kim Alvefur <zash@zash.se>
parents:
6076
diff
changeset
|
110 merge_set(user_ssl_config[option], merged); |
6999d4415a58
certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost
Kim Alvefur <zash@zash.se>
parents:
6076
diff
changeset
|
111 local final_array = {}; |
6999d4415a58
certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost
Kim Alvefur <zash@zash.se>
parents:
6076
diff
changeset
|
112 for opt, enable in pairs(merged) do |
6999d4415a58
certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost
Kim Alvefur <zash@zash.se>
parents:
6076
diff
changeset
|
113 if enable then |
6999d4415a58
certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost
Kim Alvefur <zash@zash.se>
parents:
6076
diff
changeset
|
114 final_array[#final_array+1] = opt; |
6999d4415a58
certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost
Kim Alvefur <zash@zash.se>
parents:
6076
diff
changeset
|
115 end |
6999d4415a58
certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost
Kim Alvefur <zash@zash.se>
parents:
6076
diff
changeset
|
116 end |
6999d4415a58
certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost
Kim Alvefur <zash@zash.se>
parents:
6076
diff
changeset
|
117 user_ssl_config[option] = final_array; |
6999d4415a58
certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost
Kim Alvefur <zash@zash.se>
parents:
6076
diff
changeset
|
118 end |
6999d4415a58
certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost
Kim Alvefur <zash@zash.se>
parents:
6076
diff
changeset
|
119 |
6089
d774cb85664b
certmanager: Move ssl.protocol handling to after ssl.options is a table (thanks Ralph)
Kim Alvefur <zash@zash.se>
parents:
6087
diff
changeset
|
120 local min_protocol = protocols[user_ssl_config.protocol]; |
d774cb85664b
certmanager: Move ssl.protocol handling to after ssl.options is a table (thanks Ralph)
Kim Alvefur <zash@zash.se>
parents:
6087
diff
changeset
|
121 if min_protocol then |
d774cb85664b
certmanager: Move ssl.protocol handling to after ssl.options is a table (thanks Ralph)
Kim Alvefur <zash@zash.se>
parents:
6087
diff
changeset
|
122 user_ssl_config.protocol = "sslv23"; |
d774cb85664b
certmanager: Move ssl.protocol handling to after ssl.options is a table (thanks Ralph)
Kim Alvefur <zash@zash.se>
parents:
6087
diff
changeset
|
123 for i = 1, min_protocol do |
d774cb85664b
certmanager: Move ssl.protocol handling to after ssl.options is a table (thanks Ralph)
Kim Alvefur <zash@zash.se>
parents:
6087
diff
changeset
|
124 t_insert(user_ssl_config.options, "no_"..protocols[i]); |
d774cb85664b
certmanager: Move ssl.protocol handling to after ssl.options is a table (thanks Ralph)
Kim Alvefur <zash@zash.se>
parents:
6087
diff
changeset
|
125 end |
d774cb85664b
certmanager: Move ssl.protocol handling to after ssl.options is a table (thanks Ralph)
Kim Alvefur <zash@zash.se>
parents:
6087
diff
changeset
|
126 end |
d774cb85664b
certmanager: Move ssl.protocol handling to after ssl.options is a table (thanks Ralph)
Kim Alvefur <zash@zash.se>
parents:
6087
diff
changeset
|
127 |
6076
e0713386319a
certmanager: Wrap long line and add comment
Kim Alvefur <zash@zash.se>
parents:
6075
diff
changeset
|
128 -- We can't read the password interactively when daemonized |
e0713386319a
certmanager: Wrap long line and add comment
Kim Alvefur <zash@zash.se>
parents:
6075
diff
changeset
|
129 user_ssl_config.password = user_ssl_config.password or |
e0713386319a
certmanager: Wrap long line and add comment
Kim Alvefur <zash@zash.se>
parents:
6075
diff
changeset
|
130 function() log("error", "Encrypted certificate for %s requires 'ssl' 'password' to be set in config", host); end; |
e0713386319a
certmanager: Wrap long line and add comment
Kim Alvefur <zash@zash.se>
parents:
6075
diff
changeset
|
131 |
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
132 for option in pairs(path_options) do |
5822
970c666c5586
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5821
diff
changeset
|
133 if type(user_ssl_config[option]) == "string" then |
970c666c5586
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5821
diff
changeset
|
134 user_ssl_config[option] = resolve_path(config_path, user_ssl_config[option]); |
970c666c5586
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5821
diff
changeset
|
135 end |
5816
20e2b588f8c2
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5815
diff
changeset
|
136 end |
20e2b588f8c2
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5815
diff
changeset
|
137 |
6075
524060125f9c
certmanager: Concatenate cipher list if given as a table
Kim Alvefur <zash@zash.se>
parents:
6074
diff
changeset
|
138 -- Allow the cipher list to be a table |
524060125f9c
certmanager: Concatenate cipher list if given as a table
Kim Alvefur <zash@zash.se>
parents:
6074
diff
changeset
|
139 if type(user_ssl_config.ciphers) == "table" then |
524060125f9c
certmanager: Concatenate cipher list if given as a table
Kim Alvefur <zash@zash.se>
parents:
6074
diff
changeset
|
140 user_ssl_config.ciphers = t_concat(user_ssl_config.ciphers, ":") |
524060125f9c
certmanager: Concatenate cipher list if given as a table
Kim Alvefur <zash@zash.se>
parents:
6074
diff
changeset
|
141 end |
524060125f9c
certmanager: Concatenate cipher list if given as a table
Kim Alvefur <zash@zash.se>
parents:
6074
diff
changeset
|
142 |
6074
6498554adb0d
certmanager: Allow non-server contexts to be without certificate and key
Kim Alvefur <zash@zash.se>
parents:
6073
diff
changeset
|
143 if mode == "server" then |
6498554adb0d
certmanager: Allow non-server contexts to be without certificate and key
Kim Alvefur <zash@zash.se>
parents:
6073
diff
changeset
|
144 if not user_ssl_config.key then return nil, "No key present in SSL/TLS configuration for "..host; end |
6498554adb0d
certmanager: Allow non-server contexts to be without certificate and key
Kim Alvefur <zash@zash.se>
parents:
6073
diff
changeset
|
145 if not user_ssl_config.certificate then return nil, "No certificate present in SSL/TLS configuration for "..host; end |
6498554adb0d
certmanager: Allow non-server contexts to be without certificate and key
Kim Alvefur <zash@zash.se>
parents:
6073
diff
changeset
|
146 end |
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
147 |
5816
20e2b588f8c2
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5815
diff
changeset
|
148 -- LuaSec expects dhparam to be a callback that takes two arguments. |
20e2b588f8c2
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5815
diff
changeset
|
149 -- We ignore those because it is mostly used for having a separate |
20e2b588f8c2
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5815
diff
changeset
|
150 -- set of params for EXPORT ciphers, which we don't have by default. |
5822
970c666c5586
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5821
diff
changeset
|
151 if type(user_ssl_config.dhparam) == "string" then |
970c666c5586
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5821
diff
changeset
|
152 local f, err = io_open(user_ssl_config.dhparam); |
5816
20e2b588f8c2
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5815
diff
changeset
|
153 if not f then return nil, "Could not open DH parameters: "..err end |
20e2b588f8c2
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5815
diff
changeset
|
154 local dhparam = f:read("*a"); |
20e2b588f8c2
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5815
diff
changeset
|
155 f:close(); |
5822
970c666c5586
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5821
diff
changeset
|
156 user_ssl_config.dhparam = function() return dhparam; end |
5816
20e2b588f8c2
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5815
diff
changeset
|
157 end |
20e2b588f8c2
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5815
diff
changeset
|
158 |
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
159 local ctx, err = ssl_newcontext(user_ssl_config); |
4359
c69cbac4178f
certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents:
3670
diff
changeset
|
160 |
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
161 -- COMPAT Older LuaSec ignores the cipher list from the config, so we have to take care |
4359
c69cbac4178f
certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents:
3670
diff
changeset
|
162 -- of it ourselves (W/A for #x) |
c69cbac4178f
certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents:
3670
diff
changeset
|
163 if ctx and user_ssl_config.ciphers then |
c69cbac4178f
certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents:
3670
diff
changeset
|
164 local success; |
c69cbac4178f
certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents:
3670
diff
changeset
|
165 success, err = ssl.context.setcipher(ctx, user_ssl_config.ciphers); |
c69cbac4178f
certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents:
3670
diff
changeset
|
166 if not success then ctx = nil; end |
c69cbac4178f
certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents:
3670
diff
changeset
|
167 end |
c69cbac4178f
certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents:
3670
diff
changeset
|
168 |
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
169 if not ctx then |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
170 err = err or "invalid ssl config" |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
171 local file = err:match("^error loading (.-) %("); |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
172 if file then |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
173 if file == "private key" then |
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
174 file = user_ssl_config.key or "your private key"; |
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
175 elseif file == "certificate" then |
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
176 file = user_ssl_config.certificate or "your certificate file"; |
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
177 end |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
178 local reason = err:match("%((.+)%)$") or "some reason"; |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
179 if reason == "Permission denied" then |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
180 reason = "Check that the permissions allow Prosody to read this file."; |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
181 elseif reason == "No such file or directory" then |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
182 reason = "Check that the path is correct, and the file exists."; |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
183 elseif reason == "system lib" then |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
184 reason = "Previous error (see logs), or other system error."; |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
185 elseif reason == "(null)" or not reason then |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
186 reason = "Check that the file exists and the permissions are correct"; |
2630
e8fc67b73820
certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
187 else |
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
188 reason = "Reason: "..tostring(reason):lower(); |
2630
e8fc67b73820
certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
189 end |
4925
55f6e0673e33
certmanager: Add quotes around cert file path when logging.
Waqas Hussain <waqas20@gmail.com>
parents:
4900
diff
changeset
|
190 log("error", "SSL/TLS: Failed to load '%s': %s (for %s)", file, reason, host); |
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
191 else |
4855
a31ea431d906
certmanager: Adjust error messages to be non-specific about 'host' (so we can specify a service name instead ffor SSL)
Matthew Wild <mwild1@gmail.com>
parents:
4656
diff
changeset
|
192 log("error", "SSL/TLS: Error initialising for %s: %s", host, err); |
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
193 end |
3540
bc139431830b
Monster whitespace commit (beware the whitespace monster).
Waqas Hussain <waqas20@gmail.com>
parents:
3402
diff
changeset
|
194 end |
bc139431830b
Monster whitespace commit (beware the whitespace monster).
Waqas Hussain <waqas20@gmail.com>
parents:
3402
diff
changeset
|
195 return ctx, err; |
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
196 end |
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
197 |
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
198 function reload_ssl_config() |
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
199 global_ssl_config = configmanager.get("*", "ssl"); |
6080
b7d1607df87d
certmanager: Update ssl_compression when config is reloaded
Kim Alvefur <zash@zash.se>
parents:
6079
diff
changeset
|
200 if luasec_has_no_compression then |
b7d1607df87d
certmanager: Update ssl_compression when config is reloaded
Kim Alvefur <zash@zash.se>
parents:
6079
diff
changeset
|
201 core_defaults.options.no_compression = configmanager.get("*", "ssl_compression") ~= true; |
b7d1607df87d
certmanager: Update ssl_compression when config is reloaded
Kim Alvefur <zash@zash.se>
parents:
6079
diff
changeset
|
202 end |
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
203 end |
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
204 |
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
205 prosody.events.add_handler("config-reloaded", reload_ssl_config); |
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
206 |
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
207 return _M; |