Software /
code /
prosody
Annotate
core/certmanager.lua @ 13251:7748dfb201de
core.portmanager: Hint at HTTP servers for conflicts over port 443
Since 443 is just as much a web port as port 80 these days, if not more.
What's with port 81 here?
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sat, 29 Jul 2023 02:00:55 +0200 |
parent | 13179:1b1ed555f307 |
rev | line source |
---|---|
3369
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
1 -- Prosody IM |
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
2 -- Copyright (C) 2008-2010 Matthew Wild |
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
3 -- Copyright (C) 2008-2010 Waqas Hussain |
5776
bd0ff8ae98a8
Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
5746
diff
changeset
|
4 -- |
3369
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
5 -- This project is MIT/X11 licensed. Please see the |
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
6 -- COPYING file in the source package for more information. |
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
7 -- |
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
8 |
12972
ead41e25ebc0
core: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents:
12508
diff
changeset
|
9 local configmanager = require "prosody.core.configmanager"; |
ead41e25ebc0
core: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents:
12508
diff
changeset
|
10 local log = require "prosody.util.logger".init("certmanager"); |
ead41e25ebc0
core: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents:
12508
diff
changeset
|
11 local new_config = require"prosody.net.server".tls_builder; |
13115
749376d75b40
net.certmanager: Move LuaSec feature detection to net.tls_luasec
Kim Alvefur <zash@zash.se>
parents:
12972
diff
changeset
|
12 local tls = require "prosody.net.tls_luasec"; |
7122
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
13 local stat = require "lfs".attributes; |
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
14 |
12972
ead41e25ebc0
core: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents:
12508
diff
changeset
|
15 local x509 = require "prosody.util.x509"; |
11532
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
16 local lfs = require "lfs"; |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
17 |
7160
5c1ee8c06235
certmanager: Localize tonumber
Matthew Wild <mwild1@gmail.com>
parents:
7145
diff
changeset
|
18 local tonumber, tostring = tonumber, tostring; |
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
19 local pairs = pairs; |
8404
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8403
diff
changeset
|
20 local t_remove = table.remove; |
5820
6bc4077bc1f9
certmanager: Fix dhparam callback, missing imports (Testing, pfft)
Kim Alvefur <zash@zash.se>
parents:
5816
diff
changeset
|
21 local type = type; |
6bc4077bc1f9
certmanager: Fix dhparam callback, missing imports (Testing, pfft)
Kim Alvefur <zash@zash.se>
parents:
5816
diff
changeset
|
22 local io_open = io.open; |
6294
0033b021038f
core.certmanager: Make create_context() support an arbitrary number of option sets, merging all
Kim Alvefur <zash@zash.se>
parents:
6293
diff
changeset
|
23 local select = select; |
11532
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
24 local now = os.time; |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
25 local next = next; |
11538
30feeb4d9d0b
core.certmanager: Catch error from lfs
Kim Alvefur <zash@zash.se>
parents:
11537
diff
changeset
|
26 local pcall = pcall; |
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
27 |
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
28 local prosody = prosody; |
12972
ead41e25ebc0
core: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents:
12508
diff
changeset
|
29 local pathutil = require"prosody.util.paths"; |
11533
f97592336399
core.certmanager: Join paths with OS-aware util.paths function
Kim Alvefur <zash@zash.se>
parents:
11532
diff
changeset
|
30 local resolve_path = pathutil.resolve_relative_path; |
7531
2db68d1a6eeb
certmanager: Assume default config path of '.' (fixes prosodyctl check certs when not installed)
Kim Alvefur <zash@zash.se>
parents:
7319
diff
changeset
|
31 local config_path = prosody.paths.config or "."; |
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
32 |
6779
6236668da30a
core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents:
6570
diff
changeset
|
33 local _ENV = nil; |
8555
4f0f5b49bb03
vairious: Add annotation when an empty environment is set [luacheck]
Kim Alvefur <zash@zash.se>
parents:
8494
diff
changeset
|
34 -- luacheck: std none |
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
35 |
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
36 -- Global SSL options if not overridden per-host |
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
37 local global_ssl_config = configmanager.get("*", "ssl"); |
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
38 |
7122
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
39 local global_certificates = configmanager.get("*", "certificates") or "certs"; |
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
40 |
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
41 local crt_try = { "", "/%s.crt", "/%s/fullchain.pem", "/%s.pem", }; |
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
42 local key_try = { "", "/%s.key", "/%s/privkey.pem", "/%s.pem", }; |
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
43 |
7140
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
44 local function find_cert(user_certs, name) |
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
45 local certs = resolve_path(config_path, user_certs or global_certificates); |
8259
db063671b73e
certmanager: Add debug logging (thanks av6)
Matthew Wild <mwild1@gmail.com>
parents:
8159
diff
changeset
|
46 log("debug", "Searching %s for a key and certificate for %s...", certs, name); |
7122
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
47 for i = 1, #crt_try do |
7140
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
48 local crt_path = certs .. crt_try[i]:format(name); |
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
49 local key_path = certs .. key_try[i]:format(name); |
7122
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
50 |
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
51 if stat(crt_path, "mode") == "file" then |
10709
fcf7f50ccdd0
core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents:
8828
diff
changeset
|
52 if crt_path == key_path then |
fcf7f50ccdd0
core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents:
8828
diff
changeset
|
53 if key_path:sub(-4) == ".crt" then |
fcf7f50ccdd0
core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents:
8828
diff
changeset
|
54 key_path = key_path:sub(1, -4) .. "key"; |
11531
2bd91d4a0fcf
core.certmanager: Check for complete filename
Kim Alvefur <zash@zash.se>
parents:
11368
diff
changeset
|
55 elseif key_path:sub(-14) == "/fullchain.pem" then |
10709
fcf7f50ccdd0
core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents:
8828
diff
changeset
|
56 key_path = key_path:sub(1, -14) .. "privkey.pem"; |
7122
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
57 end |
10709
fcf7f50ccdd0
core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents:
8828
diff
changeset
|
58 end |
fcf7f50ccdd0
core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents:
8828
diff
changeset
|
59 |
fcf7f50ccdd0
core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents:
8828
diff
changeset
|
60 if stat(key_path, "mode") == "file" then |
8259
db063671b73e
certmanager: Add debug logging (thanks av6)
Matthew Wild <mwild1@gmail.com>
parents:
8159
diff
changeset
|
61 log("debug", "Selecting certificate %s with key %s for %s", crt_path, key_path, name); |
7145
b1a109858502
certmanager: Try filename.key if certificate is set to a full filename ending with .crt
Kim Alvefur <zash@zash.se>
parents:
7144
diff
changeset
|
62 return { certificate = crt_path, key = key_path }; |
7122
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
63 end |
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
64 end |
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
65 end |
8259
db063671b73e
certmanager: Add debug logging (thanks av6)
Matthew Wild <mwild1@gmail.com>
parents:
8159
diff
changeset
|
66 log("debug", "No certificate/key found for %s", name); |
7122
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
67 end |
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
68 |
11534
1cef62ca3e03
core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents:
11533
diff
changeset
|
69 local function find_matching_key(cert_path) |
12287
5cd075ed4fd3
core.certmanager: Relax certificate filename check #1713
Kim Alvefur <zash@zash.se>
parents:
12197
diff
changeset
|
70 return (cert_path:gsub("%.crt$", ".key"):gsub("fullchain", "privkey")); |
11534
1cef62ca3e03
core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents:
11533
diff
changeset
|
71 end |
1cef62ca3e03
core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents:
11533
diff
changeset
|
72 |
11532
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
73 local function index_certs(dir, files_by_name, depth_limit) |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
74 files_by_name = files_by_name or {}; |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
75 depth_limit = depth_limit or 3; |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
76 if depth_limit <= 0 then return files_by_name; end |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
77 |
11538
30feeb4d9d0b
core.certmanager: Catch error from lfs
Kim Alvefur <zash@zash.se>
parents:
11537
diff
changeset
|
78 local ok, iter, v, i = pcall(lfs.dir, dir); |
30feeb4d9d0b
core.certmanager: Catch error from lfs
Kim Alvefur <zash@zash.se>
parents:
11537
diff
changeset
|
79 if not ok then |
30feeb4d9d0b
core.certmanager: Catch error from lfs
Kim Alvefur <zash@zash.se>
parents:
11537
diff
changeset
|
80 log("error", "Error indexing certificate directory %s: %s", dir, iter); |
30feeb4d9d0b
core.certmanager: Catch error from lfs
Kim Alvefur <zash@zash.se>
parents:
11537
diff
changeset
|
81 -- Return an empty index, otherwise this just triggers a nil indexing |
30feeb4d9d0b
core.certmanager: Catch error from lfs
Kim Alvefur <zash@zash.se>
parents:
11537
diff
changeset
|
82 -- error, plus this function would get called again. |
30feeb4d9d0b
core.certmanager: Catch error from lfs
Kim Alvefur <zash@zash.se>
parents:
11537
diff
changeset
|
83 -- Reloading the config after correcting the problem calls this again so |
30feeb4d9d0b
core.certmanager: Catch error from lfs
Kim Alvefur <zash@zash.se>
parents:
11537
diff
changeset
|
84 -- that's what should be done. |
30feeb4d9d0b
core.certmanager: Catch error from lfs
Kim Alvefur <zash@zash.se>
parents:
11537
diff
changeset
|
85 return {}, iter; |
30feeb4d9d0b
core.certmanager: Catch error from lfs
Kim Alvefur <zash@zash.se>
parents:
11537
diff
changeset
|
86 end |
30feeb4d9d0b
core.certmanager: Catch error from lfs
Kim Alvefur <zash@zash.se>
parents:
11537
diff
changeset
|
87 for file in iter, v, i do |
11533
f97592336399
core.certmanager: Join paths with OS-aware util.paths function
Kim Alvefur <zash@zash.se>
parents:
11532
diff
changeset
|
88 local full = pathutil.join(dir, file); |
11532
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
89 if lfs.attributes(full, "mode") == "directory" then |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
90 if file:sub(1,1) ~= "." then |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
91 index_certs(full, files_by_name, depth_limit-1); |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
92 end |
12287
5cd075ed4fd3
core.certmanager: Relax certificate filename check #1713
Kim Alvefur <zash@zash.se>
parents:
12197
diff
changeset
|
93 elseif file:find("%.crt$") or file:find("fullchain") then -- This should catch most fullchain files |
11532
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
94 local f = io_open(full); |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
95 if f then |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
96 -- TODO look for chained certificates |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
97 local firstline = f:read(); |
12305
f8b8061461e3
core.certmanager: Ensure key exists for fullchain
Kim Alvefur <zash@zash.se>
parents:
12287
diff
changeset
|
98 if firstline == "-----BEGIN CERTIFICATE-----" and lfs.attributes(find_matching_key(full), "mode") == "file" then |
11532
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
99 f:seek("set") |
13116
58e793288d9c
net.tls_luasec: Expose method for loading a certificate
Kim Alvefur <zash@zash.se>
parents:
13115
diff
changeset
|
100 local cert = tls.load_certificate(f:read("*a")) |
11532
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
101 -- TODO if more than one cert is found for a name, the most recently |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
102 -- issued one should be used. |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
103 -- for now, just filter out expired certs |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
104 -- TODO also check if there's a corresponding key |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
105 if cert:validat(now()) then |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
106 local names = x509.get_identities(cert); |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
107 log("debug", "Found certificate %s with identities %q", full, names); |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
108 for name, services in pairs(names) do |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
109 -- TODO check services |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
110 if files_by_name[name] then |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
111 files_by_name[name][full] = services; |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
112 else |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
113 files_by_name[name] = { [full] = services; }; |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
114 end |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
115 end |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
116 end |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
117 end |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
118 f:close(); |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
119 end |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
120 end |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
121 end |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
122 log("debug", "Certificate index: %q", files_by_name); |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
123 -- | hostname | filename | service | |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
124 return files_by_name; |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
125 end |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
126 |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
127 local cert_index; |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
128 |
12104
29765ac7f72f
prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents:
12099
diff
changeset
|
129 local function find_cert_in_index(index, host) |
7140
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
130 if not host then return nil; end |
12104
29765ac7f72f
prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents:
12099
diff
changeset
|
131 if not index then return nil; end |
12105
47c9a76cce7d
core.certmanager: Check index for wildcard certs
Kim Alvefur <zash@zash.se>
parents:
12104
diff
changeset
|
132 local wildcard_host = host:gsub("^[^.]+%.", "*."); |
47c9a76cce7d
core.certmanager: Check index for wildcard certs
Kim Alvefur <zash@zash.se>
parents:
12104
diff
changeset
|
133 local certs = index[host] or index[wildcard_host]; |
11532
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
134 if certs then |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
135 local cert_filename, services = next(certs); |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
136 if services["*"] then |
12507
e242a6e74424
core.certmanager: Expand debug messages about cert lookups in index
Kim Alvefur <zash@zash.se>
parents:
12362
diff
changeset
|
137 log("debug", "Using cert %q from index for host %q", cert_filename, host); |
11534
1cef62ca3e03
core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents:
11533
diff
changeset
|
138 return { |
1cef62ca3e03
core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents:
11533
diff
changeset
|
139 certificate = cert_filename, |
1cef62ca3e03
core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents:
11533
diff
changeset
|
140 key = find_matching_key(cert_filename), |
1cef62ca3e03
core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents:
11533
diff
changeset
|
141 } |
11532
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
142 end |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
143 end |
12104
29765ac7f72f
prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents:
12099
diff
changeset
|
144 return nil |
29765ac7f72f
prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents:
12099
diff
changeset
|
145 end |
11532
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
146 |
12104
29765ac7f72f
prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents:
12099
diff
changeset
|
147 local function find_host_cert(host) |
29765ac7f72f
prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents:
12099
diff
changeset
|
148 if not host then return nil; end |
29765ac7f72f
prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents:
12099
diff
changeset
|
149 if not cert_index then |
29765ac7f72f
prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents:
12099
diff
changeset
|
150 cert_index = index_certs(resolve_path(config_path, global_certificates)); |
29765ac7f72f
prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents:
12099
diff
changeset
|
151 end |
29765ac7f72f
prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents:
12099
diff
changeset
|
152 |
29765ac7f72f
prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents:
12099
diff
changeset
|
153 return find_cert_in_index(cert_index, host) or find_cert(configmanager.get(host, "certificate"), host) or find_host_cert(host:match("%.(.+)$")); |
7140
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
154 end |
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
155 |
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
156 local function find_service_cert(service, port) |
11532
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
157 if not cert_index then |
11537
a09685a7b330
core.certmanager: Resolve certs path relative to config dir
Kim Alvefur <zash@zash.se>
parents:
11534
diff
changeset
|
158 cert_index = index_certs(resolve_path(config_path, global_certificates)); |
11532
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
159 end |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
160 for _, certs in pairs(cert_index) do |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
161 for cert_filename, services in pairs(certs) do |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
162 if services[service] or services["*"] then |
12507
e242a6e74424
core.certmanager: Expand debug messages about cert lookups in index
Kim Alvefur <zash@zash.se>
parents:
12362
diff
changeset
|
163 log("debug", "Using cert %q from index for service %s port %d", cert_filename, service, port); |
11534
1cef62ca3e03
core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents:
11533
diff
changeset
|
164 return { |
1cef62ca3e03
core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents:
11533
diff
changeset
|
165 certificate = cert_filename, |
1cef62ca3e03
core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents:
11533
diff
changeset
|
166 key = find_matching_key(cert_filename), |
1cef62ca3e03
core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents:
11533
diff
changeset
|
167 } |
11532
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
168 end |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
169 end |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
170 end |
7140
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
171 local cert_config = configmanager.get("*", service.."_certificate"); |
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
172 if type(cert_config) == "table" then |
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
173 cert_config = cert_config[port] or cert_config.default; |
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
174 end |
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
175 return find_cert(cert_config, service); |
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
176 end |
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
177 |
6079
5cffee5b2826
certmanager: Reformat core ssl defaults
Kim Alvefur <zash@zash.se>
parents:
6078
diff
changeset
|
178 -- Built-in defaults |
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
179 local core_defaults = { |
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
180 capath = "/etc/ssl/certs"; |
6568
b54b33f59c6e
certmanager: Limit certificate chain depth to 9
Kim Alvefur <zash@zash.se>
parents:
6567
diff
changeset
|
181 depth = 9; |
6078
30ac122acdd3
certmanager: Support ssl.protocol syntax like "tlsv1+" that disables older protocols
Kim Alvefur <zash@zash.se>
parents:
6077
diff
changeset
|
182 protocol = "tlsv1+"; |
9852
6ea3cafb6ac3
core.certmanager: Do not ask for client certificates by default
Kim Alvefur <zash@zash.se>
parents:
8828
diff
changeset
|
183 verify = "none"; |
6079
5cffee5b2826
certmanager: Reformat core ssl defaults
Kim Alvefur <zash@zash.se>
parents:
6078
diff
changeset
|
184 options = { |
13115
749376d75b40
net.certmanager: Move LuaSec feature detection to net.tls_luasec
Kim Alvefur <zash@zash.se>
parents:
12972
diff
changeset
|
185 cipher_server_preference = tls.features.options.cipher_server_preference; |
749376d75b40
net.certmanager: Move LuaSec feature detection to net.tls_luasec
Kim Alvefur <zash@zash.se>
parents:
12972
diff
changeset
|
186 no_ticket = tls.features.options.no_ticket; |
749376d75b40
net.certmanager: Move LuaSec feature detection to net.tls_luasec
Kim Alvefur <zash@zash.se>
parents:
12972
diff
changeset
|
187 no_compression = tls.features.options.no_compression and configmanager.get("*", "ssl_compression") ~= true; |
749376d75b40
net.certmanager: Move LuaSec feature detection to net.tls_luasec
Kim Alvefur <zash@zash.se>
parents:
12972
diff
changeset
|
188 single_dh_use = tls.features.options.single_dh_use; |
749376d75b40
net.certmanager: Move LuaSec feature detection to net.tls_luasec
Kim Alvefur <zash@zash.se>
parents:
12972
diff
changeset
|
189 single_ecdh_use = tls.features.options.single_ecdh_use; |
749376d75b40
net.certmanager: Move LuaSec feature detection to net.tls_luasec
Kim Alvefur <zash@zash.se>
parents:
12972
diff
changeset
|
190 no_renegotiation = tls.features.options.no_renegotiation; |
6079
5cffee5b2826
certmanager: Reformat core ssl defaults
Kim Alvefur <zash@zash.se>
parents:
6078
diff
changeset
|
191 }; |
11368
0bc3acf37428
core.certmanager: Add comments explaining the 'verifyext' TLS settings
Kim Alvefur <zash@zash.se>
parents:
10919
diff
changeset
|
192 verifyext = { |
0bc3acf37428
core.certmanager: Add comments explaining the 'verifyext' TLS settings
Kim Alvefur <zash@zash.se>
parents:
10919
diff
changeset
|
193 "lsec_continue", -- Continue past certificate verification errors |
0bc3acf37428
core.certmanager: Add comments explaining the 'verifyext' TLS settings
Kim Alvefur <zash@zash.se>
parents:
10919
diff
changeset
|
194 "lsec_ignore_purpose", -- Validate client certificates as if they were server certificates |
0bc3acf37428
core.certmanager: Add comments explaining the 'verifyext' TLS settings
Kim Alvefur <zash@zash.se>
parents:
10919
diff
changeset
|
195 }; |
13115
749376d75b40
net.certmanager: Move LuaSec feature detection to net.tls_luasec
Kim Alvefur <zash@zash.se>
parents:
12972
diff
changeset
|
196 curve = tls.features.algorithms.ec and not tls.features.capabilities.curves_list and "secp384r1"; |
8279
92cddfe65003
core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents:
8274
diff
changeset
|
197 curveslist = { |
92cddfe65003
core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents:
8274
diff
changeset
|
198 "X25519", |
92cddfe65003
core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents:
8274
diff
changeset
|
199 "P-384", |
92cddfe65003
core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents:
8274
diff
changeset
|
200 "P-256", |
92cddfe65003
core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents:
8274
diff
changeset
|
201 "P-521", |
92cddfe65003
core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents:
8274
diff
changeset
|
202 }; |
7663
54424e981796
core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents:
7531
diff
changeset
|
203 ciphers = { -- Enabled ciphers in order of preference: |
10721
3a1b1d3084fb
core.certmanager: Move EECDH ciphers before EDH in default cipherstring (fixes #1513)
Kim Alvefur <zash@zash.se>
parents:
10709
diff
changeset
|
204 "HIGH+kEECDH", -- Ephemeral Elliptic curve Diffie-Hellman key exchange |
7663
54424e981796
core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents:
7531
diff
changeset
|
205 "HIGH+kEDH", -- Ephemeral Diffie-Hellman key exchange, if a 'dhparam' file is set |
54424e981796
core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents:
7531
diff
changeset
|
206 "HIGH", -- Other "High strength" ciphers |
54424e981796
core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents:
7531
diff
changeset
|
207 -- Disabled cipher suites: |
54424e981796
core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents:
7531
diff
changeset
|
208 "!PSK", -- Pre-Shared Key - not used for XMPP |
54424e981796
core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents:
7531
diff
changeset
|
209 "!SRP", -- Secure Remote Password - not used for XMPP |
54424e981796
core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents:
7531
diff
changeset
|
210 "!3DES", -- 3DES - slow and of questionable security |
54424e981796
core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents:
7531
diff
changeset
|
211 "!aNULL", -- Ciphers that does not authenticate the connection |
54424e981796
core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents:
7531
diff
changeset
|
212 }; |
13115
749376d75b40
net.certmanager: Move LuaSec feature detection to net.tls_luasec
Kim Alvefur <zash@zash.se>
parents:
12972
diff
changeset
|
213 dane = tls.features.capabilities.dane and configmanager.get("*", "use_dane") and { "no_ee_namechecks" }; |
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
214 } |
8404
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8403
diff
changeset
|
215 |
12096
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
216 local mozilla_ssl_configs = { |
12097
9c794d5f6f8d
core.certmanager: Add TLS 1.3 cipher suites to Mozilla TLS presets
Kim Alvefur <zash@zash.se>
parents:
12096
diff
changeset
|
217 -- https://wiki.mozilla.org/Security/Server_Side_TLS |
13178
e689d4c45681
core.certmanager: Update Mozilla TLS config to version 5.7
Kim Alvefur <zash@zash.se>
parents:
12507
diff
changeset
|
218 -- Version 5.7 as of 2023-07-09 |
12096
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
219 modern = { |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
220 protocol = "tlsv1_3"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
221 options = { cipher_server_preference = false }; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
222 ciphers = "DEFAULT"; -- TLS 1.3 uses 'ciphersuites' rather than these |
12097
9c794d5f6f8d
core.certmanager: Add TLS 1.3 cipher suites to Mozilla TLS presets
Kim Alvefur <zash@zash.se>
parents:
12096
diff
changeset
|
223 curveslist = { "X25519"; "prime256v1"; "secp384r1" }; |
9c794d5f6f8d
core.certmanager: Add TLS 1.3 cipher suites to Mozilla TLS presets
Kim Alvefur <zash@zash.se>
parents:
12096
diff
changeset
|
224 ciphersuites = { "TLS_AES_128_GCM_SHA256"; "TLS_AES_256_GCM_SHA384"; "TLS_CHACHA20_POLY1305_SHA256" }; |
12096
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
225 }; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
226 intermediate = { |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
227 protocol = "tlsv1_2+"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
228 dhparam = nil; -- ffdhe2048.txt |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
229 options = { cipher_server_preference = false }; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
230 ciphers = { |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
231 "ECDHE-ECDSA-AES128-GCM-SHA256"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
232 "ECDHE-RSA-AES128-GCM-SHA256"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
233 "ECDHE-ECDSA-AES256-GCM-SHA384"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
234 "ECDHE-RSA-AES256-GCM-SHA384"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
235 "ECDHE-ECDSA-CHACHA20-POLY1305"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
236 "ECDHE-RSA-CHACHA20-POLY1305"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
237 "DHE-RSA-AES128-GCM-SHA256"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
238 "DHE-RSA-AES256-GCM-SHA384"; |
13178
e689d4c45681
core.certmanager: Update Mozilla TLS config to version 5.7
Kim Alvefur <zash@zash.se>
parents:
12507
diff
changeset
|
239 "DHE-RSA-CHACHA20-POLY1305"; |
12096
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
240 }; |
12097
9c794d5f6f8d
core.certmanager: Add TLS 1.3 cipher suites to Mozilla TLS presets
Kim Alvefur <zash@zash.se>
parents:
12096
diff
changeset
|
241 curveslist = { "X25519"; "prime256v1"; "secp384r1" }; |
9c794d5f6f8d
core.certmanager: Add TLS 1.3 cipher suites to Mozilla TLS presets
Kim Alvefur <zash@zash.se>
parents:
12096
diff
changeset
|
242 ciphersuites = { "TLS_AES_128_GCM_SHA256"; "TLS_AES_256_GCM_SHA384"; "TLS_CHACHA20_POLY1305_SHA256" }; |
12096
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
243 }; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
244 old = { |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
245 protocol = "tlsv1+"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
246 dhparam = nil; -- openssl dhparam 1024 |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
247 options = { cipher_server_preference = true }; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
248 ciphers = { |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
249 "ECDHE-ECDSA-AES128-GCM-SHA256"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
250 "ECDHE-RSA-AES128-GCM-SHA256"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
251 "ECDHE-ECDSA-AES256-GCM-SHA384"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
252 "ECDHE-RSA-AES256-GCM-SHA384"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
253 "ECDHE-ECDSA-CHACHA20-POLY1305"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
254 "ECDHE-RSA-CHACHA20-POLY1305"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
255 "DHE-RSA-AES128-GCM-SHA256"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
256 "DHE-RSA-AES256-GCM-SHA384"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
257 "DHE-RSA-CHACHA20-POLY1305"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
258 "ECDHE-ECDSA-AES128-SHA256"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
259 "ECDHE-RSA-AES128-SHA256"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
260 "ECDHE-ECDSA-AES128-SHA"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
261 "ECDHE-RSA-AES128-SHA"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
262 "ECDHE-ECDSA-AES256-SHA384"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
263 "ECDHE-RSA-AES256-SHA384"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
264 "ECDHE-ECDSA-AES256-SHA"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
265 "ECDHE-RSA-AES256-SHA"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
266 "DHE-RSA-AES128-SHA256"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
267 "DHE-RSA-AES256-SHA256"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
268 "AES128-GCM-SHA256"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
269 "AES256-GCM-SHA384"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
270 "AES128-SHA256"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
271 "AES256-SHA256"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
272 "AES128-SHA"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
273 "AES256-SHA"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
274 "DES-CBC3-SHA"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
275 }; |
12120
0fcd80a55f15
core.certmanager: Add curveslist to 'old' Mozilla TLS preset
Kim Alvefur <zash@zash.se>
parents:
12105
diff
changeset
|
276 curveslist = { "X25519"; "prime256v1"; "secp384r1" }; |
12097
9c794d5f6f8d
core.certmanager: Add TLS 1.3 cipher suites to Mozilla TLS presets
Kim Alvefur <zash@zash.se>
parents:
12096
diff
changeset
|
277 ciphersuites = { "TLS_AES_128_GCM_SHA256"; "TLS_AES_256_GCM_SHA384"; "TLS_CHACHA20_POLY1305_SHA256" }; |
12096
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
278 }; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
279 }; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
280 |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
281 |
13115
749376d75b40
net.certmanager: Move LuaSec feature detection to net.tls_luasec
Kim Alvefur <zash@zash.se>
parents:
12972
diff
changeset
|
282 if tls.features.curves then |
8404
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8403
diff
changeset
|
283 for i = #core_defaults.curveslist, 1, -1 do |
13115
749376d75b40
net.certmanager: Move LuaSec feature detection to net.tls_luasec
Kim Alvefur <zash@zash.se>
parents:
12972
diff
changeset
|
284 if not tls.features.curves[ core_defaults.curveslist[i] ] then |
8404
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8403
diff
changeset
|
285 t_remove(core_defaults.curveslist, i); |
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8403
diff
changeset
|
286 end |
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8403
diff
changeset
|
287 end |
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8403
diff
changeset
|
288 else |
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8403
diff
changeset
|
289 core_defaults.curveslist = nil; |
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8403
diff
changeset
|
290 end |
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8403
diff
changeset
|
291 |
6779
6236668da30a
core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents:
6570
diff
changeset
|
292 local function create_context(host, mode, ...) |
6293
851fb5e9fa0c
core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents:
6165
diff
changeset
|
293 local cfg = new_config(); |
851fb5e9fa0c
core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents:
6165
diff
changeset
|
294 cfg:apply(core_defaults); |
8827
1a29b56a2d63
core.certmanager: Allow all non-whitespace in service name (fixes #1019)
Kim Alvefur <zash@zash.se>
parents:
8494
diff
changeset
|
295 local service_name, port = host:match("^(%S+) port (%d+)$"); |
11591
e7a964572f6b
core.certmanager: Skip service certificate lookup for https client
Kim Alvefur <zash@zash.se>
parents:
11560
diff
changeset
|
296 -- port 0 is used with client-only things that normally don't need certificates, e.g. https |
e7a964572f6b
core.certmanager: Skip service certificate lookup for https client
Kim Alvefur <zash@zash.se>
parents:
11560
diff
changeset
|
297 if service_name and port ~= "0" then |
11532
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
298 log("debug", "Automatically locating certs for service %s on port %s", service_name, port); |
7140
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
299 cfg:apply(find_service_cert(service_name, tonumber(port))); |
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
300 else |
11532
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
301 log("debug", "Automatically locating certs for host %s", host); |
7140
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
302 cfg:apply(find_host_cert(host)); |
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
303 end |
6293
851fb5e9fa0c
core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents:
6165
diff
changeset
|
304 cfg:apply({ |
851fb5e9fa0c
core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents:
6165
diff
changeset
|
305 mode = mode, |
851fb5e9fa0c
core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents:
6165
diff
changeset
|
306 -- We can't read the password interactively when daemonized |
851fb5e9fa0c
core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents:
6165
diff
changeset
|
307 password = function() log("error", "Encrypted certificate for %s requires 'ssl' 'password' to be set in config", host); end; |
851fb5e9fa0c
core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents:
6165
diff
changeset
|
308 }); |
12197
95d25e620dc2
core.certmanager: Use 'tls_profile' instead of 'tls_preset' to match documentation
Kim Alvefur <zash@zash.se>
parents:
12196
diff
changeset
|
309 local profile = configmanager.get("*", "tls_profile") or "intermediate"; |
95d25e620dc2
core.certmanager: Use 'tls_profile' instead of 'tls_preset' to match documentation
Kim Alvefur <zash@zash.se>
parents:
12196
diff
changeset
|
310 if profile ~= "legacy" then |
95d25e620dc2
core.certmanager: Use 'tls_profile' instead of 'tls_preset' to match documentation
Kim Alvefur <zash@zash.se>
parents:
12196
diff
changeset
|
311 cfg:apply(mozilla_ssl_configs[profile]); |
12098
9591b838e3b0
core.certmanager: Add "legacy" preset for keeping previous default settings
Kim Alvefur <zash@zash.se>
parents:
12097
diff
changeset
|
312 end |
12196
b05e0b422ff7
core.certmanager: Apply TLS preset before global settings (thanks Menel)
Kim Alvefur <zash@zash.se>
parents:
12150
diff
changeset
|
313 cfg:apply(global_ssl_config); |
6076
e0713386319a
certmanager: Wrap long line and add comment
Kim Alvefur <zash@zash.se>
parents:
6075
diff
changeset
|
314 |
6294
0033b021038f
core.certmanager: Make create_context() support an arbitrary number of option sets, merging all
Kim Alvefur <zash@zash.se>
parents:
6293
diff
changeset
|
315 for i = select('#', ...), 1, -1 do |
0033b021038f
core.certmanager: Make create_context() support an arbitrary number of option sets, merging all
Kim Alvefur <zash@zash.se>
parents:
6293
diff
changeset
|
316 cfg:apply(select(i, ...)); |
0033b021038f
core.certmanager: Make create_context() support an arbitrary number of option sets, merging all
Kim Alvefur <zash@zash.se>
parents:
6293
diff
changeset
|
317 end |
0033b021038f
core.certmanager: Make create_context() support an arbitrary number of option sets, merging all
Kim Alvefur <zash@zash.se>
parents:
6293
diff
changeset
|
318 local user_ssl_config = cfg:final(); |
6293
851fb5e9fa0c
core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents:
6165
diff
changeset
|
319 |
851fb5e9fa0c
core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents:
6165
diff
changeset
|
320 if mode == "server" then |
10237
a36af4570b39
core.certmanager: Lower severity for tls config not having cert
Kim Alvefur <zash@zash.se>
parents:
10227
diff
changeset
|
321 if not user_ssl_config.certificate then |
a36af4570b39
core.certmanager: Lower severity for tls config not having cert
Kim Alvefur <zash@zash.se>
parents:
10227
diff
changeset
|
322 log("info", "No certificate present in SSL/TLS configuration for %s. SNI will be required.", host); |
a36af4570b39
core.certmanager: Lower severity for tls config not having cert
Kim Alvefur <zash@zash.se>
parents:
10227
diff
changeset
|
323 end |
a36af4570b39
core.certmanager: Lower severity for tls config not having cert
Kim Alvefur <zash@zash.se>
parents:
10227
diff
changeset
|
324 if user_ssl_config.certificate and not user_ssl_config.key then return nil, "No key present in SSL/TLS configuration for "..host; end |
6077
6999d4415a58
certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost
Kim Alvefur <zash@zash.se>
parents:
6076
diff
changeset
|
325 end |
6999d4415a58
certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost
Kim Alvefur <zash@zash.se>
parents:
6076
diff
changeset
|
326 |
12480
7e9ebdc75ce4
net: isolate LuaSec-specifics
Jonas Schäfer <jonas@wielicki.name>
parents:
12362
diff
changeset
|
327 local ctx, err = cfg:build(); |
4359
c69cbac4178f
certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents:
3670
diff
changeset
|
328 |
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
329 if not ctx then |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
330 err = err or "invalid ssl config" |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
331 local file = err:match("^error loading (.-) %("); |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
332 if file then |
7743
d018ffc9238c
core.certmanager: Translate "no start line" to something friendlier (thanks santiago)
Kim Alvefur <zash@zash.se>
parents:
7663
diff
changeset
|
333 local typ; |
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
334 if file == "private key" then |
7743
d018ffc9238c
core.certmanager: Translate "no start line" to something friendlier (thanks santiago)
Kim Alvefur <zash@zash.se>
parents:
7663
diff
changeset
|
335 typ = file; |
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
336 file = user_ssl_config.key or "your private key"; |
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
337 elseif file == "certificate" then |
7743
d018ffc9238c
core.certmanager: Translate "no start line" to something friendlier (thanks santiago)
Kim Alvefur <zash@zash.se>
parents:
7663
diff
changeset
|
338 typ = file; |
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
339 file = user_ssl_config.certificate or "your certificate file"; |
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
340 end |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
341 local reason = err:match("%((.+)%)$") or "some reason"; |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
342 if reason == "Permission denied" then |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
343 reason = "Check that the permissions allow Prosody to read this file."; |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
344 elseif reason == "No such file or directory" then |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
345 reason = "Check that the path is correct, and the file exists."; |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
346 elseif reason == "system lib" then |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
347 reason = "Previous error (see logs), or other system error."; |
7743
d018ffc9238c
core.certmanager: Translate "no start line" to something friendlier (thanks santiago)
Kim Alvefur <zash@zash.se>
parents:
7663
diff
changeset
|
348 elseif reason == "no start line" then |
d018ffc9238c
core.certmanager: Translate "no start line" to something friendlier (thanks santiago)
Kim Alvefur <zash@zash.se>
parents:
7663
diff
changeset
|
349 reason = "Check that the file contains a "..(typ or file); |
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
350 elseif reason == "(null)" or not reason then |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
351 reason = "Check that the file exists and the permissions are correct"; |
2630
e8fc67b73820
certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
352 else |
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
353 reason = "Reason: "..tostring(reason):lower(); |
2630
e8fc67b73820
certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
354 end |
4925
55f6e0673e33
certmanager: Add quotes around cert file path when logging.
Waqas Hussain <waqas20@gmail.com>
parents:
4900
diff
changeset
|
355 log("error", "SSL/TLS: Failed to load '%s': %s (for %s)", file, reason, host); |
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
356 else |
4855
a31ea431d906
certmanager: Adjust error messages to be non-specific about 'host' (so we can specify a service name instead ffor SSL)
Matthew Wild <mwild1@gmail.com>
parents:
4656
diff
changeset
|
357 log("error", "SSL/TLS: Error initialising for %s: %s", host, err); |
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
358 end |
3540
bc139431830b
Monster whitespace commit (beware the whitespace monster).
Waqas Hussain <waqas20@gmail.com>
parents:
3402
diff
changeset
|
359 end |
6526
873538f0b18c
certmanager, mod_tls: Return final ssl config as third return value (fix for c6caaa440e74, portmanager assumes non-falsy second return value is an error) (thanks deoren)
Kim Alvefur <zash@zash.se>
parents:
6520
diff
changeset
|
360 return ctx, err, user_ssl_config; |
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
361 end |
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
362 |
6779
6236668da30a
core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents:
6570
diff
changeset
|
363 local function reload_ssl_config() |
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
364 global_ssl_config = configmanager.get("*", "ssl"); |
8159
3850993a9bda
certmanager: Update the 'certificates' option after the config has been reloaded (fixes #929)
Kim Alvefur <zash@zash.se>
parents:
7743
diff
changeset
|
365 global_certificates = configmanager.get("*", "certificates") or "certs"; |
13115
749376d75b40
net.certmanager: Move LuaSec feature detection to net.tls_luasec
Kim Alvefur <zash@zash.se>
parents:
12972
diff
changeset
|
366 if tls.features.options.no_compression then |
6080
b7d1607df87d
certmanager: Update ssl_compression when config is reloaded
Kim Alvefur <zash@zash.se>
parents:
6079
diff
changeset
|
367 core_defaults.options.no_compression = configmanager.get("*", "ssl_compression") ~= true; |
b7d1607df87d
certmanager: Update ssl_compression when config is reloaded
Kim Alvefur <zash@zash.se>
parents:
6079
diff
changeset
|
368 end |
11709
5810166f35d5
core.certmanager: Support 'use_dane' setting to enable DANE support
Kim Alvefur <zash@zash.se>
parents:
11591
diff
changeset
|
369 core_defaults.dane = configmanager.get("*", "use_dane") or false; |
11537
a09685a7b330
core.certmanager: Resolve certs path relative to config dir
Kim Alvefur <zash@zash.se>
parents:
11534
diff
changeset
|
370 cert_index = index_certs(resolve_path(config_path, global_certificates)); |
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
371 end |
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
372 |
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
373 prosody.events.add_handler("config-reloaded", reload_ssl_config); |
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
374 |
6779
6236668da30a
core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents:
6570
diff
changeset
|
375 return { |
6236668da30a
core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents:
6570
diff
changeset
|
376 create_context = create_context; |
6236668da30a
core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents:
6570
diff
changeset
|
377 reload_ssl_config = reload_ssl_config; |
8274
3798955049e3
prosodyctl: cert import: Reuse function from certmanager for locating certificates and keys
Kim Alvefur <zash@zash.se>
parents:
8259
diff
changeset
|
378 find_cert = find_cert; |
12104
29765ac7f72f
prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents:
12099
diff
changeset
|
379 index_certs = index_certs; |
10463
fbeb7a3fc4eb
core.portmanager: Fix TLS context inheritance for SNI hosts (completes SNI support)
Kim Alvefur <zash@zash.se>
parents:
10237
diff
changeset
|
380 find_host_cert = find_host_cert; |
12104
29765ac7f72f
prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents:
12099
diff
changeset
|
381 find_cert_in_index = find_cert_in_index; |
6779
6236668da30a
core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents:
6570
diff
changeset
|
382 }; |