Annotate

core/certmanager.lua @ 3355:9bb2da325d4d

certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
author Matthew Wild <mwild1@gmail.com>
date Tue, 13 Jul 2010 13:56:14 +0100
parent 2739:7339c2720b39
child 3356:cf6be653c619
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
2554
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
1 local configmanager = require "core.configmanager";
2630
e8fc67b73820 certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents: 2564
diff changeset
2 local log = require "util.logger".init("certmanager");
2554
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
3 local ssl = ssl;
2564
6b4fe320a6ea certmanager: Fix traceback with no LuaSec
Matthew Wild <mwild1@gmail.com>
parents: 2563
diff changeset
4 local ssl_newcontext = ssl and ssl.newcontext;
2554
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
5
2738
e253dd4714d5 certmanager: Fix nil global access (thanks Marc)
Matthew Wild <mwild1@gmail.com>
parents: 2733
diff changeset
6 local setmetatable, tostring = setmetatable, tostring;
2554
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
7
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
8 local prosody = prosody;
3355
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
9 local resolve_path = prosody.resolve_relative_path;
2554
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
10
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
11 module "certmanager"
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
12
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
13 -- Global SSL options if not overridden per-host
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
14 local default_ssl_config = configmanager.get("*", "core", "ssl");
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
15
2628
04958fb28c44 certmanager, hostmanager: Rename get_context() to create_context() to be more explicit about what it does
Matthew Wild <mwild1@gmail.com>
parents: 2564
diff changeset
16 function create_context(host, mode, config)
3355
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
17 if not ssl then return nil; end
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
18
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
19 local user_ssl_config = config and config.core.ssl or default_ssl_config;
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
20
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
21 local ssl_config = {
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
22 mode = mode;
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
23 protocol = user_ssl_config.protocol or "sslv23";
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
24 key = resolve_path(user_ssl_config.key);
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
25 password = user_ssl_config.password;
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
26 certificate = resolve_path(user_ssl_config.certificate);
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
27 capath = resolve_path(user_ssl_config.capath or default_capath);
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
28 cafile = resolve_path(user_ssl_config.cafile);
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
29 verify = user_ssl_config.verify or "none";
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
30 options = user_ssl_config.options or "no_sslv2";
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
31 ciphers = user_ssl_config.ciphers;
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
32 depth = user_ssl_config.depth;
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
33 };
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
34
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
35 log("warn", "keyfile: %q", ssl_config.key);
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
36
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
37 local ctx, err = ssl_newcontext(ssl_config);
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
38 if not ctx then
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
39 err = err or "invalid ssl config"
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
40 local file = err:match("^error loading (.-) %(");
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
41 if file then
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
42 if file == "private key" then
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
43 file = ssl_config.key or "your private key";
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
44 elseif file == "certificate" then
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
45 file = ssl_config.certificate or "your certificate file";
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
46 end
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
47 local reason = err:match("%((.+)%)$") or "some reason";
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
48 if reason == "Permission denied" then
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
49 reason = "Check that the permissions allow Prosody to read this file.";
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
50 elseif reason == "No such file or directory" then
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
51 reason = "Check that the path is correct, and the file exists.";
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
52 elseif reason == "system lib" then
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
53 reason = "Previous error (see logs), or other system error.";
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
54 elseif reason == "(null)" or not reason then
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
55 reason = "Check that the file exists and the permissions are correct";
2630
e8fc67b73820 certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents: 2564
diff changeset
56 else
3355
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
57 reason = "Reason: "..tostring(reason):lower();
2630
e8fc67b73820 certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents: 2564
diff changeset
58 end
3355
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
59 log("error", "SSL/TLS: Failed to load %s: %s", file, reason);
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
60 else
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
61 log("error", "SSL/TLS: Error initialising for host %s: %s", host, err );
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
62 end
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
63 ssl = false
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
64 end
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
65 return ctx, err;
2554
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
66 end
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
67
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
68 function reload_ssl_config()
2733
65ad0fdb17ba certmanager: Fix global access
Matthew Wild <mwild1@gmail.com>
parents: 2631
diff changeset
69 default_ssl_config = configmanager.get("*", "core", "ssl");
2554
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
70 end
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
71
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
72 prosody.events.add_handler("config-reloaded", reload_ssl_config);
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
73
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
74 return _M;