Software /
code /
prosody
Annotate
core/certmanager.lua @ 3355:9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
author | Matthew Wild <mwild1@gmail.com> |
---|---|
date | Tue, 13 Jul 2010 13:56:14 +0100 |
parent | 2739:7339c2720b39 |
child | 3356:cf6be653c619 |
rev | line source |
---|---|
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
1 local configmanager = require "core.configmanager"; |
2630
e8fc67b73820
certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
2 local log = require "util.logger".init("certmanager"); |
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
3 local ssl = ssl; |
2564
6b4fe320a6ea
certmanager: Fix traceback with no LuaSec
Matthew Wild <mwild1@gmail.com>
parents:
2563
diff
changeset
|
4 local ssl_newcontext = ssl and ssl.newcontext; |
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
5 |
2738
e253dd4714d5
certmanager: Fix nil global access (thanks Marc)
Matthew Wild <mwild1@gmail.com>
parents:
2733
diff
changeset
|
6 local setmetatable, tostring = setmetatable, tostring; |
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
7 |
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
8 local prosody = prosody; |
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
9 local resolve_path = prosody.resolve_relative_path; |
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
10 |
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
11 module "certmanager" |
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
12 |
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
13 -- Global SSL options if not overridden per-host |
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
14 local default_ssl_config = configmanager.get("*", "core", "ssl"); |
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
15 |
2628
04958fb28c44
certmanager, hostmanager: Rename get_context() to create_context() to be more explicit about what it does
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
16 function create_context(host, mode, config) |
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
17 if not ssl then return nil; end |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
18 |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
19 local user_ssl_config = config and config.core.ssl or default_ssl_config; |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
20 |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
21 local ssl_config = { |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
22 mode = mode; |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
23 protocol = user_ssl_config.protocol or "sslv23"; |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
24 key = resolve_path(user_ssl_config.key); |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
25 password = user_ssl_config.password; |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
26 certificate = resolve_path(user_ssl_config.certificate); |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
27 capath = resolve_path(user_ssl_config.capath or default_capath); |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
28 cafile = resolve_path(user_ssl_config.cafile); |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
29 verify = user_ssl_config.verify or "none"; |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
30 options = user_ssl_config.options or "no_sslv2"; |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
31 ciphers = user_ssl_config.ciphers; |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
32 depth = user_ssl_config.depth; |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
33 }; |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
34 |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
35 log("warn", "keyfile: %q", ssl_config.key); |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
36 |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
37 local ctx, err = ssl_newcontext(ssl_config); |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
38 if not ctx then |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
39 err = err or "invalid ssl config" |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
40 local file = err:match("^error loading (.-) %("); |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
41 if file then |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
42 if file == "private key" then |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
43 file = ssl_config.key or "your private key"; |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
44 elseif file == "certificate" then |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
45 file = ssl_config.certificate or "your certificate file"; |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
46 end |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
47 local reason = err:match("%((.+)%)$") or "some reason"; |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
48 if reason == "Permission denied" then |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
49 reason = "Check that the permissions allow Prosody to read this file."; |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
50 elseif reason == "No such file or directory" then |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
51 reason = "Check that the path is correct, and the file exists."; |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
52 elseif reason == "system lib" then |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
53 reason = "Previous error (see logs), or other system error."; |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
54 elseif reason == "(null)" or not reason then |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
55 reason = "Check that the file exists and the permissions are correct"; |
2630
e8fc67b73820
certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
56 else |
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
57 reason = "Reason: "..tostring(reason):lower(); |
2630
e8fc67b73820
certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
58 end |
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
59 log("error", "SSL/TLS: Failed to load %s: %s", file, reason); |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
60 else |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
61 log("error", "SSL/TLS: Error initialising for host %s: %s", host, err ); |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
62 end |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
63 ssl = false |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
64 end |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
65 return ctx, err; |
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
66 end |
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
67 |
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
68 function reload_ssl_config() |
2733
65ad0fdb17ba
certmanager: Fix global access
Matthew Wild <mwild1@gmail.com>
parents:
2631
diff
changeset
|
69 default_ssl_config = configmanager.get("*", "core", "ssl"); |
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
70 end |
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
71 |
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
72 prosody.events.add_handler("config-reloaded", reload_ssl_config); |
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
73 |
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
74 return _M; |