Annotate

core/certmanager.lua @ 9652:a58b48268ecd

Merge 0.11->trunk
author Kim Alvefur <zash@zash.se>
date Tue, 27 Nov 2018 21:18:19 +0100
parent 8828:2a0d7fa4c56a
child 9852:6ea3cafb6ac3
child 10709:fcf7f50ccdd0
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
3369
9a96969d4670 certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents: 3368
diff changeset
1 -- Prosody IM
9a96969d4670 certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents: 3368
diff changeset
2 -- Copyright (C) 2008-2010 Matthew Wild
9a96969d4670 certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents: 3368
diff changeset
3 -- Copyright (C) 2008-2010 Waqas Hussain
5776
bd0ff8ae98a8 Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents: 5746
diff changeset
4 --
3369
9a96969d4670 certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents: 3368
diff changeset
5 -- This project is MIT/X11 licensed. Please see the
9a96969d4670 certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents: 3368
diff changeset
6 -- COPYING file in the source package for more information.
9a96969d4670 certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents: 3368
diff changeset
7 --
9a96969d4670 certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents: 3368
diff changeset
8
6564
bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents: 6547
diff changeset
9 local softreq = require"util.dependencies".softreq;
bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents: 6547
diff changeset
10 local ssl = softreq"ssl";
bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents: 6547
diff changeset
11 if not ssl then
bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents: 6547
diff changeset
12 return {
bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents: 6547
diff changeset
13 create_context = function ()
bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents: 6547
diff changeset
14 return nil, "LuaSec (required for encryption) was not found";
bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents: 6547
diff changeset
15 end;
bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents: 6547
diff changeset
16 reload_ssl_config = function () end;
bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents: 6547
diff changeset
17 }
bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents: 6547
diff changeset
18 end
bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents: 6547
diff changeset
19
2554
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
20 local configmanager = require "core.configmanager";
2630
e8fc67b73820 certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents: 2564
diff changeset
21 local log = require "util.logger".init("certmanager");
6565
ffc0a57889aa certmanager: Add locals for ssl.context and ssl.x509
Kim Alvefur <zash@zash.se>
parents: 6564
diff changeset
22 local ssl_context = ssl.context or softreq"ssl.context";
ffc0a57889aa certmanager: Add locals for ssl.context and ssl.x509
Kim Alvefur <zash@zash.se>
parents: 6564
diff changeset
23 local ssl_x509 = ssl.x509 or softreq"ssl.x509";
6564
bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents: 6547
diff changeset
24 local ssl_newcontext = ssl.newcontext;
6293
851fb5e9fa0c core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents: 6165
diff changeset
25 local new_config = require"util.sslconfig".new;
7122
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
26 local stat = require "lfs".attributes;
2554
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
27
7160
5c1ee8c06235 certmanager: Localize tonumber
Matthew Wild <mwild1@gmail.com>
parents: 7145
diff changeset
28 local tonumber, tostring = tonumber, tostring;
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
29 local pairs = pairs;
8404
ca52d40e74da certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents: 8403
diff changeset
30 local t_remove = table.remove;
5820
6bc4077bc1f9 certmanager: Fix dhparam callback, missing imports (Testing, pfft)
Kim Alvefur <zash@zash.se>
parents: 5816
diff changeset
31 local type = type;
6bc4077bc1f9 certmanager: Fix dhparam callback, missing imports (Testing, pfft)
Kim Alvefur <zash@zash.se>
parents: 5816
diff changeset
32 local io_open = io.open;
6294
0033b021038f core.certmanager: Make create_context() support an arbitrary number of option sets, merging all
Kim Alvefur <zash@zash.se>
parents: 6293
diff changeset
33 local select = select;
2554
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
34
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
35 local prosody = prosody;
6165
6a184b16b717 core.certmanager, core.moduleapi, mod_storage_sql, mod_storage_sql2: Import from util.paths
Kim Alvefur <zash@zash.se>
parents: 6089
diff changeset
36 local resolve_path = require"util.paths".resolve_relative_path;
7531
2db68d1a6eeb certmanager: Assume default config path of '.' (fixes prosodyctl check certs when not installed)
Kim Alvefur <zash@zash.se>
parents: 7319
diff changeset
37 local config_path = prosody.paths.config or ".";
2554
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
38
6564
bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents: 6547
diff changeset
39 local luasec_major, luasec_minor = ssl._VERSION:match("^(%d+)%.(%d+)");
7319
afa83f3ccaad certmanager: Explicitly tonumber() version number segments before doing arithmetic and avoid relying on implicit coercion (thanks David Favro)
Matthew Wild <mwild1@gmail.com>
parents: 7160
diff changeset
40 local luasec_version = tonumber(luasec_major) * 100 + tonumber(luasec_minor);
8403
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents: 8279
diff changeset
41 local luasec_has = softreq"ssl.config" or {
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents: 8279
diff changeset
42 algorithms = {
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents: 8279
diff changeset
43 ec = luasec_version >= 5;
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents: 8279
diff changeset
44 };
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents: 8279
diff changeset
45 capabilities = {
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents: 8279
diff changeset
46 curves_list = luasec_version >= 7;
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents: 8279
diff changeset
47 };
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents: 8279
diff changeset
48 options = {
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents: 8279
diff changeset
49 cipher_server_preference = luasec_version >= 2;
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents: 8279
diff changeset
50 no_ticket = luasec_version >= 4;
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents: 8279
diff changeset
51 no_compression = luasec_version >= 5;
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents: 8279
diff changeset
52 single_dh_use = luasec_version >= 2;
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents: 8279
diff changeset
53 single_ecdh_use = luasec_version >= 2;
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents: 8279
diff changeset
54 };
6566
1f396f0fe832 certmanager: Improve "detection" of features that depend on LuaSec version
Kim Alvefur <zash@zash.se>
parents: 6565
diff changeset
55 };
4899
0b8134015635 certmanager: Don't use no_ticket option before LuaSec 0.4
Matthew Wild <mwild1@gmail.com>
parents: 4890
diff changeset
56
6779
6236668da30a core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents: 6570
diff changeset
57 local _ENV = nil;
8555
4f0f5b49bb03 vairious: Add annotation when an empty environment is set [luacheck]
Kim Alvefur <zash@zash.se>
parents: 8494
diff changeset
58 -- luacheck: std none
2554
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
59
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
60 -- Global SSL options if not overridden per-host
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
61 local global_ssl_config = configmanager.get("*", "ssl");
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
62
7122
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
63 local global_certificates = configmanager.get("*", "certificates") or "certs";
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
64
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
65 local crt_try = { "", "/%s.crt", "/%s/fullchain.pem", "/%s.pem", };
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
66 local key_try = { "", "/%s.key", "/%s/privkey.pem", "/%s.pem", };
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
67
7140
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
68 local function find_cert(user_certs, name)
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
69 local certs = resolve_path(config_path, user_certs or global_certificates);
8259
db063671b73e certmanager: Add debug logging (thanks av6)
Matthew Wild <mwild1@gmail.com>
parents: 8159
diff changeset
70 log("debug", "Searching %s for a key and certificate for %s...", certs, name);
7122
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
71 for i = 1, #crt_try do
7140
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
72 local crt_path = certs .. crt_try[i]:format(name);
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
73 local key_path = certs .. key_try[i]:format(name);
7122
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
74
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
75 if stat(crt_path, "mode") == "file" then
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
76 if key_path:sub(-4) == ".crt" then
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
77 key_path = key_path:sub(1, -4) .. "key";
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
78 if stat(key_path, "mode") == "file" then
8259
db063671b73e certmanager: Add debug logging (thanks av6)
Matthew Wild <mwild1@gmail.com>
parents: 8159
diff changeset
79 log("debug", "Selecting certificate %s with key %s for %s", crt_path, key_path, name);
7122
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
80 return { certificate = crt_path, key = key_path };
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
81 end
7145
b1a109858502 certmanager: Try filename.key if certificate is set to a full filename ending with .crt
Kim Alvefur <zash@zash.se>
parents: 7144
diff changeset
82 elseif stat(key_path, "mode") == "file" then
8259
db063671b73e certmanager: Add debug logging (thanks av6)
Matthew Wild <mwild1@gmail.com>
parents: 8159
diff changeset
83 log("debug", "Selecting certificate %s with key %s for %s", crt_path, key_path, name);
7145
b1a109858502 certmanager: Try filename.key if certificate is set to a full filename ending with .crt
Kim Alvefur <zash@zash.se>
parents: 7144
diff changeset
84 return { certificate = crt_path, key = key_path };
7122
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
85 end
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
86 end
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
87 end
8259
db063671b73e certmanager: Add debug logging (thanks av6)
Matthew Wild <mwild1@gmail.com>
parents: 8159
diff changeset
88 log("debug", "No certificate/key found for %s", name);
7122
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
89 end
89c51ee23122 core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents: 6903
diff changeset
90
7140
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
91 local function find_host_cert(host)
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
92 if not host then return nil; end
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
93 return find_cert(configmanager.get(host, "certificate"), host) or find_host_cert(host:match("%.(.+)$"));
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
94 end
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
95
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
96 local function find_service_cert(service, port)
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
97 local cert_config = configmanager.get("*", service.."_certificate");
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
98 if type(cert_config) == "table" then
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
99 cert_config = cert_config[port] or cert_config.default;
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
100 end
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
101 return find_cert(cert_config, service);
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
102 end
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
103
6079
5cffee5b2826 certmanager: Reformat core ssl defaults
Kim Alvefur <zash@zash.se>
parents: 6078
diff changeset
104 -- Built-in defaults
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
105 local core_defaults = {
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
106 capath = "/etc/ssl/certs";
6568
b54b33f59c6e certmanager: Limit certificate chain depth to 9
Kim Alvefur <zash@zash.se>
parents: 6567
diff changeset
107 depth = 9;
6078
30ac122acdd3 certmanager: Support ssl.protocol syntax like "tlsv1+" that disables older protocols
Kim Alvefur <zash@zash.se>
parents: 6077
diff changeset
108 protocol = "tlsv1+";
6565
ffc0a57889aa certmanager: Add locals for ssl.context and ssl.x509
Kim Alvefur <zash@zash.se>
parents: 6564
diff changeset
109 verify = (ssl_x509 and { "peer", "client_once", }) or "none";
6079
5cffee5b2826 certmanager: Reformat core ssl defaults
Kim Alvefur <zash@zash.se>
parents: 6078
diff changeset
110 options = {
8403
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents: 8279
diff changeset
111 cipher_server_preference = luasec_has.options.cipher_server_preference;
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents: 8279
diff changeset
112 no_ticket = luasec_has.options.no_ticket;
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents: 8279
diff changeset
113 no_compression = luasec_has.options.no_compression and configmanager.get("*", "ssl_compression") ~= true;
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents: 8279
diff changeset
114 single_dh_use = luasec_has.options.single_dh_use;
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents: 8279
diff changeset
115 single_ecdh_use = luasec_has.options.single_ecdh_use;
6079
5cffee5b2826 certmanager: Reformat core ssl defaults
Kim Alvefur <zash@zash.se>
parents: 6078
diff changeset
116 };
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
117 verifyext = { "lsec_continue", "lsec_ignore_purpose" };
8405
a3cf899fd61b certmanager: Set single curve conditioned on LuaSec advertising EC crypto support
Kim Alvefur <zash@zash.se>
parents: 8404
diff changeset
118 curve = luasec_has.algorithms.ec and not luasec_has.capabilities.curves_list and "secp384r1";
8279
92cddfe65003 core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents: 8274
diff changeset
119 curveslist = {
92cddfe65003 core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents: 8274
diff changeset
120 "X25519",
92cddfe65003 core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents: 8274
diff changeset
121 "P-384",
92cddfe65003 core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents: 8274
diff changeset
122 "P-256",
92cddfe65003 core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents: 8274
diff changeset
123 "P-521",
92cddfe65003 core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents: 8274
diff changeset
124 };
7663
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents: 7531
diff changeset
125 ciphers = { -- Enabled ciphers in order of preference:
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents: 7531
diff changeset
126 "HIGH+kEDH", -- Ephemeral Diffie-Hellman key exchange, if a 'dhparam' file is set
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents: 7531
diff changeset
127 "HIGH+kEECDH", -- Ephemeral Elliptic curve Diffie-Hellman key exchange
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents: 7531
diff changeset
128 "HIGH", -- Other "High strength" ciphers
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents: 7531
diff changeset
129 -- Disabled cipher suites:
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents: 7531
diff changeset
130 "!PSK", -- Pre-Shared Key - not used for XMPP
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents: 7531
diff changeset
131 "!SRP", -- Secure Remote Password - not used for XMPP
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents: 7531
diff changeset
132 "!3DES", -- 3DES - slow and of questionable security
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents: 7531
diff changeset
133 "!aNULL", -- Ciphers that does not authenticate the connection
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents: 7531
diff changeset
134 };
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
135 }
8404
ca52d40e74da certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents: 8403
diff changeset
136
ca52d40e74da certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents: 8403
diff changeset
137 if luasec_has.curves then
ca52d40e74da certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents: 8403
diff changeset
138 for i = #core_defaults.curveslist, 1, -1 do
ca52d40e74da certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents: 8403
diff changeset
139 if not luasec_has.curves[ core_defaults.curveslist[i] ] then
ca52d40e74da certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents: 8403
diff changeset
140 t_remove(core_defaults.curveslist, i);
ca52d40e74da certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents: 8403
diff changeset
141 end
ca52d40e74da certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents: 8403
diff changeset
142 end
ca52d40e74da certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents: 8403
diff changeset
143 else
ca52d40e74da certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents: 8403
diff changeset
144 core_defaults.curveslist = nil;
ca52d40e74da certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents: 8403
diff changeset
145 end
ca52d40e74da certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents: 8403
diff changeset
146
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
147 local path_options = { -- These we pass through resolve_path()
5822
970c666c5586 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5821
diff changeset
148 key = true, certificate = true, cafile = true, capath = true, dhparam = true
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
149 }
5282
4cd57cb49f99 core.certmanager: Add support for LuaSec 0.5. Also compat with MattJs luasec-hg
Kim Alvefur <zash@zash.se>
parents: 4992
diff changeset
150
6570
70e65ac65219 certmanager: Fix compat for MattJs old LuaSec fork
Kim Alvefur <zash@zash.se>
parents: 6569
diff changeset
151 if luasec_version < 5 and ssl_x509 then
5282
4cd57cb49f99 core.certmanager: Add support for LuaSec 0.5. Also compat with MattJs luasec-hg
Kim Alvefur <zash@zash.se>
parents: 4992
diff changeset
152 -- COMPAT mw/luasec-hg
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
153 for i=1,#core_defaults.verifyext do -- Remove lsec_ prefix
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
154 core_defaults.verify[#core_defaults.verify+1] = core_defaults.verifyext[i]:sub(6);
5282
4cd57cb49f99 core.certmanager: Add support for LuaSec 0.5. Also compat with MattJs luasec-hg
Kim Alvefur <zash@zash.se>
parents: 4992
diff changeset
155 end
4cd57cb49f99 core.certmanager: Add support for LuaSec 0.5. Also compat with MattJs luasec-hg
Kim Alvefur <zash@zash.se>
parents: 4992
diff changeset
156 end
5678
b7ebeae14053 certmanager: Add single_dh_use and single_ecdh_use to default options
Matthew Wild <mwild1@gmail.com>
parents: 5676
diff changeset
157
6779
6236668da30a core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents: 6570
diff changeset
158 local function create_context(host, mode, ...)
6293
851fb5e9fa0c core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents: 6165
diff changeset
159 local cfg = new_config();
851fb5e9fa0c core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents: 6165
diff changeset
160 cfg:apply(core_defaults);
8827
1a29b56a2d63 core.certmanager: Allow all non-whitespace in service name (fixes #1019)
Kim Alvefur <zash@zash.se>
parents: 8494
diff changeset
161 local service_name, port = host:match("^(%S+) port (%d+)$");
7140
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
162 if service_name then
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
163 cfg:apply(find_service_cert(service_name, tonumber(port)));
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
164 else
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
165 cfg:apply(find_host_cert(host));
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents: 7122
diff changeset
166 end
6293
851fb5e9fa0c core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents: 6165
diff changeset
167 cfg:apply({
851fb5e9fa0c core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents: 6165
diff changeset
168 mode = mode,
851fb5e9fa0c core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents: 6165
diff changeset
169 -- We can't read the password interactively when daemonized
851fb5e9fa0c core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents: 6165
diff changeset
170 password = function() log("error", "Encrypted certificate for %s requires 'ssl' 'password' to be set in config", host); end;
851fb5e9fa0c core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents: 6165
diff changeset
171 });
7144
f855ba7da30e certmanager: Apply global ssl config later so certificate/key is not overwritten by magic
Kim Alvefur <zash@zash.se>
parents: 7140
diff changeset
172 cfg:apply(global_ssl_config);
6076
e0713386319a certmanager: Wrap long line and add comment
Kim Alvefur <zash@zash.se>
parents: 6075
diff changeset
173
6294
0033b021038f core.certmanager: Make create_context() support an arbitrary number of option sets, merging all
Kim Alvefur <zash@zash.se>
parents: 6293
diff changeset
174 for i = select('#', ...), 1, -1 do
0033b021038f core.certmanager: Make create_context() support an arbitrary number of option sets, merging all
Kim Alvefur <zash@zash.se>
parents: 6293
diff changeset
175 cfg:apply(select(i, ...));
0033b021038f core.certmanager: Make create_context() support an arbitrary number of option sets, merging all
Kim Alvefur <zash@zash.se>
parents: 6293
diff changeset
176 end
0033b021038f core.certmanager: Make create_context() support an arbitrary number of option sets, merging all
Kim Alvefur <zash@zash.se>
parents: 6293
diff changeset
177 local user_ssl_config = cfg:final();
6293
851fb5e9fa0c core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents: 6165
diff changeset
178
851fb5e9fa0c core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents: 6165
diff changeset
179 if mode == "server" then
8494
4f75f4da6d4e certmanager: Check for missing certificate before key in configuration (should be marginally less confusing)
Kim Alvefur <zash@zash.se>
parents: 8405
diff changeset
180 if not user_ssl_config.certificate then return nil, "No certificate present in SSL/TLS configuration for "..host; end
6293
851fb5e9fa0c core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents: 6165
diff changeset
181 if not user_ssl_config.key then return nil, "No key present in SSL/TLS configuration for "..host; end
6077
6999d4415a58 certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost
Kim Alvefur <zash@zash.se>
parents: 6076
diff changeset
182 end
6999d4415a58 certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost
Kim Alvefur <zash@zash.se>
parents: 6076
diff changeset
183
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
184 for option in pairs(path_options) do
5822
970c666c5586 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5821
diff changeset
185 if type(user_ssl_config[option]) == "string" then
970c666c5586 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5821
diff changeset
186 user_ssl_config[option] = resolve_path(config_path, user_ssl_config[option]);
6903
5ff42d85d4d5 core.certmanager: Remove non-string filenames (allows setting eg capath to false to disable the built in default)
Kim Alvefur <zash@zash.se>
parents: 6779
diff changeset
187 else
5ff42d85d4d5 core.certmanager: Remove non-string filenames (allows setting eg capath to false to disable the built in default)
Kim Alvefur <zash@zash.se>
parents: 6779
diff changeset
188 user_ssl_config[option] = nil;
5822
970c666c5586 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5821
diff changeset
189 end
5816
20e2b588f8c2 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5815
diff changeset
190 end
3355
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
191
5816
20e2b588f8c2 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5815
diff changeset
192 -- LuaSec expects dhparam to be a callback that takes two arguments.
20e2b588f8c2 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5815
diff changeset
193 -- We ignore those because it is mostly used for having a separate
20e2b588f8c2 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5815
diff changeset
194 -- set of params for EXPORT ciphers, which we don't have by default.
5822
970c666c5586 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5821
diff changeset
195 if type(user_ssl_config.dhparam) == "string" then
970c666c5586 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5821
diff changeset
196 local f, err = io_open(user_ssl_config.dhparam);
5816
20e2b588f8c2 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5815
diff changeset
197 if not f then return nil, "Could not open DH parameters: "..err end
20e2b588f8c2 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5815
diff changeset
198 local dhparam = f:read("*a");
20e2b588f8c2 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5815
diff changeset
199 f:close();
5822
970c666c5586 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5821
diff changeset
200 user_ssl_config.dhparam = function() return dhparam; end
5816
20e2b588f8c2 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5815
diff changeset
201 end
20e2b588f8c2 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5815
diff changeset
202
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
203 local ctx, err = ssl_newcontext(user_ssl_config);
4359
c69cbac4178f certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents: 3670
diff changeset
204
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
205 -- COMPAT Older LuaSec ignores the cipher list from the config, so we have to take care
4359
c69cbac4178f certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents: 3670
diff changeset
206 -- of it ourselves (W/A for #x)
c69cbac4178f certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents: 3670
diff changeset
207 if ctx and user_ssl_config.ciphers then
c69cbac4178f certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents: 3670
diff changeset
208 local success;
6565
ffc0a57889aa certmanager: Add locals for ssl.context and ssl.x509
Kim Alvefur <zash@zash.se>
parents: 6564
diff changeset
209 success, err = ssl_context.setcipher(ctx, user_ssl_config.ciphers);
4359
c69cbac4178f certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents: 3670
diff changeset
210 if not success then ctx = nil; end
c69cbac4178f certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents: 3670
diff changeset
211 end
c69cbac4178f certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents: 3670
diff changeset
212
3355
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
213 if not ctx then
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
214 err = err or "invalid ssl config"
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
215 local file = err:match("^error loading (.-) %(");
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
216 if file then
7743
d018ffc9238c core.certmanager: Translate "no start line" to something friendlier (thanks santiago)
Kim Alvefur <zash@zash.se>
parents: 7663
diff changeset
217 local typ;
3355
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
218 if file == "private key" then
7743
d018ffc9238c core.certmanager: Translate "no start line" to something friendlier (thanks santiago)
Kim Alvefur <zash@zash.se>
parents: 7663
diff changeset
219 typ = file;
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
220 file = user_ssl_config.key or "your private key";
3355
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
221 elseif file == "certificate" then
7743
d018ffc9238c core.certmanager: Translate "no start line" to something friendlier (thanks santiago)
Kim Alvefur <zash@zash.se>
parents: 7663
diff changeset
222 typ = file;
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
223 file = user_ssl_config.certificate or "your certificate file";
3355
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
224 end
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
225 local reason = err:match("%((.+)%)$") or "some reason";
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
226 if reason == "Permission denied" then
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
227 reason = "Check that the permissions allow Prosody to read this file.";
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
228 elseif reason == "No such file or directory" then
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
229 reason = "Check that the path is correct, and the file exists.";
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
230 elseif reason == "system lib" then
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
231 reason = "Previous error (see logs), or other system error.";
7743
d018ffc9238c core.certmanager: Translate "no start line" to something friendlier (thanks santiago)
Kim Alvefur <zash@zash.se>
parents: 7663
diff changeset
232 elseif reason == "no start line" then
d018ffc9238c core.certmanager: Translate "no start line" to something friendlier (thanks santiago)
Kim Alvefur <zash@zash.se>
parents: 7663
diff changeset
233 reason = "Check that the file contains a "..(typ or file);
3355
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
234 elseif reason == "(null)" or not reason then
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
235 reason = "Check that the file exists and the permissions are correct";
2630
e8fc67b73820 certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents: 2564
diff changeset
236 else
3355
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
237 reason = "Reason: "..tostring(reason):lower();
2630
e8fc67b73820 certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents: 2564
diff changeset
238 end
4925
55f6e0673e33 certmanager: Add quotes around cert file path when logging.
Waqas Hussain <waqas20@gmail.com>
parents: 4900
diff changeset
239 log("error", "SSL/TLS: Failed to load '%s': %s (for %s)", file, reason, host);
3355
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
240 else
4855
a31ea431d906 certmanager: Adjust error messages to be non-specific about 'host' (so we can specify a service name instead ffor SSL)
Matthew Wild <mwild1@gmail.com>
parents: 4656
diff changeset
241 log("error", "SSL/TLS: Error initialising for %s: %s", host, err);
3355
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
242 end
3540
bc139431830b Monster whitespace commit (beware the whitespace monster).
Waqas Hussain <waqas20@gmail.com>
parents: 3402
diff changeset
243 end
6526
873538f0b18c certmanager, mod_tls: Return final ssl config as third return value (fix for c6caaa440e74, portmanager assumes non-falsy second return value is an error) (thanks deoren)
Kim Alvefur <zash@zash.se>
parents: 6520
diff changeset
244 return ctx, err, user_ssl_config;
2554
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
245 end
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
246
6779
6236668da30a core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents: 6570
diff changeset
247 local function reload_ssl_config()
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
248 global_ssl_config = configmanager.get("*", "ssl");
8159
3850993a9bda certmanager: Update the 'certificates' option after the config has been reloaded (fixes #929)
Kim Alvefur <zash@zash.se>
parents: 7743
diff changeset
249 global_certificates = configmanager.get("*", "certificates") or "certs";
8403
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents: 8279
diff changeset
250 if luasec_has.options.no_compression then
6080
b7d1607df87d certmanager: Update ssl_compression when config is reloaded
Kim Alvefur <zash@zash.se>
parents: 6079
diff changeset
251 core_defaults.options.no_compression = configmanager.get("*", "ssl_compression") ~= true;
b7d1607df87d certmanager: Update ssl_compression when config is reloaded
Kim Alvefur <zash@zash.se>
parents: 6079
diff changeset
252 end
2554
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
253 end
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
254
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
255 prosody.events.add_handler("config-reloaded", reload_ssl_config);
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
256
6779
6236668da30a core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents: 6570
diff changeset
257 return {
6236668da30a core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents: 6570
diff changeset
258 create_context = create_context;
6236668da30a core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents: 6570
diff changeset
259 reload_ssl_config = reload_ssl_config;
8274
3798955049e3 prosodyctl: cert import: Reuse function from certmanager for locating certificates and keys
Kim Alvefur <zash@zash.se>
parents: 8259
diff changeset
260 find_cert = find_cert;
6779
6236668da30a core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents: 6570
diff changeset
261 };