Software /
code /
prosody
Annotate
core/certmanager.lua @ 12196:b05e0b422ff7
core.certmanager: Apply TLS preset before global settings (thanks Menel)
Allows overriding settings via the global 'ssl' settings as before.
This order was probably accidental. That said, 'ssl' is a giant footgun
we will want to discourage use of.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Tue, 18 Jan 2022 08:04:16 +0100 |
parent | 12150:653a48b5a25b |
child | 12197:95d25e620dc2 |
rev | line source |
---|---|
3369
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
1 -- Prosody IM |
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
2 -- Copyright (C) 2008-2010 Matthew Wild |
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
3 -- Copyright (C) 2008-2010 Waqas Hussain |
5776
bd0ff8ae98a8
Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
5746
diff
changeset
|
4 -- |
3369
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
5 -- This project is MIT/X11 licensed. Please see the |
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
6 -- COPYING file in the source package for more information. |
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
7 -- |
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
8 |
6564
bcf32653cab7
certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents:
6547
diff
changeset
|
9 local softreq = require"util.dependencies".softreq; |
bcf32653cab7
certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents:
6547
diff
changeset
|
10 local ssl = softreq"ssl"; |
bcf32653cab7
certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents:
6547
diff
changeset
|
11 if not ssl then |
bcf32653cab7
certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents:
6547
diff
changeset
|
12 return { |
bcf32653cab7
certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents:
6547
diff
changeset
|
13 create_context = function () |
bcf32653cab7
certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents:
6547
diff
changeset
|
14 return nil, "LuaSec (required for encryption) was not found"; |
bcf32653cab7
certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents:
6547
diff
changeset
|
15 end; |
bcf32653cab7
certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents:
6547
diff
changeset
|
16 reload_ssl_config = function () end; |
bcf32653cab7
certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents:
6547
diff
changeset
|
17 } |
bcf32653cab7
certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents:
6547
diff
changeset
|
18 end |
bcf32653cab7
certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents:
6547
diff
changeset
|
19 |
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
20 local configmanager = require "core.configmanager"; |
2630
e8fc67b73820
certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
21 local log = require "util.logger".init("certmanager"); |
6565
ffc0a57889aa
certmanager: Add locals for ssl.context and ssl.x509
Kim Alvefur <zash@zash.se>
parents:
6564
diff
changeset
|
22 local ssl_context = ssl.context or softreq"ssl.context"; |
6564
bcf32653cab7
certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents:
6547
diff
changeset
|
23 local ssl_newcontext = ssl.newcontext; |
6293
851fb5e9fa0c
core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents:
6165
diff
changeset
|
24 local new_config = require"util.sslconfig".new; |
7122
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
25 local stat = require "lfs".attributes; |
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
26 |
11532
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
27 local x509 = require "util.x509"; |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
28 local lfs = require "lfs"; |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
29 |
7160
5c1ee8c06235
certmanager: Localize tonumber
Matthew Wild <mwild1@gmail.com>
parents:
7145
diff
changeset
|
30 local tonumber, tostring = tonumber, tostring; |
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
31 local pairs = pairs; |
8404
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8403
diff
changeset
|
32 local t_remove = table.remove; |
5820
6bc4077bc1f9
certmanager: Fix dhparam callback, missing imports (Testing, pfft)
Kim Alvefur <zash@zash.se>
parents:
5816
diff
changeset
|
33 local type = type; |
6bc4077bc1f9
certmanager: Fix dhparam callback, missing imports (Testing, pfft)
Kim Alvefur <zash@zash.se>
parents:
5816
diff
changeset
|
34 local io_open = io.open; |
6294
0033b021038f
core.certmanager: Make create_context() support an arbitrary number of option sets, merging all
Kim Alvefur <zash@zash.se>
parents:
6293
diff
changeset
|
35 local select = select; |
11532
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
36 local now = os.time; |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
37 local next = next; |
11538
30feeb4d9d0b
core.certmanager: Catch error from lfs
Kim Alvefur <zash@zash.se>
parents:
11537
diff
changeset
|
38 local pcall = pcall; |
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
39 |
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
40 local prosody = prosody; |
11533
f97592336399
core.certmanager: Join paths with OS-aware util.paths function
Kim Alvefur <zash@zash.se>
parents:
11532
diff
changeset
|
41 local pathutil = require"util.paths"; |
f97592336399
core.certmanager: Join paths with OS-aware util.paths function
Kim Alvefur <zash@zash.se>
parents:
11532
diff
changeset
|
42 local resolve_path = pathutil.resolve_relative_path; |
7531
2db68d1a6eeb
certmanager: Assume default config path of '.' (fixes prosodyctl check certs when not installed)
Kim Alvefur <zash@zash.se>
parents:
7319
diff
changeset
|
43 local config_path = prosody.paths.config or "."; |
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
44 |
11549
5a484bd050a7
core.certmanager: Test for SSL options in absence of LuaSec config
Kim Alvefur <zash@zash.se>
parents:
11548
diff
changeset
|
45 local function test_option(option) |
5a484bd050a7
core.certmanager: Test for SSL options in absence of LuaSec config
Kim Alvefur <zash@zash.se>
parents:
11548
diff
changeset
|
46 return not not ssl_newcontext({mode="server",protocol="sslv23",options={ option }}); |
5a484bd050a7
core.certmanager: Test for SSL options in absence of LuaSec config
Kim Alvefur <zash@zash.se>
parents:
11548
diff
changeset
|
47 end |
5a484bd050a7
core.certmanager: Test for SSL options in absence of LuaSec config
Kim Alvefur <zash@zash.se>
parents:
11548
diff
changeset
|
48 |
6564
bcf32653cab7
certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents:
6547
diff
changeset
|
49 local luasec_major, luasec_minor = ssl._VERSION:match("^(%d+)%.(%d+)"); |
7319
afa83f3ccaad
certmanager: Explicitly tonumber() version number segments before doing arithmetic and avoid relying on implicit coercion (thanks David Favro)
Matthew Wild <mwild1@gmail.com>
parents:
7160
diff
changeset
|
50 local luasec_version = tonumber(luasec_major) * 100 + tonumber(luasec_minor); |
11548
55ef50d6cf65
core.certmanager: Attempt to directly access LuaSec config table
Kim Alvefur <zash@zash.se>
parents:
10721
diff
changeset
|
51 local luasec_has = ssl.config or softreq"ssl.config" or { |
8403
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8279
diff
changeset
|
52 algorithms = { |
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8279
diff
changeset
|
53 ec = luasec_version >= 5; |
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8279
diff
changeset
|
54 }; |
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8279
diff
changeset
|
55 capabilities = { |
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8279
diff
changeset
|
56 curves_list = luasec_version >= 7; |
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8279
diff
changeset
|
57 }; |
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8279
diff
changeset
|
58 options = { |
11549
5a484bd050a7
core.certmanager: Test for SSL options in absence of LuaSec config
Kim Alvefur <zash@zash.se>
parents:
11548
diff
changeset
|
59 cipher_server_preference = test_option("cipher_server_preference"); |
5a484bd050a7
core.certmanager: Test for SSL options in absence of LuaSec config
Kim Alvefur <zash@zash.se>
parents:
11548
diff
changeset
|
60 no_ticket = test_option("no_ticket"); |
5a484bd050a7
core.certmanager: Test for SSL options in absence of LuaSec config
Kim Alvefur <zash@zash.se>
parents:
11548
diff
changeset
|
61 no_compression = test_option("no_compression"); |
5a484bd050a7
core.certmanager: Test for SSL options in absence of LuaSec config
Kim Alvefur <zash@zash.se>
parents:
11548
diff
changeset
|
62 single_dh_use = test_option("single_dh_use"); |
5a484bd050a7
core.certmanager: Test for SSL options in absence of LuaSec config
Kim Alvefur <zash@zash.se>
parents:
11548
diff
changeset
|
63 single_ecdh_use = test_option("single_ecdh_use"); |
11551
aaf9c6b6d18d
certmanager: Disable renegotiation by default
Matthew Wild <mwild1@gmail.com>
parents:
11549
diff
changeset
|
64 no_renegotiation = test_option("no_renegotiation"); |
8403
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8279
diff
changeset
|
65 }; |
6566
1f396f0fe832
certmanager: Improve "detection" of features that depend on LuaSec version
Kim Alvefur <zash@zash.se>
parents:
6565
diff
changeset
|
66 }; |
4899
0b8134015635
certmanager: Don't use no_ticket option before LuaSec 0.4
Matthew Wild <mwild1@gmail.com>
parents:
4890
diff
changeset
|
67 |
6779
6236668da30a
core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents:
6570
diff
changeset
|
68 local _ENV = nil; |
8555
4f0f5b49bb03
vairious: Add annotation when an empty environment is set [luacheck]
Kim Alvefur <zash@zash.se>
parents:
8494
diff
changeset
|
69 -- luacheck: std none |
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
70 |
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
71 -- Global SSL options if not overridden per-host |
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
72 local global_ssl_config = configmanager.get("*", "ssl"); |
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
73 |
7122
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
74 local global_certificates = configmanager.get("*", "certificates") or "certs"; |
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
75 |
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
76 local crt_try = { "", "/%s.crt", "/%s/fullchain.pem", "/%s.pem", }; |
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
77 local key_try = { "", "/%s.key", "/%s/privkey.pem", "/%s.pem", }; |
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
78 |
7140
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
79 local function find_cert(user_certs, name) |
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
80 local certs = resolve_path(config_path, user_certs or global_certificates); |
8259
db063671b73e
certmanager: Add debug logging (thanks av6)
Matthew Wild <mwild1@gmail.com>
parents:
8159
diff
changeset
|
81 log("debug", "Searching %s for a key and certificate for %s...", certs, name); |
7122
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
82 for i = 1, #crt_try do |
7140
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
83 local crt_path = certs .. crt_try[i]:format(name); |
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
84 local key_path = certs .. key_try[i]:format(name); |
7122
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
85 |
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
86 if stat(crt_path, "mode") == "file" then |
10709
fcf7f50ccdd0
core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents:
8828
diff
changeset
|
87 if crt_path == key_path then |
fcf7f50ccdd0
core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents:
8828
diff
changeset
|
88 if key_path:sub(-4) == ".crt" then |
fcf7f50ccdd0
core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents:
8828
diff
changeset
|
89 key_path = key_path:sub(1, -4) .. "key"; |
11531
2bd91d4a0fcf
core.certmanager: Check for complete filename
Kim Alvefur <zash@zash.se>
parents:
11368
diff
changeset
|
90 elseif key_path:sub(-14) == "/fullchain.pem" then |
10709
fcf7f50ccdd0
core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents:
8828
diff
changeset
|
91 key_path = key_path:sub(1, -14) .. "privkey.pem"; |
7122
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
92 end |
10709
fcf7f50ccdd0
core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents:
8828
diff
changeset
|
93 end |
fcf7f50ccdd0
core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents:
8828
diff
changeset
|
94 |
fcf7f50ccdd0
core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents:
8828
diff
changeset
|
95 if stat(key_path, "mode") == "file" then |
8259
db063671b73e
certmanager: Add debug logging (thanks av6)
Matthew Wild <mwild1@gmail.com>
parents:
8159
diff
changeset
|
96 log("debug", "Selecting certificate %s with key %s for %s", crt_path, key_path, name); |
7145
b1a109858502
certmanager: Try filename.key if certificate is set to a full filename ending with .crt
Kim Alvefur <zash@zash.se>
parents:
7144
diff
changeset
|
97 return { certificate = crt_path, key = key_path }; |
7122
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
98 end |
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
99 end |
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
100 end |
8259
db063671b73e
certmanager: Add debug logging (thanks av6)
Matthew Wild <mwild1@gmail.com>
parents:
8159
diff
changeset
|
101 log("debug", "No certificate/key found for %s", name); |
7122
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
102 end |
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
103 |
11534
1cef62ca3e03
core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents:
11533
diff
changeset
|
104 local function find_matching_key(cert_path) |
1cef62ca3e03
core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents:
11533
diff
changeset
|
105 -- FIXME we shouldn't need to guess the key filename |
1cef62ca3e03
core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents:
11533
diff
changeset
|
106 if cert_path:sub(-4) == ".crt" then |
1cef62ca3e03
core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents:
11533
diff
changeset
|
107 return cert_path:sub(1, -4) .. "key"; |
1cef62ca3e03
core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents:
11533
diff
changeset
|
108 elseif cert_path:sub(-14) == "/fullchain.pem" then |
1cef62ca3e03
core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents:
11533
diff
changeset
|
109 return cert_path:sub(1, -14) .. "privkey.pem"; |
1cef62ca3e03
core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents:
11533
diff
changeset
|
110 end |
1cef62ca3e03
core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents:
11533
diff
changeset
|
111 end |
1cef62ca3e03
core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents:
11533
diff
changeset
|
112 |
11532
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
113 local function index_certs(dir, files_by_name, depth_limit) |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
114 files_by_name = files_by_name or {}; |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
115 depth_limit = depth_limit or 3; |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
116 if depth_limit <= 0 then return files_by_name; end |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
117 |
11538
30feeb4d9d0b
core.certmanager: Catch error from lfs
Kim Alvefur <zash@zash.se>
parents:
11537
diff
changeset
|
118 local ok, iter, v, i = pcall(lfs.dir, dir); |
30feeb4d9d0b
core.certmanager: Catch error from lfs
Kim Alvefur <zash@zash.se>
parents:
11537
diff
changeset
|
119 if not ok then |
30feeb4d9d0b
core.certmanager: Catch error from lfs
Kim Alvefur <zash@zash.se>
parents:
11537
diff
changeset
|
120 log("error", "Error indexing certificate directory %s: %s", dir, iter); |
30feeb4d9d0b
core.certmanager: Catch error from lfs
Kim Alvefur <zash@zash.se>
parents:
11537
diff
changeset
|
121 -- Return an empty index, otherwise this just triggers a nil indexing |
30feeb4d9d0b
core.certmanager: Catch error from lfs
Kim Alvefur <zash@zash.se>
parents:
11537
diff
changeset
|
122 -- error, plus this function would get called again. |
30feeb4d9d0b
core.certmanager: Catch error from lfs
Kim Alvefur <zash@zash.se>
parents:
11537
diff
changeset
|
123 -- Reloading the config after correcting the problem calls this again so |
30feeb4d9d0b
core.certmanager: Catch error from lfs
Kim Alvefur <zash@zash.se>
parents:
11537
diff
changeset
|
124 -- that's what should be done. |
30feeb4d9d0b
core.certmanager: Catch error from lfs
Kim Alvefur <zash@zash.se>
parents:
11537
diff
changeset
|
125 return {}, iter; |
30feeb4d9d0b
core.certmanager: Catch error from lfs
Kim Alvefur <zash@zash.se>
parents:
11537
diff
changeset
|
126 end |
30feeb4d9d0b
core.certmanager: Catch error from lfs
Kim Alvefur <zash@zash.se>
parents:
11537
diff
changeset
|
127 for file in iter, v, i do |
11533
f97592336399
core.certmanager: Join paths with OS-aware util.paths function
Kim Alvefur <zash@zash.se>
parents:
11532
diff
changeset
|
128 local full = pathutil.join(dir, file); |
11532
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
129 if lfs.attributes(full, "mode") == "directory" then |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
130 if file:sub(1,1) ~= "." then |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
131 index_certs(full, files_by_name, depth_limit-1); |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
132 end |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
133 -- TODO support more filename patterns? |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
134 elseif full:match("%.crt$") or full:match("/fullchain%.pem$") then |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
135 local f = io_open(full); |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
136 if f then |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
137 -- TODO look for chained certificates |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
138 local firstline = f:read(); |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
139 if firstline == "-----BEGIN CERTIFICATE-----" then |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
140 f:seek("set") |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
141 local cert = ssl.loadcertificate(f:read("*a")) |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
142 -- TODO if more than one cert is found for a name, the most recently |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
143 -- issued one should be used. |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
144 -- for now, just filter out expired certs |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
145 -- TODO also check if there's a corresponding key |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
146 if cert:validat(now()) then |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
147 local names = x509.get_identities(cert); |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
148 log("debug", "Found certificate %s with identities %q", full, names); |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
149 for name, services in pairs(names) do |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
150 -- TODO check services |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
151 if files_by_name[name] then |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
152 files_by_name[name][full] = services; |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
153 else |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
154 files_by_name[name] = { [full] = services; }; |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
155 end |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
156 end |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
157 end |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
158 end |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
159 f:close(); |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
160 end |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
161 end |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
162 end |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
163 log("debug", "Certificate index: %q", files_by_name); |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
164 -- | hostname | filename | service | |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
165 return files_by_name; |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
166 end |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
167 |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
168 local cert_index; |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
169 |
12104
29765ac7f72f
prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents:
12099
diff
changeset
|
170 local function find_cert_in_index(index, host) |
7140
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
171 if not host then return nil; end |
12104
29765ac7f72f
prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents:
12099
diff
changeset
|
172 if not index then return nil; end |
12105
47c9a76cce7d
core.certmanager: Check index for wildcard certs
Kim Alvefur <zash@zash.se>
parents:
12104
diff
changeset
|
173 local wildcard_host = host:gsub("^[^.]+%.", "*."); |
47c9a76cce7d
core.certmanager: Check index for wildcard certs
Kim Alvefur <zash@zash.se>
parents:
12104
diff
changeset
|
174 local certs = index[host] or index[wildcard_host]; |
11532
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
175 if certs then |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
176 local cert_filename, services = next(certs); |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
177 if services["*"] then |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
178 log("debug", "Using cert %q from index", cert_filename); |
11534
1cef62ca3e03
core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents:
11533
diff
changeset
|
179 return { |
1cef62ca3e03
core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents:
11533
diff
changeset
|
180 certificate = cert_filename, |
1cef62ca3e03
core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents:
11533
diff
changeset
|
181 key = find_matching_key(cert_filename), |
1cef62ca3e03
core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents:
11533
diff
changeset
|
182 } |
11532
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
183 end |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
184 end |
12104
29765ac7f72f
prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents:
12099
diff
changeset
|
185 return nil |
29765ac7f72f
prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents:
12099
diff
changeset
|
186 end |
11532
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
187 |
12104
29765ac7f72f
prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents:
12099
diff
changeset
|
188 local function find_host_cert(host) |
29765ac7f72f
prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents:
12099
diff
changeset
|
189 if not host then return nil; end |
29765ac7f72f
prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents:
12099
diff
changeset
|
190 if not cert_index then |
29765ac7f72f
prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents:
12099
diff
changeset
|
191 cert_index = index_certs(resolve_path(config_path, global_certificates)); |
29765ac7f72f
prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents:
12099
diff
changeset
|
192 end |
29765ac7f72f
prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents:
12099
diff
changeset
|
193 |
29765ac7f72f
prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents:
12099
diff
changeset
|
194 return find_cert_in_index(cert_index, host) or find_cert(configmanager.get(host, "certificate"), host) or find_host_cert(host:match("%.(.+)$")); |
7140
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
195 end |
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
196 |
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
197 local function find_service_cert(service, port) |
11532
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
198 if not cert_index then |
11537
a09685a7b330
core.certmanager: Resolve certs path relative to config dir
Kim Alvefur <zash@zash.se>
parents:
11534
diff
changeset
|
199 cert_index = index_certs(resolve_path(config_path, global_certificates)); |
11532
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
200 end |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
201 for _, certs in pairs(cert_index) do |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
202 for cert_filename, services in pairs(certs) do |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
203 if services[service] or services["*"] then |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
204 log("debug", "Using cert %q from index", cert_filename); |
11534
1cef62ca3e03
core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents:
11533
diff
changeset
|
205 return { |
1cef62ca3e03
core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents:
11533
diff
changeset
|
206 certificate = cert_filename, |
1cef62ca3e03
core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents:
11533
diff
changeset
|
207 key = find_matching_key(cert_filename), |
1cef62ca3e03
core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents:
11533
diff
changeset
|
208 } |
11532
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
209 end |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
210 end |
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
211 end |
7140
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
212 local cert_config = configmanager.get("*", service.."_certificate"); |
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
213 if type(cert_config) == "table" then |
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
214 cert_config = cert_config[port] or cert_config.default; |
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
215 end |
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
216 return find_cert(cert_config, service); |
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
217 end |
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
218 |
6079
5cffee5b2826
certmanager: Reformat core ssl defaults
Kim Alvefur <zash@zash.se>
parents:
6078
diff
changeset
|
219 -- Built-in defaults |
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
220 local core_defaults = { |
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
221 capath = "/etc/ssl/certs"; |
6568
b54b33f59c6e
certmanager: Limit certificate chain depth to 9
Kim Alvefur <zash@zash.se>
parents:
6567
diff
changeset
|
222 depth = 9; |
6078
30ac122acdd3
certmanager: Support ssl.protocol syntax like "tlsv1+" that disables older protocols
Kim Alvefur <zash@zash.se>
parents:
6077
diff
changeset
|
223 protocol = "tlsv1+"; |
9852
6ea3cafb6ac3
core.certmanager: Do not ask for client certificates by default
Kim Alvefur <zash@zash.se>
parents:
8828
diff
changeset
|
224 verify = "none"; |
6079
5cffee5b2826
certmanager: Reformat core ssl defaults
Kim Alvefur <zash@zash.se>
parents:
6078
diff
changeset
|
225 options = { |
8403
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8279
diff
changeset
|
226 cipher_server_preference = luasec_has.options.cipher_server_preference; |
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8279
diff
changeset
|
227 no_ticket = luasec_has.options.no_ticket; |
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8279
diff
changeset
|
228 no_compression = luasec_has.options.no_compression and configmanager.get("*", "ssl_compression") ~= true; |
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8279
diff
changeset
|
229 single_dh_use = luasec_has.options.single_dh_use; |
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8279
diff
changeset
|
230 single_ecdh_use = luasec_has.options.single_ecdh_use; |
11551
aaf9c6b6d18d
certmanager: Disable renegotiation by default
Matthew Wild <mwild1@gmail.com>
parents:
11549
diff
changeset
|
231 no_renegotiation = luasec_has.options.no_renegotiation; |
6079
5cffee5b2826
certmanager: Reformat core ssl defaults
Kim Alvefur <zash@zash.se>
parents:
6078
diff
changeset
|
232 }; |
11368
0bc3acf37428
core.certmanager: Add comments explaining the 'verifyext' TLS settings
Kim Alvefur <zash@zash.se>
parents:
10919
diff
changeset
|
233 verifyext = { |
0bc3acf37428
core.certmanager: Add comments explaining the 'verifyext' TLS settings
Kim Alvefur <zash@zash.se>
parents:
10919
diff
changeset
|
234 "lsec_continue", -- Continue past certificate verification errors |
0bc3acf37428
core.certmanager: Add comments explaining the 'verifyext' TLS settings
Kim Alvefur <zash@zash.se>
parents:
10919
diff
changeset
|
235 "lsec_ignore_purpose", -- Validate client certificates as if they were server certificates |
0bc3acf37428
core.certmanager: Add comments explaining the 'verifyext' TLS settings
Kim Alvefur <zash@zash.se>
parents:
10919
diff
changeset
|
236 }; |
8405
a3cf899fd61b
certmanager: Set single curve conditioned on LuaSec advertising EC crypto support
Kim Alvefur <zash@zash.se>
parents:
8404
diff
changeset
|
237 curve = luasec_has.algorithms.ec and not luasec_has.capabilities.curves_list and "secp384r1"; |
8279
92cddfe65003
core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents:
8274
diff
changeset
|
238 curveslist = { |
92cddfe65003
core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents:
8274
diff
changeset
|
239 "X25519", |
92cddfe65003
core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents:
8274
diff
changeset
|
240 "P-384", |
92cddfe65003
core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents:
8274
diff
changeset
|
241 "P-256", |
92cddfe65003
core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents:
8274
diff
changeset
|
242 "P-521", |
92cddfe65003
core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents:
8274
diff
changeset
|
243 }; |
7663
54424e981796
core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents:
7531
diff
changeset
|
244 ciphers = { -- Enabled ciphers in order of preference: |
10721
3a1b1d3084fb
core.certmanager: Move EECDH ciphers before EDH in default cipherstring (fixes #1513)
Kim Alvefur <zash@zash.se>
parents:
10709
diff
changeset
|
245 "HIGH+kEECDH", -- Ephemeral Elliptic curve Diffie-Hellman key exchange |
7663
54424e981796
core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents:
7531
diff
changeset
|
246 "HIGH+kEDH", -- Ephemeral Diffie-Hellman key exchange, if a 'dhparam' file is set |
54424e981796
core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents:
7531
diff
changeset
|
247 "HIGH", -- Other "High strength" ciphers |
54424e981796
core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents:
7531
diff
changeset
|
248 -- Disabled cipher suites: |
54424e981796
core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents:
7531
diff
changeset
|
249 "!PSK", -- Pre-Shared Key - not used for XMPP |
54424e981796
core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents:
7531
diff
changeset
|
250 "!SRP", -- Secure Remote Password - not used for XMPP |
54424e981796
core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents:
7531
diff
changeset
|
251 "!3DES", -- 3DES - slow and of questionable security |
54424e981796
core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents:
7531
diff
changeset
|
252 "!aNULL", -- Ciphers that does not authenticate the connection |
54424e981796
core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents:
7531
diff
changeset
|
253 }; |
12150
653a48b5a25b
core.certmanager: Disable DANE name checks (not needed for XMPP)
Kim Alvefur <zash@zash.se>
parents:
12120
diff
changeset
|
254 dane = luasec_has.capabilities.dane and configmanager.get("*", "use_dane") and { "no_ee_namechecks" }; |
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
255 } |
8404
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8403
diff
changeset
|
256 |
12096
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
257 local mozilla_ssl_configs = { |
12097
9c794d5f6f8d
core.certmanager: Add TLS 1.3 cipher suites to Mozilla TLS presets
Kim Alvefur <zash@zash.se>
parents:
12096
diff
changeset
|
258 -- https://wiki.mozilla.org/Security/Server_Side_TLS |
12120
0fcd80a55f15
core.certmanager: Add curveslist to 'old' Mozilla TLS preset
Kim Alvefur <zash@zash.se>
parents:
12105
diff
changeset
|
259 -- Version 5.6 as of 2021-12-26 |
12096
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
260 modern = { |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
261 protocol = "tlsv1_3"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
262 options = { cipher_server_preference = false }; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
263 ciphers = "DEFAULT"; -- TLS 1.3 uses 'ciphersuites' rather than these |
12097
9c794d5f6f8d
core.certmanager: Add TLS 1.3 cipher suites to Mozilla TLS presets
Kim Alvefur <zash@zash.se>
parents:
12096
diff
changeset
|
264 curveslist = { "X25519"; "prime256v1"; "secp384r1" }; |
9c794d5f6f8d
core.certmanager: Add TLS 1.3 cipher suites to Mozilla TLS presets
Kim Alvefur <zash@zash.se>
parents:
12096
diff
changeset
|
265 ciphersuites = { "TLS_AES_128_GCM_SHA256"; "TLS_AES_256_GCM_SHA384"; "TLS_CHACHA20_POLY1305_SHA256" }; |
12096
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
266 }; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
267 intermediate = { |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
268 protocol = "tlsv1_2+"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
269 dhparam = nil; -- ffdhe2048.txt |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
270 options = { cipher_server_preference = false }; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
271 ciphers = { |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
272 "ECDHE-ECDSA-AES128-GCM-SHA256"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
273 "ECDHE-RSA-AES128-GCM-SHA256"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
274 "ECDHE-ECDSA-AES256-GCM-SHA384"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
275 "ECDHE-RSA-AES256-GCM-SHA384"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
276 "ECDHE-ECDSA-CHACHA20-POLY1305"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
277 "ECDHE-RSA-CHACHA20-POLY1305"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
278 "DHE-RSA-AES128-GCM-SHA256"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
279 "DHE-RSA-AES256-GCM-SHA384"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
280 }; |
12097
9c794d5f6f8d
core.certmanager: Add TLS 1.3 cipher suites to Mozilla TLS presets
Kim Alvefur <zash@zash.se>
parents:
12096
diff
changeset
|
281 curveslist = { "X25519"; "prime256v1"; "secp384r1" }; |
9c794d5f6f8d
core.certmanager: Add TLS 1.3 cipher suites to Mozilla TLS presets
Kim Alvefur <zash@zash.se>
parents:
12096
diff
changeset
|
282 ciphersuites = { "TLS_AES_128_GCM_SHA256"; "TLS_AES_256_GCM_SHA384"; "TLS_CHACHA20_POLY1305_SHA256" }; |
12096
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
283 }; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
284 old = { |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
285 protocol = "tlsv1+"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
286 dhparam = nil; -- openssl dhparam 1024 |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
287 options = { cipher_server_preference = true }; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
288 ciphers = { |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
289 "ECDHE-ECDSA-AES128-GCM-SHA256"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
290 "ECDHE-RSA-AES128-GCM-SHA256"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
291 "ECDHE-ECDSA-AES256-GCM-SHA384"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
292 "ECDHE-RSA-AES256-GCM-SHA384"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
293 "ECDHE-ECDSA-CHACHA20-POLY1305"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
294 "ECDHE-RSA-CHACHA20-POLY1305"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
295 "DHE-RSA-AES128-GCM-SHA256"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
296 "DHE-RSA-AES256-GCM-SHA384"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
297 "DHE-RSA-CHACHA20-POLY1305"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
298 "ECDHE-ECDSA-AES128-SHA256"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
299 "ECDHE-RSA-AES128-SHA256"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
300 "ECDHE-ECDSA-AES128-SHA"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
301 "ECDHE-RSA-AES128-SHA"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
302 "ECDHE-ECDSA-AES256-SHA384"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
303 "ECDHE-RSA-AES256-SHA384"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
304 "ECDHE-ECDSA-AES256-SHA"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
305 "ECDHE-RSA-AES256-SHA"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
306 "DHE-RSA-AES128-SHA256"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
307 "DHE-RSA-AES256-SHA256"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
308 "AES128-GCM-SHA256"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
309 "AES256-GCM-SHA384"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
310 "AES128-SHA256"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
311 "AES256-SHA256"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
312 "AES128-SHA"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
313 "AES256-SHA"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
314 "DES-CBC3-SHA"; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
315 }; |
12120
0fcd80a55f15
core.certmanager: Add curveslist to 'old' Mozilla TLS preset
Kim Alvefur <zash@zash.se>
parents:
12105
diff
changeset
|
316 curveslist = { "X25519"; "prime256v1"; "secp384r1" }; |
12097
9c794d5f6f8d
core.certmanager: Add TLS 1.3 cipher suites to Mozilla TLS presets
Kim Alvefur <zash@zash.se>
parents:
12096
diff
changeset
|
317 ciphersuites = { "TLS_AES_128_GCM_SHA256"; "TLS_AES_256_GCM_SHA384"; "TLS_CHACHA20_POLY1305_SHA256" }; |
12096
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
318 }; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
319 }; |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
320 |
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
321 |
8404
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8403
diff
changeset
|
322 if luasec_has.curves then |
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8403
diff
changeset
|
323 for i = #core_defaults.curveslist, 1, -1 do |
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8403
diff
changeset
|
324 if not luasec_has.curves[ core_defaults.curveslist[i] ] then |
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8403
diff
changeset
|
325 t_remove(core_defaults.curveslist, i); |
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8403
diff
changeset
|
326 end |
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8403
diff
changeset
|
327 end |
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8403
diff
changeset
|
328 else |
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8403
diff
changeset
|
329 core_defaults.curveslist = nil; |
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8403
diff
changeset
|
330 end |
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8403
diff
changeset
|
331 |
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
332 local path_options = { -- These we pass through resolve_path() |
5822
970c666c5586
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5821
diff
changeset
|
333 key = true, certificate = true, cafile = true, capath = true, dhparam = true |
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
334 } |
5282
4cd57cb49f99
core.certmanager: Add support for LuaSec 0.5. Also compat with MattJs luasec-hg
Kim Alvefur <zash@zash.se>
parents:
4992
diff
changeset
|
335 |
6779
6236668da30a
core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents:
6570
diff
changeset
|
336 local function create_context(host, mode, ...) |
6293
851fb5e9fa0c
core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents:
6165
diff
changeset
|
337 local cfg = new_config(); |
851fb5e9fa0c
core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents:
6165
diff
changeset
|
338 cfg:apply(core_defaults); |
8827
1a29b56a2d63
core.certmanager: Allow all non-whitespace in service name (fixes #1019)
Kim Alvefur <zash@zash.se>
parents:
8494
diff
changeset
|
339 local service_name, port = host:match("^(%S+) port (%d+)$"); |
11591
e7a964572f6b
core.certmanager: Skip service certificate lookup for https client
Kim Alvefur <zash@zash.se>
parents:
11560
diff
changeset
|
340 -- port 0 is used with client-only things that normally don't need certificates, e.g. https |
e7a964572f6b
core.certmanager: Skip service certificate lookup for https client
Kim Alvefur <zash@zash.se>
parents:
11560
diff
changeset
|
341 if service_name and port ~= "0" then |
11532
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
342 log("debug", "Automatically locating certs for service %s on port %s", service_name, port); |
7140
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
343 cfg:apply(find_service_cert(service_name, tonumber(port))); |
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
344 else |
11532
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
345 log("debug", "Automatically locating certs for host %s", host); |
7140
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
346 cfg:apply(find_host_cert(host)); |
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
347 end |
6293
851fb5e9fa0c
core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents:
6165
diff
changeset
|
348 cfg:apply({ |
851fb5e9fa0c
core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents:
6165
diff
changeset
|
349 mode = mode, |
851fb5e9fa0c
core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents:
6165
diff
changeset
|
350 -- We can't read the password interactively when daemonized |
851fb5e9fa0c
core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents:
6165
diff
changeset
|
351 password = function() log("error", "Encrypted certificate for %s requires 'ssl' 'password' to be set in config", host); end; |
851fb5e9fa0c
core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents:
6165
diff
changeset
|
352 }); |
12099
b344edad61d3
core.certmanager: Rename preset option to 'tls_preset'
Kim Alvefur <zash@zash.se>
parents:
12098
diff
changeset
|
353 local preset = configmanager.get("*", "tls_preset") or "intermediate"; |
12098
9591b838e3b0
core.certmanager: Add "legacy" preset for keeping previous default settings
Kim Alvefur <zash@zash.se>
parents:
12097
diff
changeset
|
354 if preset ~= "legacy" then |
9591b838e3b0
core.certmanager: Add "legacy" preset for keeping previous default settings
Kim Alvefur <zash@zash.se>
parents:
12097
diff
changeset
|
355 cfg:apply(mozilla_ssl_configs[preset]); |
9591b838e3b0
core.certmanager: Add "legacy" preset for keeping previous default settings
Kim Alvefur <zash@zash.se>
parents:
12097
diff
changeset
|
356 end |
12196
b05e0b422ff7
core.certmanager: Apply TLS preset before global settings (thanks Menel)
Kim Alvefur <zash@zash.se>
parents:
12150
diff
changeset
|
357 cfg:apply(global_ssl_config); |
6076
e0713386319a
certmanager: Wrap long line and add comment
Kim Alvefur <zash@zash.se>
parents:
6075
diff
changeset
|
358 |
6294
0033b021038f
core.certmanager: Make create_context() support an arbitrary number of option sets, merging all
Kim Alvefur <zash@zash.se>
parents:
6293
diff
changeset
|
359 for i = select('#', ...), 1, -1 do |
0033b021038f
core.certmanager: Make create_context() support an arbitrary number of option sets, merging all
Kim Alvefur <zash@zash.se>
parents:
6293
diff
changeset
|
360 cfg:apply(select(i, ...)); |
0033b021038f
core.certmanager: Make create_context() support an arbitrary number of option sets, merging all
Kim Alvefur <zash@zash.se>
parents:
6293
diff
changeset
|
361 end |
0033b021038f
core.certmanager: Make create_context() support an arbitrary number of option sets, merging all
Kim Alvefur <zash@zash.se>
parents:
6293
diff
changeset
|
362 local user_ssl_config = cfg:final(); |
6293
851fb5e9fa0c
core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents:
6165
diff
changeset
|
363 |
851fb5e9fa0c
core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents:
6165
diff
changeset
|
364 if mode == "server" then |
10237
a36af4570b39
core.certmanager: Lower severity for tls config not having cert
Kim Alvefur <zash@zash.se>
parents:
10227
diff
changeset
|
365 if not user_ssl_config.certificate then |
a36af4570b39
core.certmanager: Lower severity for tls config not having cert
Kim Alvefur <zash@zash.se>
parents:
10227
diff
changeset
|
366 log("info", "No certificate present in SSL/TLS configuration for %s. SNI will be required.", host); |
a36af4570b39
core.certmanager: Lower severity for tls config not having cert
Kim Alvefur <zash@zash.se>
parents:
10227
diff
changeset
|
367 end |
a36af4570b39
core.certmanager: Lower severity for tls config not having cert
Kim Alvefur <zash@zash.se>
parents:
10227
diff
changeset
|
368 if user_ssl_config.certificate and not user_ssl_config.key then return nil, "No key present in SSL/TLS configuration for "..host; end |
6077
6999d4415a58
certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost
Kim Alvefur <zash@zash.se>
parents:
6076
diff
changeset
|
369 end |
6999d4415a58
certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost
Kim Alvefur <zash@zash.se>
parents:
6076
diff
changeset
|
370 |
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
371 for option in pairs(path_options) do |
5822
970c666c5586
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5821
diff
changeset
|
372 if type(user_ssl_config[option]) == "string" then |
970c666c5586
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5821
diff
changeset
|
373 user_ssl_config[option] = resolve_path(config_path, user_ssl_config[option]); |
6903
5ff42d85d4d5
core.certmanager: Remove non-string filenames (allows setting eg capath to false to disable the built in default)
Kim Alvefur <zash@zash.se>
parents:
6779
diff
changeset
|
374 else |
5ff42d85d4d5
core.certmanager: Remove non-string filenames (allows setting eg capath to false to disable the built in default)
Kim Alvefur <zash@zash.se>
parents:
6779
diff
changeset
|
375 user_ssl_config[option] = nil; |
5822
970c666c5586
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5821
diff
changeset
|
376 end |
5816
20e2b588f8c2
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5815
diff
changeset
|
377 end |
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
378 |
5816
20e2b588f8c2
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5815
diff
changeset
|
379 -- LuaSec expects dhparam to be a callback that takes two arguments. |
20e2b588f8c2
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5815
diff
changeset
|
380 -- We ignore those because it is mostly used for having a separate |
20e2b588f8c2
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5815
diff
changeset
|
381 -- set of params for EXPORT ciphers, which we don't have by default. |
5822
970c666c5586
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5821
diff
changeset
|
382 if type(user_ssl_config.dhparam) == "string" then |
970c666c5586
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5821
diff
changeset
|
383 local f, err = io_open(user_ssl_config.dhparam); |
5816
20e2b588f8c2
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5815
diff
changeset
|
384 if not f then return nil, "Could not open DH parameters: "..err end |
20e2b588f8c2
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5815
diff
changeset
|
385 local dhparam = f:read("*a"); |
20e2b588f8c2
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5815
diff
changeset
|
386 f:close(); |
5822
970c666c5586
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5821
diff
changeset
|
387 user_ssl_config.dhparam = function() return dhparam; end |
5816
20e2b588f8c2
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5815
diff
changeset
|
388 end |
20e2b588f8c2
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5815
diff
changeset
|
389 |
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
390 local ctx, err = ssl_newcontext(user_ssl_config); |
4359
c69cbac4178f
certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents:
3670
diff
changeset
|
391 |
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
392 -- COMPAT Older LuaSec ignores the cipher list from the config, so we have to take care |
4359
c69cbac4178f
certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents:
3670
diff
changeset
|
393 -- of it ourselves (W/A for #x) |
c69cbac4178f
certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents:
3670
diff
changeset
|
394 if ctx and user_ssl_config.ciphers then |
c69cbac4178f
certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents:
3670
diff
changeset
|
395 local success; |
6565
ffc0a57889aa
certmanager: Add locals for ssl.context and ssl.x509
Kim Alvefur <zash@zash.se>
parents:
6564
diff
changeset
|
396 success, err = ssl_context.setcipher(ctx, user_ssl_config.ciphers); |
4359
c69cbac4178f
certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents:
3670
diff
changeset
|
397 if not success then ctx = nil; end |
c69cbac4178f
certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents:
3670
diff
changeset
|
398 end |
c69cbac4178f
certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents:
3670
diff
changeset
|
399 |
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
400 if not ctx then |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
401 err = err or "invalid ssl config" |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
402 local file = err:match("^error loading (.-) %("); |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
403 if file then |
7743
d018ffc9238c
core.certmanager: Translate "no start line" to something friendlier (thanks santiago)
Kim Alvefur <zash@zash.se>
parents:
7663
diff
changeset
|
404 local typ; |
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
405 if file == "private key" then |
7743
d018ffc9238c
core.certmanager: Translate "no start line" to something friendlier (thanks santiago)
Kim Alvefur <zash@zash.se>
parents:
7663
diff
changeset
|
406 typ = file; |
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
407 file = user_ssl_config.key or "your private key"; |
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
408 elseif file == "certificate" then |
7743
d018ffc9238c
core.certmanager: Translate "no start line" to something friendlier (thanks santiago)
Kim Alvefur <zash@zash.se>
parents:
7663
diff
changeset
|
409 typ = file; |
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
410 file = user_ssl_config.certificate or "your certificate file"; |
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
411 end |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
412 local reason = err:match("%((.+)%)$") or "some reason"; |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
413 if reason == "Permission denied" then |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
414 reason = "Check that the permissions allow Prosody to read this file."; |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
415 elseif reason == "No such file or directory" then |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
416 reason = "Check that the path is correct, and the file exists."; |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
417 elseif reason == "system lib" then |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
418 reason = "Previous error (see logs), or other system error."; |
7743
d018ffc9238c
core.certmanager: Translate "no start line" to something friendlier (thanks santiago)
Kim Alvefur <zash@zash.se>
parents:
7663
diff
changeset
|
419 elseif reason == "no start line" then |
d018ffc9238c
core.certmanager: Translate "no start line" to something friendlier (thanks santiago)
Kim Alvefur <zash@zash.se>
parents:
7663
diff
changeset
|
420 reason = "Check that the file contains a "..(typ or file); |
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
421 elseif reason == "(null)" or not reason then |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
422 reason = "Check that the file exists and the permissions are correct"; |
2630
e8fc67b73820
certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
423 else |
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
424 reason = "Reason: "..tostring(reason):lower(); |
2630
e8fc67b73820
certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
425 end |
4925
55f6e0673e33
certmanager: Add quotes around cert file path when logging.
Waqas Hussain <waqas20@gmail.com>
parents:
4900
diff
changeset
|
426 log("error", "SSL/TLS: Failed to load '%s': %s (for %s)", file, reason, host); |
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
427 else |
4855
a31ea431d906
certmanager: Adjust error messages to be non-specific about 'host' (so we can specify a service name instead ffor SSL)
Matthew Wild <mwild1@gmail.com>
parents:
4656
diff
changeset
|
428 log("error", "SSL/TLS: Error initialising for %s: %s", host, err); |
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
429 end |
3540
bc139431830b
Monster whitespace commit (beware the whitespace monster).
Waqas Hussain <waqas20@gmail.com>
parents:
3402
diff
changeset
|
430 end |
6526
873538f0b18c
certmanager, mod_tls: Return final ssl config as third return value (fix for c6caaa440e74, portmanager assumes non-falsy second return value is an error) (thanks deoren)
Kim Alvefur <zash@zash.se>
parents:
6520
diff
changeset
|
431 return ctx, err, user_ssl_config; |
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
432 end |
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
433 |
6779
6236668da30a
core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents:
6570
diff
changeset
|
434 local function reload_ssl_config() |
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
435 global_ssl_config = configmanager.get("*", "ssl"); |
8159
3850993a9bda
certmanager: Update the 'certificates' option after the config has been reloaded (fixes #929)
Kim Alvefur <zash@zash.se>
parents:
7743
diff
changeset
|
436 global_certificates = configmanager.get("*", "certificates") or "certs"; |
8403
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8279
diff
changeset
|
437 if luasec_has.options.no_compression then |
6080
b7d1607df87d
certmanager: Update ssl_compression when config is reloaded
Kim Alvefur <zash@zash.se>
parents:
6079
diff
changeset
|
438 core_defaults.options.no_compression = configmanager.get("*", "ssl_compression") ~= true; |
b7d1607df87d
certmanager: Update ssl_compression when config is reloaded
Kim Alvefur <zash@zash.se>
parents:
6079
diff
changeset
|
439 end |
11709
5810166f35d5
core.certmanager: Support 'use_dane' setting to enable DANE support
Kim Alvefur <zash@zash.se>
parents:
11591
diff
changeset
|
440 core_defaults.dane = configmanager.get("*", "use_dane") or false; |
11537
a09685a7b330
core.certmanager: Resolve certs path relative to config dir
Kim Alvefur <zash@zash.se>
parents:
11534
diff
changeset
|
441 cert_index = index_certs(resolve_path(config_path, global_certificates)); |
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
442 end |
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
443 |
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
444 prosody.events.add_handler("config-reloaded", reload_ssl_config); |
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
445 |
6779
6236668da30a
core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents:
6570
diff
changeset
|
446 return { |
6236668da30a
core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents:
6570
diff
changeset
|
447 create_context = create_context; |
6236668da30a
core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents:
6570
diff
changeset
|
448 reload_ssl_config = reload_ssl_config; |
8274
3798955049e3
prosodyctl: cert import: Reuse function from certmanager for locating certificates and keys
Kim Alvefur <zash@zash.se>
parents:
8259
diff
changeset
|
449 find_cert = find_cert; |
12104
29765ac7f72f
prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents:
12099
diff
changeset
|
450 index_certs = index_certs; |
10463
fbeb7a3fc4eb
core.portmanager: Fix TLS context inheritance for SNI hosts (completes SNI support)
Kim Alvefur <zash@zash.se>
parents:
10237
diff
changeset
|
451 find_host_cert = find_host_cert; |
12104
29765ac7f72f
prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents:
12099
diff
changeset
|
452 find_cert_in_index = find_cert_in_index; |
6779
6236668da30a
core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents:
6570
diff
changeset
|
453 }; |