prosody
bcf32653cab7
core/certmanager.lua

Find changesets by keywords by author, files, the commit message, revision number or hash, or revset expression.

Software / code / prosody

Annotate

core/certmanager.lua @ 6564:bcf32653cab7

certmanager: Early return from the entire module if LuaSec is unavailable
author Kim Alvefur <zash@zash.se>
date Thu, 05 Feb 2015 15:10:23 +0100
parent 6547:2f65de21ff56
child 6565:ffc0a57889aa
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
3369
9a96969d4670 certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents: 3368
diff changeset
1 -- Prosody IM
9a96969d4670 certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents: 3368
diff changeset
2 -- Copyright (C) 2008-2010 Matthew Wild
9a96969d4670 certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents: 3368
diff changeset
3 -- Copyright (C) 2008-2010 Waqas Hussain
5776
bd0ff8ae98a8 Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents: 5746
diff changeset
4 --
3369
9a96969d4670 certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents: 3368
diff changeset
5 -- This project is MIT/X11 licensed. Please see the
9a96969d4670 certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents: 3368
diff changeset
6 -- COPYING file in the source package for more information.
9a96969d4670 certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents: 3368
diff changeset
7 --
9a96969d4670 certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents: 3368
diff changeset
8
6564
bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents: 6547
diff changeset
9 local softreq = require"util.dependencies".softreq;
bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents: 6547
diff changeset
10 local ssl = softreq"ssl";
bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents: 6547
diff changeset
11 if not ssl then
bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents: 6547
diff changeset
12 return {
bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents: 6547
diff changeset
13 create_context = function ()
bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents: 6547
diff changeset
14 return nil, "LuaSec (required for encryption) was not found";
bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents: 6547
diff changeset
15 end;
bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents: 6547
diff changeset
16 reload_ssl_config = function () end;
bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents: 6547
diff changeset
17 }
bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents: 6547
diff changeset
18 end
bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents: 6547
diff changeset
19
2554
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
20 local configmanager = require "core.configmanager";
2630
e8fc67b73820 certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents: 2564
diff changeset
21 local log = require "util.logger".init("certmanager");
6564
bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents: 6547
diff changeset
22 local ssl_newcontext = ssl.newcontext;
6293
851fb5e9fa0c core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents: 6165
diff changeset
23 local new_config = require"util.sslconfig".new;
2554
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
24
4992
e79e4d1f75de certmanager: Remove unused import of setmetatable
Matthew Wild <mwild1@gmail.com>
parents: 4991
diff changeset
25 local tostring = tostring;
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
26 local pairs = pairs;
5820
6bc4077bc1f9 certmanager: Fix dhparam callback, missing imports (Testing, pfft)
Kim Alvefur <zash@zash.se>
parents: 5816
diff changeset
27 local type = type;
6bc4077bc1f9 certmanager: Fix dhparam callback, missing imports (Testing, pfft)
Kim Alvefur <zash@zash.se>
parents: 5816
diff changeset
28 local io_open = io.open;
6294
0033b021038f core.certmanager: Make create_context() support an arbitrary number of option sets, merging all
Kim Alvefur <zash@zash.se>
parents: 6293
diff changeset
29 local select = select;
2554
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
30
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
31 local prosody = prosody;
6165
6a184b16b717 core.certmanager, core.moduleapi, mod_storage_sql, mod_storage_sql2: Import from util.paths
Kim Alvefur <zash@zash.se>
parents: 6089
diff changeset
32 local resolve_path = require"util.paths".resolve_relative_path;
3402
dfc369314e53 prosody.resolve_relative_path: Updated to take a parent path to resolve against.
Waqas Hussain <waqas20@gmail.com>
parents: 3400
diff changeset
33 local config_path = prosody.paths.config;
2554
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
34
5621
63cfd59999b6 certmanager: Disable SSL compression if possible (LuaSec 0.5 or 0.4.1+OpenSSL 1.x)
Matthew Wild <mwild1@gmail.com>
parents: 5377
diff changeset
35 local luasec_has_noticket, luasec_has_verifyext, luasec_has_no_compression;
6564
bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents: 6547
diff changeset
36 local luasec_major, luasec_minor = ssl._VERSION:match("^(%d+)%.(%d+)");
bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents: 6547
diff changeset
37 luasec_has_noticket = tonumber(luasec_major)>0 or tonumber(luasec_minor)>=4;
bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents: 6547
diff changeset
38 luasec_has_verifyext = tonumber(luasec_major)>0 or tonumber(luasec_minor)>=5;
bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents: 6547
diff changeset
39 luasec_has_no_compression = tonumber(luasec_major)>0 or tonumber(luasec_minor)>=5;
4899
0b8134015635 certmanager: Don't use no_ticket option before LuaSec 0.4
Matthew Wild <mwild1@gmail.com>
parents: 4890
diff changeset
40
2554
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
41 module "certmanager"
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
42
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
43 -- Global SSL options if not overridden per-host
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
44 local global_ssl_config = configmanager.get("*", "ssl");
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
45
6079
5cffee5b2826 certmanager: Reformat core ssl defaults
Kim Alvefur <zash@zash.se>
parents: 6078
diff changeset
46 -- Built-in defaults
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
47 local core_defaults = {
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
48 capath = "/etc/ssl/certs";
6078
30ac122acdd3 certmanager: Support ssl.protocol syntax like "tlsv1+" that disables older protocols
Kim Alvefur <zash@zash.se>
parents: 6077
diff changeset
49 protocol = "tlsv1+";
6564
bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents: 6547
diff changeset
50 verify = (ssl.x509 and { "peer", "client_once", }) or "none";
6079
5cffee5b2826 certmanager: Reformat core ssl defaults
Kim Alvefur <zash@zash.se>
parents: 6078
diff changeset
51 options = {
5cffee5b2826 certmanager: Reformat core ssl defaults
Kim Alvefur <zash@zash.se>
parents: 6078
diff changeset
52 cipher_server_preference = true;
5cffee5b2826 certmanager: Reformat core ssl defaults
Kim Alvefur <zash@zash.se>
parents: 6078
diff changeset
53 no_ticket = luasec_has_noticket;
5cffee5b2826 certmanager: Reformat core ssl defaults
Kim Alvefur <zash@zash.se>
parents: 6078
diff changeset
54 no_compression = luasec_has_no_compression and configmanager.get("*", "ssl_compression") ~= true;
5cffee5b2826 certmanager: Reformat core ssl defaults
Kim Alvefur <zash@zash.se>
parents: 6078
diff changeset
55 -- Has no_compression? Then it has these too...
5cffee5b2826 certmanager: Reformat core ssl defaults
Kim Alvefur <zash@zash.se>
parents: 6078
diff changeset
56 single_dh_use = luasec_has_no_compression;
5cffee5b2826 certmanager: Reformat core ssl defaults
Kim Alvefur <zash@zash.se>
parents: 6078
diff changeset
57 single_ecdh_use = luasec_has_no_compression;
5cffee5b2826 certmanager: Reformat core ssl defaults
Kim Alvefur <zash@zash.se>
parents: 6078
diff changeset
58 };
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
59 verifyext = { "lsec_continue", "lsec_ignore_purpose" };
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
60 curve = "secp384r1";
5922
dd11480ecd47 Merge 0.9->0.10
Matthew Wild <mwild1@gmail.com>
parents: 5916 5921
diff changeset
61 ciphers = "HIGH+kEDH:HIGH+kEECDH:HIGH:!PSK:!SRP:!3DES:!aNULL";
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
62 }
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
63 local path_options = { -- These we pass through resolve_path()
5822
970c666c5586 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5821
diff changeset
64 key = true, certificate = true, cafile = true, capath = true, dhparam = true
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
65 }
5282
4cd57cb49f99 core.certmanager: Add support for LuaSec 0.5. Also compat with MattJs luasec-hg
Kim Alvefur <zash@zash.se>
parents: 4992
diff changeset
66
6564
bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents: 6547
diff changeset
67 if not luasec_has_verifyext and ssl.x509 then
5282
4cd57cb49f99 core.certmanager: Add support for LuaSec 0.5. Also compat with MattJs luasec-hg
Kim Alvefur <zash@zash.se>
parents: 4992
diff changeset
68 -- COMPAT mw/luasec-hg
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
69 for i=1,#core_defaults.verifyext do -- Remove lsec_ prefix
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
70 core_defaults.verify[#core_defaults.verify+1] = core_defaults.verifyext[i]:sub(6);
5282
4cd57cb49f99 core.certmanager: Add support for LuaSec 0.5. Also compat with MattJs luasec-hg
Kim Alvefur <zash@zash.se>
parents: 4992
diff changeset
71 end
4cd57cb49f99 core.certmanager: Add support for LuaSec 0.5. Also compat with MattJs luasec-hg
Kim Alvefur <zash@zash.se>
parents: 4992
diff changeset
72 end
5678
b7ebeae14053 certmanager: Add single_dh_use and single_ecdh_use to default options
Matthew Wild <mwild1@gmail.com>
parents: 5676
diff changeset
73
6294
0033b021038f core.certmanager: Make create_context() support an arbitrary number of option sets, merging all
Kim Alvefur <zash@zash.se>
parents: 6293
diff changeset
74 function create_context(host, mode, ...)
6293
851fb5e9fa0c core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents: 6165
diff changeset
75 local cfg = new_config();
851fb5e9fa0c core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents: 6165
diff changeset
76 cfg:apply(core_defaults);
851fb5e9fa0c core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents: 6165
diff changeset
77 cfg:apply(global_ssl_config);
851fb5e9fa0c core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents: 6165
diff changeset
78 cfg:apply({
851fb5e9fa0c core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents: 6165
diff changeset
79 mode = mode,
851fb5e9fa0c core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents: 6165
diff changeset
80 -- We can't read the password interactively when daemonized
851fb5e9fa0c core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents: 6165
diff changeset
81 password = function() log("error", "Encrypted certificate for %s requires 'ssl' 'password' to be set in config", host); end;
851fb5e9fa0c core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents: 6165
diff changeset
82 });
6076
e0713386319a certmanager: Wrap long line and add comment
Kim Alvefur <zash@zash.se>
parents: 6075
diff changeset
83
6294
0033b021038f core.certmanager: Make create_context() support an arbitrary number of option sets, merging all
Kim Alvefur <zash@zash.se>
parents: 6293
diff changeset
84 for i = select('#', ...), 1, -1 do
0033b021038f core.certmanager: Make create_context() support an arbitrary number of option sets, merging all
Kim Alvefur <zash@zash.se>
parents: 6293
diff changeset
85 cfg:apply(select(i, ...));
0033b021038f core.certmanager: Make create_context() support an arbitrary number of option sets, merging all
Kim Alvefur <zash@zash.se>
parents: 6293
diff changeset
86 end
0033b021038f core.certmanager: Make create_context() support an arbitrary number of option sets, merging all
Kim Alvefur <zash@zash.se>
parents: 6293
diff changeset
87 local user_ssl_config = cfg:final();
6293
851fb5e9fa0c core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents: 6165
diff changeset
88
851fb5e9fa0c core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents: 6165
diff changeset
89 if mode == "server" then
851fb5e9fa0c core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents: 6165
diff changeset
90 if not user_ssl_config.key then return nil, "No key present in SSL/TLS configuration for "..host; end
851fb5e9fa0c core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents: 6165
diff changeset
91 if not user_ssl_config.certificate then return nil, "No certificate present in SSL/TLS configuration for "..host; end
6077
6999d4415a58 certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost
Kim Alvefur <zash@zash.se>
parents: 6076
diff changeset
92 end
6999d4415a58 certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost
Kim Alvefur <zash@zash.se>
parents: 6076
diff changeset
93
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
94 for option in pairs(path_options) do
5822
970c666c5586 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5821
diff changeset
95 if type(user_ssl_config[option]) == "string" then
970c666c5586 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5821
diff changeset
96 user_ssl_config[option] = resolve_path(config_path, user_ssl_config[option]);
970c666c5586 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5821
diff changeset
97 end
5816
20e2b588f8c2 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5815
diff changeset
98 end
3355
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
99
5816
20e2b588f8c2 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5815
diff changeset
100 -- LuaSec expects dhparam to be a callback that takes two arguments.
20e2b588f8c2 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5815
diff changeset
101 -- We ignore those because it is mostly used for having a separate
20e2b588f8c2 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5815
diff changeset
102 -- set of params for EXPORT ciphers, which we don't have by default.
5822
970c666c5586 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5821
diff changeset
103 if type(user_ssl_config.dhparam) == "string" then
970c666c5586 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5821
diff changeset
104 local f, err = io_open(user_ssl_config.dhparam);
5816
20e2b588f8c2 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5815
diff changeset
105 if not f then return nil, "Could not open DH parameters: "..err end
20e2b588f8c2 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5815
diff changeset
106 local dhparam = f:read("*a");
20e2b588f8c2 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5815
diff changeset
107 f:close();
5822
970c666c5586 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5821
diff changeset
108 user_ssl_config.dhparam = function() return dhparam; end
5816
20e2b588f8c2 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5815
diff changeset
109 end
20e2b588f8c2 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents: 5815
diff changeset
110
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
111 local ctx, err = ssl_newcontext(user_ssl_config);
4359
c69cbac4178f certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents: 3670
diff changeset
112
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
113 -- COMPAT Older LuaSec ignores the cipher list from the config, so we have to take care
4359
c69cbac4178f certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents: 3670
diff changeset
114 -- of it ourselves (W/A for #x)
c69cbac4178f certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents: 3670
diff changeset
115 if ctx and user_ssl_config.ciphers then
c69cbac4178f certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents: 3670
diff changeset
116 local success;
c69cbac4178f certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents: 3670
diff changeset
117 success, err = ssl.context.setcipher(ctx, user_ssl_config.ciphers);
c69cbac4178f certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents: 3670
diff changeset
118 if not success then ctx = nil; end
c69cbac4178f certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents: 3670
diff changeset
119 end
c69cbac4178f certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents: 3670
diff changeset
120
3355
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
121 if not ctx then
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
122 err = err or "invalid ssl config"
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
123 local file = err:match("^error loading (.-) %(");
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
124 if file then
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
125 if file == "private key" then
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
126 file = user_ssl_config.key or "your private key";
3355
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
127 elseif file == "certificate" then
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
128 file = user_ssl_config.certificate or "your certificate file";
3355
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
129 end
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
130 local reason = err:match("%((.+)%)$") or "some reason";
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
131 if reason == "Permission denied" then
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
132 reason = "Check that the permissions allow Prosody to read this file.";
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
133 elseif reason == "No such file or directory" then
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
134 reason = "Check that the path is correct, and the file exists.";
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
135 elseif reason == "system lib" then
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
136 reason = "Previous error (see logs), or other system error.";
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
137 elseif reason == "(null)" or not reason then
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
138 reason = "Check that the file exists and the permissions are correct";
2630
e8fc67b73820 certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents: 2564
diff changeset
139 else
3355
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
140 reason = "Reason: "..tostring(reason):lower();
2630
e8fc67b73820 certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents: 2564
diff changeset
141 end
4925
55f6e0673e33 certmanager: Add quotes around cert file path when logging.
Waqas Hussain <waqas20@gmail.com>
parents: 4900
diff changeset
142 log("error", "SSL/TLS: Failed to load '%s': %s (for %s)", file, reason, host);
3355
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
143 else
4855
a31ea431d906 certmanager: Adjust error messages to be non-specific about 'host' (so we can specify a service name instead ffor SSL)
Matthew Wild <mwild1@gmail.com>
parents: 4656
diff changeset
144 log("error", "SSL/TLS: Error initialising for %s: %s", host, err);
3355
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents: 2739
diff changeset
145 end
3540
bc139431830b Monster whitespace commit (beware the whitespace monster).
Waqas Hussain <waqas20@gmail.com>
parents: 3402
diff changeset
146 end
6526
873538f0b18c certmanager, mod_tls: Return final ssl config as third return value (fix for c6caaa440e74, portmanager assumes non-falsy second return value is an error) (thanks deoren)
Kim Alvefur <zash@zash.se>
parents: 6520
diff changeset
147 return ctx, err, user_ssl_config;
2554
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
148 end
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
149
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
150 function reload_ssl_config()
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
151 global_ssl_config = configmanager.get("*", "ssl");
6080
b7d1607df87d certmanager: Update ssl_compression when config is reloaded
Kim Alvefur <zash@zash.se>
parents: 6079
diff changeset
152 if luasec_has_no_compression then
b7d1607df87d certmanager: Update ssl_compression when config is reloaded
Kim Alvefur <zash@zash.se>
parents: 6079
diff changeset
153 core_defaults.options.no_compression = configmanager.get("*", "ssl_compression") ~= true;
b7d1607df87d certmanager: Update ssl_compression when config is reloaded
Kim Alvefur <zash@zash.se>
parents: 6079
diff changeset
154 end
2554
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
155 end
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
156
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
157 prosody.events.add_handler("config-reloaded", reload_ssl_config);
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
158
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
159 return _M;