Software / code / prosody
Annotate
core/certmanager.lua @ 12763:d26eefe98d09
util.dbuffer: Add efficient shortcuts for discard() in certain cases
If the buffer is already empty, nothing to do. If we're throwing away the
whole buffer, we can just empty it and avoid read_chunk() (which in turn
may collapse()). These shortcuts are much more efficient.
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Tue, 11 Oct 2022 11:37:55 +0100 |
| parent | 12508:e6cfd0a6f0da |
| child | 12972:ead41e25ebc0 |
| rev | line source |
|---|---|
|
3369
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
1 -- Prosody IM |
|
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
2 -- Copyright (C) 2008-2010 Matthew Wild |
|
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
3 -- Copyright (C) 2008-2010 Waqas Hussain |
|
5776
bd0ff8ae98a8
Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
5746
diff
changeset
|
4 -- |
|
3369
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
5 -- This project is MIT/X11 licensed. Please see the |
|
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
6 -- COPYING file in the source package for more information. |
|
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
7 -- |
|
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
8 |
|
12331
49739369dcad
core.certmanager: Turn soft dependency on LuaSec into a hard
Kim Alvefur <zash@zash.se>
parents:
12287
diff
changeset
|
9 local ssl = require "ssl"; |
|
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
10 local configmanager = require "core.configmanager"; |
|
2630
e8fc67b73820
certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
11 local log = require "util.logger".init("certmanager"); |
|
6564
bcf32653cab7
certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents:
6547
diff
changeset
|
12 local ssl_newcontext = ssl.newcontext; |
|
12481
2ee27587fec7
net: refactor sslconfig to not depend on LuaSec
Jonas Schäfer <jonas@wielicki.name>
parents:
12480
diff
changeset
|
13 local new_config = require"net.server".tls_builder; |
|
7122
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
14 local stat = require "lfs".attributes; |
|
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
15 |
|
11532
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
16 local x509 = require "util.x509"; |
|
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
17 local lfs = require "lfs"; |
|
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
18 |
|
7160
5c1ee8c06235
certmanager: Localize tonumber
Matthew Wild <mwild1@gmail.com>
parents:
7145
diff
changeset
|
19 local tonumber, tostring = tonumber, tostring; |
|
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
20 local pairs = pairs; |
|
8404
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8403
diff
changeset
|
21 local t_remove = table.remove; |
|
5820
6bc4077bc1f9
certmanager: Fix dhparam callback, missing imports (Testing, pfft)
Kim Alvefur <zash@zash.se>
parents:
5816
diff
changeset
|
22 local type = type; |
|
6bc4077bc1f9
certmanager: Fix dhparam callback, missing imports (Testing, pfft)
Kim Alvefur <zash@zash.se>
parents:
5816
diff
changeset
|
23 local io_open = io.open; |
|
6294
0033b021038f
core.certmanager: Make create_context() support an arbitrary number of option sets, merging all
Kim Alvefur <zash@zash.se>
parents:
6293
diff
changeset
|
24 local select = select; |
|
11532
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
25 local now = os.time; |
|
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
26 local next = next; |
|
11538
30feeb4d9d0b
core.certmanager: Catch error from lfs
Kim Alvefur <zash@zash.se>
parents:
11537
diff
changeset
|
27 local pcall = pcall; |
|
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
28 |
|
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
29 local prosody = prosody; |
|
11533
f97592336399
core.certmanager: Join paths with OS-aware util.paths function
Kim Alvefur <zash@zash.se>
parents:
11532
diff
changeset
|
30 local pathutil = require"util.paths"; |
|
f97592336399
core.certmanager: Join paths with OS-aware util.paths function
Kim Alvefur <zash@zash.se>
parents:
11532
diff
changeset
|
31 local resolve_path = pathutil.resolve_relative_path; |
|
7531
2db68d1a6eeb
certmanager: Assume default config path of '.' (fixes prosodyctl check certs when not installed)
Kim Alvefur <zash@zash.se>
parents:
7319
diff
changeset
|
32 local config_path = prosody.paths.config or "."; |
|
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
33 |
|
11549
5a484bd050a7
core.certmanager: Test for SSL options in absence of LuaSec config
Kim Alvefur <zash@zash.se>
parents:
11548
diff
changeset
|
34 local function test_option(option) |
|
5a484bd050a7
core.certmanager: Test for SSL options in absence of LuaSec config
Kim Alvefur <zash@zash.se>
parents:
11548
diff
changeset
|
35 return not not ssl_newcontext({mode="server",protocol="sslv23",options={ option }}); |
|
5a484bd050a7
core.certmanager: Test for SSL options in absence of LuaSec config
Kim Alvefur <zash@zash.se>
parents:
11548
diff
changeset
|
36 end |
|
5a484bd050a7
core.certmanager: Test for SSL options in absence of LuaSec config
Kim Alvefur <zash@zash.se>
parents:
11548
diff
changeset
|
37 |
|
6564
bcf32653cab7
certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents:
6547
diff
changeset
|
38 local luasec_major, luasec_minor = ssl._VERSION:match("^(%d+)%.(%d+)"); |
|
7319
afa83f3ccaad
certmanager: Explicitly tonumber() version number segments before doing arithmetic and avoid relying on implicit coercion (thanks David Favro)
Matthew Wild <mwild1@gmail.com>
parents:
7160
diff
changeset
|
39 local luasec_version = tonumber(luasec_major) * 100 + tonumber(luasec_minor); |
|
12331
49739369dcad
core.certmanager: Turn soft dependency on LuaSec into a hard
Kim Alvefur <zash@zash.se>
parents:
12287
diff
changeset
|
40 local luasec_has = ssl.config or { |
|
8403
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8279
diff
changeset
|
41 algorithms = { |
|
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8279
diff
changeset
|
42 ec = luasec_version >= 5; |
|
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8279
diff
changeset
|
43 }; |
|
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8279
diff
changeset
|
44 capabilities = { |
|
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8279
diff
changeset
|
45 curves_list = luasec_version >= 7; |
|
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8279
diff
changeset
|
46 }; |
|
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8279
diff
changeset
|
47 options = { |
|
11549
5a484bd050a7
core.certmanager: Test for SSL options in absence of LuaSec config
Kim Alvefur <zash@zash.se>
parents:
11548
diff
changeset
|
48 cipher_server_preference = test_option("cipher_server_preference"); |
|
5a484bd050a7
core.certmanager: Test for SSL options in absence of LuaSec config
Kim Alvefur <zash@zash.se>
parents:
11548
diff
changeset
|
49 no_ticket = test_option("no_ticket"); |
|
5a484bd050a7
core.certmanager: Test for SSL options in absence of LuaSec config
Kim Alvefur <zash@zash.se>
parents:
11548
diff
changeset
|
50 no_compression = test_option("no_compression"); |
|
5a484bd050a7
core.certmanager: Test for SSL options in absence of LuaSec config
Kim Alvefur <zash@zash.se>
parents:
11548
diff
changeset
|
51 single_dh_use = test_option("single_dh_use"); |
|
5a484bd050a7
core.certmanager: Test for SSL options in absence of LuaSec config
Kim Alvefur <zash@zash.se>
parents:
11548
diff
changeset
|
52 single_ecdh_use = test_option("single_ecdh_use"); |
|
11551
aaf9c6b6d18d
certmanager: Disable renegotiation by default
Matthew Wild <mwild1@gmail.com>
parents:
11549
diff
changeset
|
53 no_renegotiation = test_option("no_renegotiation"); |
|
8403
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8279
diff
changeset
|
54 }; |
|
6566
1f396f0fe832
certmanager: Improve "detection" of features that depend on LuaSec version
Kim Alvefur <zash@zash.se>
parents:
6565
diff
changeset
|
55 }; |
|
4899
0b8134015635
certmanager: Don't use no_ticket option before LuaSec 0.4
Matthew Wild <mwild1@gmail.com>
parents:
4890
diff
changeset
|
56 |
|
6779
6236668da30a
core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents:
6570
diff
changeset
|
57 local _ENV = nil; |
|
8555
4f0f5b49bb03
vairious: Add annotation when an empty environment is set [luacheck]
Kim Alvefur <zash@zash.se>
parents:
8494
diff
changeset
|
58 -- luacheck: std none |
|
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
59 |
|
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
60 -- Global SSL options if not overridden per-host |
|
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
61 local global_ssl_config = configmanager.get("*", "ssl"); |
|
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
62 |
|
7122
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
63 local global_certificates = configmanager.get("*", "certificates") or "certs"; |
|
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
64 |
|
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
65 local crt_try = { "", "/%s.crt", "/%s/fullchain.pem", "/%s.pem", }; |
|
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
66 local key_try = { "", "/%s.key", "/%s/privkey.pem", "/%s.pem", }; |
|
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
67 |
|
7140
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
68 local function find_cert(user_certs, name) |
|
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
69 local certs = resolve_path(config_path, user_certs or global_certificates); |
|
8259
db063671b73e
certmanager: Add debug logging (thanks av6)
Matthew Wild <mwild1@gmail.com>
parents:
8159
diff
changeset
|
70 log("debug", "Searching %s for a key and certificate for %s...", certs, name); |
|
7122
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
71 for i = 1, #crt_try do |
|
7140
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
72 local crt_path = certs .. crt_try[i]:format(name); |
|
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
73 local key_path = certs .. key_try[i]:format(name); |
|
7122
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
74 |
|
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
75 if stat(crt_path, "mode") == "file" then |
|
10709
fcf7f50ccdd0
core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents:
8828
diff
changeset
|
76 if crt_path == key_path then |
|
fcf7f50ccdd0
core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents:
8828
diff
changeset
|
77 if key_path:sub(-4) == ".crt" then |
|
fcf7f50ccdd0
core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents:
8828
diff
changeset
|
78 key_path = key_path:sub(1, -4) .. "key"; |
|
11531
2bd91d4a0fcf
core.certmanager: Check for complete filename
Kim Alvefur <zash@zash.se>
parents:
11368
diff
changeset
|
79 elseif key_path:sub(-14) == "/fullchain.pem" then |
|
10709
fcf7f50ccdd0
core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents:
8828
diff
changeset
|
80 key_path = key_path:sub(1, -14) .. "privkey.pem"; |
|
7122
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
81 end |
|
10709
fcf7f50ccdd0
core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents:
8828
diff
changeset
|
82 end |
|
fcf7f50ccdd0
core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents:
8828
diff
changeset
|
83 |
|
fcf7f50ccdd0
core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents:
8828
diff
changeset
|
84 if stat(key_path, "mode") == "file" then |
|
8259
db063671b73e
certmanager: Add debug logging (thanks av6)
Matthew Wild <mwild1@gmail.com>
parents:
8159
diff
changeset
|
85 log("debug", "Selecting certificate %s with key %s for %s", crt_path, key_path, name); |
|
7145
b1a109858502
certmanager: Try filename.key if certificate is set to a full filename ending with .crt
Kim Alvefur <zash@zash.se>
parents:
7144
diff
changeset
|
86 return { certificate = crt_path, key = key_path }; |
|
7122
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
87 end |
|
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
88 end |
|
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
89 end |
|
8259
db063671b73e
certmanager: Add debug logging (thanks av6)
Matthew Wild <mwild1@gmail.com>
parents:
8159
diff
changeset
|
90 log("debug", "No certificate/key found for %s", name); |
|
7122
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
91 end |
|
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6903
diff
changeset
|
92 |
|
11534
1cef62ca3e03
core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents:
11533
diff
changeset
|
93 local function find_matching_key(cert_path) |
|
12287
5cd075ed4fd3
core.certmanager: Relax certificate filename check #1713
Kim Alvefur <zash@zash.se>
parents:
12197
diff
changeset
|
94 return (cert_path:gsub("%.crt$", ".key"):gsub("fullchain", "privkey")); |
|
11534
1cef62ca3e03
core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents:
11533
diff
changeset
|
95 end |
|
1cef62ca3e03
core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents:
11533
diff
changeset
|
96 |
|
11532
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
97 local function index_certs(dir, files_by_name, depth_limit) |
|
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
98 files_by_name = files_by_name or {}; |
|
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
99 depth_limit = depth_limit or 3; |
|
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
100 if depth_limit <= 0 then return files_by_name; end |
|
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
101 |
|
11538
30feeb4d9d0b
core.certmanager: Catch error from lfs
Kim Alvefur <zash@zash.se>
parents:
11537
diff
changeset
|
102 local ok, iter, v, i = pcall(lfs.dir, dir); |
|
30feeb4d9d0b
core.certmanager: Catch error from lfs
Kim Alvefur <zash@zash.se>
parents:
11537
diff
changeset
|
103 if not ok then |
|
30feeb4d9d0b
core.certmanager: Catch error from lfs
Kim Alvefur <zash@zash.se>
parents:
11537
diff
changeset
|
104 log("error", "Error indexing certificate directory %s: %s", dir, iter); |
|
30feeb4d9d0b
core.certmanager: Catch error from lfs
Kim Alvefur <zash@zash.se>
parents:
11537
diff
changeset
|
105 -- Return an empty index, otherwise this just triggers a nil indexing |
|
30feeb4d9d0b
core.certmanager: Catch error from lfs
Kim Alvefur <zash@zash.se>
parents:
11537
diff
changeset
|
106 -- error, plus this function would get called again. |
|
30feeb4d9d0b
core.certmanager: Catch error from lfs
Kim Alvefur <zash@zash.se>
parents:
11537
diff
changeset
|
107 -- Reloading the config after correcting the problem calls this again so |
|
30feeb4d9d0b
core.certmanager: Catch error from lfs
Kim Alvefur <zash@zash.se>
parents:
11537
diff
changeset
|
108 -- that's what should be done. |
|
30feeb4d9d0b
core.certmanager: Catch error from lfs
Kim Alvefur <zash@zash.se>
parents:
11537
diff
changeset
|
109 return {}, iter; |
|
30feeb4d9d0b
core.certmanager: Catch error from lfs
Kim Alvefur <zash@zash.se>
parents:
11537
diff
changeset
|
110 end |
|
30feeb4d9d0b
core.certmanager: Catch error from lfs
Kim Alvefur <zash@zash.se>
parents:
11537
diff
changeset
|
111 for file in iter, v, i do |
|
11533
f97592336399
core.certmanager: Join paths with OS-aware util.paths function
Kim Alvefur <zash@zash.se>
parents:
11532
diff
changeset
|
112 local full = pathutil.join(dir, file); |
|
11532
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
113 if lfs.attributes(full, "mode") == "directory" then |
|
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
114 if file:sub(1,1) ~= "." then |
|
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
115 index_certs(full, files_by_name, depth_limit-1); |
|
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
116 end |
|
12287
5cd075ed4fd3
core.certmanager: Relax certificate filename check #1713
Kim Alvefur <zash@zash.se>
parents:
12197
diff
changeset
|
117 elseif file:find("%.crt$") or file:find("fullchain") then -- This should catch most fullchain files |
|
11532
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
118 local f = io_open(full); |
|
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
119 if f then |
|
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
120 -- TODO look for chained certificates |
|
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
121 local firstline = f:read(); |
|
12305
f8b8061461e3
core.certmanager: Ensure key exists for fullchain
Kim Alvefur <zash@zash.se>
parents:
12287
diff
changeset
|
122 if firstline == "-----BEGIN CERTIFICATE-----" and lfs.attributes(find_matching_key(full), "mode") == "file" then |
|
11532
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
123 f:seek("set") |
|
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
124 local cert = ssl.loadcertificate(f:read("*a")) |
|
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
125 -- TODO if more than one cert is found for a name, the most recently |
|
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
126 -- issued one should be used. |
|
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
127 -- for now, just filter out expired certs |
|
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
128 -- TODO also check if there's a corresponding key |
|
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
129 if cert:validat(now()) then |
|
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
130 local names = x509.get_identities(cert); |
|
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
131 log("debug", "Found certificate %s with identities %q", full, names); |
|
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
132 for name, services in pairs(names) do |
|
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
133 -- TODO check services |
|
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
134 if files_by_name[name] then |
|
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
135 files_by_name[name][full] = services; |
|
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
136 else |
|
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
137 files_by_name[name] = { [full] = services; }; |
|
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
138 end |
|
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
139 end |
|
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
140 end |
|
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
141 end |
|
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
142 f:close(); |
|
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
143 end |
|
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
144 end |
|
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
145 end |
|
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
146 log("debug", "Certificate index: %q", files_by_name); |
|
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
147 -- | hostname | filename | service | |
|
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
148 return files_by_name; |
|
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
149 end |
|
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
150 |
|
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
151 local cert_index; |
|
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
152 |
|
12104
29765ac7f72f
prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents:
12099
diff
changeset
|
153 local function find_cert_in_index(index, host) |
|
7140
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
154 if not host then return nil; end |
|
12104
29765ac7f72f
prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents:
12099
diff
changeset
|
155 if not index then return nil; end |
|
12105
47c9a76cce7d
core.certmanager: Check index for wildcard certs
Kim Alvefur <zash@zash.se>
parents:
12104
diff
changeset
|
156 local wildcard_host = host:gsub("^[^.]+%.", "*."); |
|
47c9a76cce7d
core.certmanager: Check index for wildcard certs
Kim Alvefur <zash@zash.se>
parents:
12104
diff
changeset
|
157 local certs = index[host] or index[wildcard_host]; |
|
11532
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
158 if certs then |
|
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
159 local cert_filename, services = next(certs); |
|
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
160 if services["*"] then |
|
12507
e242a6e74424
core.certmanager: Expand debug messages about cert lookups in index
Kim Alvefur <zash@zash.se>
parents:
12362
diff
changeset
|
161 log("debug", "Using cert %q from index for host %q", cert_filename, host); |
|
11534
1cef62ca3e03
core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents:
11533
diff
changeset
|
162 return { |
|
1cef62ca3e03
core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents:
11533
diff
changeset
|
163 certificate = cert_filename, |
|
1cef62ca3e03
core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents:
11533
diff
changeset
|
164 key = find_matching_key(cert_filename), |
|
1cef62ca3e03
core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents:
11533
diff
changeset
|
165 } |
|
11532
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
166 end |
|
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
167 end |
|
12104
29765ac7f72f
prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents:
12099
diff
changeset
|
168 return nil |
|
29765ac7f72f
prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents:
12099
diff
changeset
|
169 end |
|
11532
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
170 |
|
12104
29765ac7f72f
prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents:
12099
diff
changeset
|
171 local function find_host_cert(host) |
|
29765ac7f72f
prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents:
12099
diff
changeset
|
172 if not host then return nil; end |
|
29765ac7f72f
prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents:
12099
diff
changeset
|
173 if not cert_index then |
|
29765ac7f72f
prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents:
12099
diff
changeset
|
174 cert_index = index_certs(resolve_path(config_path, global_certificates)); |
|
29765ac7f72f
prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents:
12099
diff
changeset
|
175 end |
|
29765ac7f72f
prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents:
12099
diff
changeset
|
176 |
|
29765ac7f72f
prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents:
12099
diff
changeset
|
177 return find_cert_in_index(cert_index, host) or find_cert(configmanager.get(host, "certificate"), host) or find_host_cert(host:match("%.(.+)$")); |
|
7140
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
178 end |
|
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
179 |
|
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
180 local function find_service_cert(service, port) |
|
11532
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
181 if not cert_index then |
|
11537
a09685a7b330
core.certmanager: Resolve certs path relative to config dir
Kim Alvefur <zash@zash.se>
parents:
11534
diff
changeset
|
182 cert_index = index_certs(resolve_path(config_path, global_certificates)); |
|
11532
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
183 end |
|
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
184 for _, certs in pairs(cert_index) do |
|
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
185 for cert_filename, services in pairs(certs) do |
|
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
186 if services[service] or services["*"] then |
|
12507
e242a6e74424
core.certmanager: Expand debug messages about cert lookups in index
Kim Alvefur <zash@zash.se>
parents:
12362
diff
changeset
|
187 log("debug", "Using cert %q from index for service %s port %d", cert_filename, service, port); |
|
11534
1cef62ca3e03
core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents:
11533
diff
changeset
|
188 return { |
|
1cef62ca3e03
core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents:
11533
diff
changeset
|
189 certificate = cert_filename, |
|
1cef62ca3e03
core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents:
11533
diff
changeset
|
190 key = find_matching_key(cert_filename), |
|
1cef62ca3e03
core.certmanager: Skip directly to guessing of key from cert filename
Kim Alvefur <zash@zash.se>
parents:
11533
diff
changeset
|
191 } |
|
11532
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
192 end |
|
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
193 end |
|
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
194 end |
|
7140
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
195 local cert_config = configmanager.get("*", service.."_certificate"); |
|
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
196 if type(cert_config) == "table" then |
|
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
197 cert_config = cert_config[port] or cert_config.default; |
|
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
198 end |
|
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
199 return find_cert(cert_config, service); |
|
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
200 end |
|
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
201 |
|
6079
5cffee5b2826
certmanager: Reformat core ssl defaults
Kim Alvefur <zash@zash.se>
parents:
6078
diff
changeset
|
202 -- Built-in defaults |
|
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
203 local core_defaults = { |
|
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
204 capath = "/etc/ssl/certs"; |
|
6568
b54b33f59c6e
certmanager: Limit certificate chain depth to 9
Kim Alvefur <zash@zash.se>
parents:
6567
diff
changeset
|
205 depth = 9; |
|
6078
30ac122acdd3
certmanager: Support ssl.protocol syntax like "tlsv1+" that disables older protocols
Kim Alvefur <zash@zash.se>
parents:
6077
diff
changeset
|
206 protocol = "tlsv1+"; |
|
9852
6ea3cafb6ac3
core.certmanager: Do not ask for client certificates by default
Kim Alvefur <zash@zash.se>
parents:
8828
diff
changeset
|
207 verify = "none"; |
|
6079
5cffee5b2826
certmanager: Reformat core ssl defaults
Kim Alvefur <zash@zash.se>
parents:
6078
diff
changeset
|
208 options = { |
|
8403
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8279
diff
changeset
|
209 cipher_server_preference = luasec_has.options.cipher_server_preference; |
|
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8279
diff
changeset
|
210 no_ticket = luasec_has.options.no_ticket; |
|
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8279
diff
changeset
|
211 no_compression = luasec_has.options.no_compression and configmanager.get("*", "ssl_compression") ~= true; |
|
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8279
diff
changeset
|
212 single_dh_use = luasec_has.options.single_dh_use; |
|
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8279
diff
changeset
|
213 single_ecdh_use = luasec_has.options.single_ecdh_use; |
|
11551
aaf9c6b6d18d
certmanager: Disable renegotiation by default
Matthew Wild <mwild1@gmail.com>
parents:
11549
diff
changeset
|
214 no_renegotiation = luasec_has.options.no_renegotiation; |
|
6079
5cffee5b2826
certmanager: Reformat core ssl defaults
Kim Alvefur <zash@zash.se>
parents:
6078
diff
changeset
|
215 }; |
|
11368
0bc3acf37428
core.certmanager: Add comments explaining the 'verifyext' TLS settings
Kim Alvefur <zash@zash.se>
parents:
10919
diff
changeset
|
216 verifyext = { |
|
0bc3acf37428
core.certmanager: Add comments explaining the 'verifyext' TLS settings
Kim Alvefur <zash@zash.se>
parents:
10919
diff
changeset
|
217 "lsec_continue", -- Continue past certificate verification errors |
|
0bc3acf37428
core.certmanager: Add comments explaining the 'verifyext' TLS settings
Kim Alvefur <zash@zash.se>
parents:
10919
diff
changeset
|
218 "lsec_ignore_purpose", -- Validate client certificates as if they were server certificates |
|
0bc3acf37428
core.certmanager: Add comments explaining the 'verifyext' TLS settings
Kim Alvefur <zash@zash.se>
parents:
10919
diff
changeset
|
219 }; |
|
8405
a3cf899fd61b
certmanager: Set single curve conditioned on LuaSec advertising EC crypto support
Kim Alvefur <zash@zash.se>
parents:
8404
diff
changeset
|
220 curve = luasec_has.algorithms.ec and not luasec_has.capabilities.curves_list and "secp384r1"; |
|
8279
92cddfe65003
core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents:
8274
diff
changeset
|
221 curveslist = { |
|
92cddfe65003
core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents:
8274
diff
changeset
|
222 "X25519", |
|
92cddfe65003
core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents:
8274
diff
changeset
|
223 "P-384", |
|
92cddfe65003
core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents:
8274
diff
changeset
|
224 "P-256", |
|
92cddfe65003
core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents:
8274
diff
changeset
|
225 "P-521", |
|
92cddfe65003
core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents:
8274
diff
changeset
|
226 }; |
|
7663
54424e981796
core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents:
7531
diff
changeset
|
227 ciphers = { -- Enabled ciphers in order of preference: |
|
10721
3a1b1d3084fb
core.certmanager: Move EECDH ciphers before EDH in default cipherstring (fixes #1513)
Kim Alvefur <zash@zash.se>
parents:
10709
diff
changeset
|
228 "HIGH+kEECDH", -- Ephemeral Elliptic curve Diffie-Hellman key exchange |
|
7663
54424e981796
core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents:
7531
diff
changeset
|
229 "HIGH+kEDH", -- Ephemeral Diffie-Hellman key exchange, if a 'dhparam' file is set |
|
54424e981796
core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents:
7531
diff
changeset
|
230 "HIGH", -- Other "High strength" ciphers |
|
54424e981796
core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents:
7531
diff
changeset
|
231 -- Disabled cipher suites: |
|
54424e981796
core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents:
7531
diff
changeset
|
232 "!PSK", -- Pre-Shared Key - not used for XMPP |
|
54424e981796
core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents:
7531
diff
changeset
|
233 "!SRP", -- Secure Remote Password - not used for XMPP |
|
54424e981796
core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents:
7531
diff
changeset
|
234 "!3DES", -- 3DES - slow and of questionable security |
|
54424e981796
core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents:
7531
diff
changeset
|
235 "!aNULL", -- Ciphers that does not authenticate the connection |
|
54424e981796
core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents:
7531
diff
changeset
|
236 }; |
|
12150
653a48b5a25b
core.certmanager: Disable DANE name checks (not needed for XMPP)
Kim Alvefur <zash@zash.se>
parents:
12120
diff
changeset
|
237 dane = luasec_has.capabilities.dane and configmanager.get("*", "use_dane") and { "no_ee_namechecks" }; |
|
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
238 } |
|
8404
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8403
diff
changeset
|
239 |
|
12096
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
240 local mozilla_ssl_configs = { |
|
12097
9c794d5f6f8d
core.certmanager: Add TLS 1.3 cipher suites to Mozilla TLS presets
Kim Alvefur <zash@zash.se>
parents:
12096
diff
changeset
|
241 -- https://wiki.mozilla.org/Security/Server_Side_TLS |
|
12120
0fcd80a55f15
core.certmanager: Add curveslist to 'old' Mozilla TLS preset
Kim Alvefur <zash@zash.se>
parents:
12105
diff
changeset
|
242 -- Version 5.6 as of 2021-12-26 |
|
12096
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
243 modern = { |
|
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
244 protocol = "tlsv1_3"; |
|
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
245 options = { cipher_server_preference = false }; |
|
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
246 ciphers = "DEFAULT"; -- TLS 1.3 uses 'ciphersuites' rather than these |
|
12097
9c794d5f6f8d
core.certmanager: Add TLS 1.3 cipher suites to Mozilla TLS presets
Kim Alvefur <zash@zash.se>
parents:
12096
diff
changeset
|
247 curveslist = { "X25519"; "prime256v1"; "secp384r1" }; |
|
9c794d5f6f8d
core.certmanager: Add TLS 1.3 cipher suites to Mozilla TLS presets
Kim Alvefur <zash@zash.se>
parents:
12096
diff
changeset
|
248 ciphersuites = { "TLS_AES_128_GCM_SHA256"; "TLS_AES_256_GCM_SHA384"; "TLS_CHACHA20_POLY1305_SHA256" }; |
|
12096
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
249 }; |
|
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
250 intermediate = { |
|
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
251 protocol = "tlsv1_2+"; |
|
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
252 dhparam = nil; -- ffdhe2048.txt |
|
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
253 options = { cipher_server_preference = false }; |
|
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
254 ciphers = { |
|
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
255 "ECDHE-ECDSA-AES128-GCM-SHA256"; |
|
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
256 "ECDHE-RSA-AES128-GCM-SHA256"; |
|
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
257 "ECDHE-ECDSA-AES256-GCM-SHA384"; |
|
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
258 "ECDHE-RSA-AES256-GCM-SHA384"; |
|
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
259 "ECDHE-ECDSA-CHACHA20-POLY1305"; |
|
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
260 "ECDHE-RSA-CHACHA20-POLY1305"; |
|
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
261 "DHE-RSA-AES128-GCM-SHA256"; |
|
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
262 "DHE-RSA-AES256-GCM-SHA384"; |
|
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
263 }; |
|
12097
9c794d5f6f8d
core.certmanager: Add TLS 1.3 cipher suites to Mozilla TLS presets
Kim Alvefur <zash@zash.se>
parents:
12096
diff
changeset
|
264 curveslist = { "X25519"; "prime256v1"; "secp384r1" }; |
|
9c794d5f6f8d
core.certmanager: Add TLS 1.3 cipher suites to Mozilla TLS presets
Kim Alvefur <zash@zash.se>
parents:
12096
diff
changeset
|
265 ciphersuites = { "TLS_AES_128_GCM_SHA256"; "TLS_AES_256_GCM_SHA384"; "TLS_CHACHA20_POLY1305_SHA256" }; |
|
12096
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
266 }; |
|
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
267 old = { |
|
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
268 protocol = "tlsv1+"; |
|
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
269 dhparam = nil; -- openssl dhparam 1024 |
|
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
270 options = { cipher_server_preference = true }; |
|
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
271 ciphers = { |
|
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
272 "ECDHE-ECDSA-AES128-GCM-SHA256"; |
|
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
273 "ECDHE-RSA-AES128-GCM-SHA256"; |
|
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
274 "ECDHE-ECDSA-AES256-GCM-SHA384"; |
|
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
275 "ECDHE-RSA-AES256-GCM-SHA384"; |
|
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
276 "ECDHE-ECDSA-CHACHA20-POLY1305"; |
|
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
277 "ECDHE-RSA-CHACHA20-POLY1305"; |
|
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
278 "DHE-RSA-AES128-GCM-SHA256"; |
|
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
279 "DHE-RSA-AES256-GCM-SHA384"; |
|
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
280 "DHE-RSA-CHACHA20-POLY1305"; |
|
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
281 "ECDHE-ECDSA-AES128-SHA256"; |
|
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
282 "ECDHE-RSA-AES128-SHA256"; |
|
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
283 "ECDHE-ECDSA-AES128-SHA"; |
|
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
284 "ECDHE-RSA-AES128-SHA"; |
|
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
285 "ECDHE-ECDSA-AES256-SHA384"; |
|
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
286 "ECDHE-RSA-AES256-SHA384"; |
|
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
287 "ECDHE-ECDSA-AES256-SHA"; |
|
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
288 "ECDHE-RSA-AES256-SHA"; |
|
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
289 "DHE-RSA-AES128-SHA256"; |
|
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
290 "DHE-RSA-AES256-SHA256"; |
|
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
291 "AES128-GCM-SHA256"; |
|
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
292 "AES256-GCM-SHA384"; |
|
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
293 "AES128-SHA256"; |
|
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
294 "AES256-SHA256"; |
|
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
295 "AES128-SHA"; |
|
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
296 "AES256-SHA"; |
|
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
297 "DES-CBC3-SHA"; |
|
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
298 }; |
|
12120
0fcd80a55f15
core.certmanager: Add curveslist to 'old' Mozilla TLS preset
Kim Alvefur <zash@zash.se>
parents:
12105
diff
changeset
|
299 curveslist = { "X25519"; "prime256v1"; "secp384r1" }; |
|
12097
9c794d5f6f8d
core.certmanager: Add TLS 1.3 cipher suites to Mozilla TLS presets
Kim Alvefur <zash@zash.se>
parents:
12096
diff
changeset
|
300 ciphersuites = { "TLS_AES_128_GCM_SHA256"; "TLS_AES_256_GCM_SHA384"; "TLS_CHACHA20_POLY1305_SHA256" }; |
|
12096
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
301 }; |
|
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
302 }; |
|
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
303 |
|
dfb29b5b0a57
core.certmanager: Presets based on Mozilla SSL Configuration Generator
Kim Alvefur <zash@zash.se>
parents:
11709
diff
changeset
|
304 |
|
8404
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8403
diff
changeset
|
305 if luasec_has.curves then |
|
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8403
diff
changeset
|
306 for i = #core_defaults.curveslist, 1, -1 do |
|
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8403
diff
changeset
|
307 if not luasec_has.curves[ core_defaults.curveslist[i] ] then |
|
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8403
diff
changeset
|
308 t_remove(core_defaults.curveslist, i); |
|
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8403
diff
changeset
|
309 end |
|
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8403
diff
changeset
|
310 end |
|
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8403
diff
changeset
|
311 else |
|
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8403
diff
changeset
|
312 core_defaults.curveslist = nil; |
|
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8403
diff
changeset
|
313 end |
|
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8403
diff
changeset
|
314 |
|
6779
6236668da30a
core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents:
6570
diff
changeset
|
315 local function create_context(host, mode, ...) |
|
6293
851fb5e9fa0c
core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents:
6165
diff
changeset
|
316 local cfg = new_config(); |
|
851fb5e9fa0c
core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents:
6165
diff
changeset
|
317 cfg:apply(core_defaults); |
|
8827
1a29b56a2d63
core.certmanager: Allow all non-whitespace in service name (fixes #1019)
Kim Alvefur <zash@zash.se>
parents:
8494
diff
changeset
|
318 local service_name, port = host:match("^(%S+) port (%d+)$"); |
|
11591
e7a964572f6b
core.certmanager: Skip service certificate lookup for https client
Kim Alvefur <zash@zash.se>
parents:
11560
diff
changeset
|
319 -- port 0 is used with client-only things that normally don't need certificates, e.g. https |
|
e7a964572f6b
core.certmanager: Skip service certificate lookup for https client
Kim Alvefur <zash@zash.se>
parents:
11560
diff
changeset
|
320 if service_name and port ~= "0" then |
|
11532
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
321 log("debug", "Automatically locating certs for service %s on port %s", service_name, port); |
|
7140
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
322 cfg:apply(find_service_cert(service_name, tonumber(port))); |
|
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
323 else |
|
11532
c0c859425c22
core.certmanager: Build an index over certificates
Kim Alvefur <zash@zash.se>
parents:
11531
diff
changeset
|
324 log("debug", "Automatically locating certs for host %s", host); |
|
7140
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
325 cfg:apply(find_host_cert(host)); |
|
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7122
diff
changeset
|
326 end |
|
6293
851fb5e9fa0c
core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents:
6165
diff
changeset
|
327 cfg:apply({ |
|
851fb5e9fa0c
core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents:
6165
diff
changeset
|
328 mode = mode, |
|
851fb5e9fa0c
core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents:
6165
diff
changeset
|
329 -- We can't read the password interactively when daemonized |
|
851fb5e9fa0c
core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents:
6165
diff
changeset
|
330 password = function() log("error", "Encrypted certificate for %s requires 'ssl' 'password' to be set in config", host); end; |
|
851fb5e9fa0c
core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents:
6165
diff
changeset
|
331 }); |
|
12197
95d25e620dc2
core.certmanager: Use 'tls_profile' instead of 'tls_preset' to match documentation
Kim Alvefur <zash@zash.se>
parents:
12196
diff
changeset
|
332 local profile = configmanager.get("*", "tls_profile") or "intermediate"; |
|
95d25e620dc2
core.certmanager: Use 'tls_profile' instead of 'tls_preset' to match documentation
Kim Alvefur <zash@zash.se>
parents:
12196
diff
changeset
|
333 if profile ~= "legacy" then |
|
95d25e620dc2
core.certmanager: Use 'tls_profile' instead of 'tls_preset' to match documentation
Kim Alvefur <zash@zash.se>
parents:
12196
diff
changeset
|
334 cfg:apply(mozilla_ssl_configs[profile]); |
|
12098
9591b838e3b0
core.certmanager: Add "legacy" preset for keeping previous default settings
Kim Alvefur <zash@zash.se>
parents:
12097
diff
changeset
|
335 end |
|
12196
b05e0b422ff7
core.certmanager: Apply TLS preset before global settings (thanks Menel)
Kim Alvefur <zash@zash.se>
parents:
12150
diff
changeset
|
336 cfg:apply(global_ssl_config); |
|
6076
e0713386319a
certmanager: Wrap long line and add comment
Kim Alvefur <zash@zash.se>
parents:
6075
diff
changeset
|
337 |
|
6294
0033b021038f
core.certmanager: Make create_context() support an arbitrary number of option sets, merging all
Kim Alvefur <zash@zash.se>
parents:
6293
diff
changeset
|
338 for i = select('#', ...), 1, -1 do |
|
0033b021038f
core.certmanager: Make create_context() support an arbitrary number of option sets, merging all
Kim Alvefur <zash@zash.se>
parents:
6293
diff
changeset
|
339 cfg:apply(select(i, ...)); |
|
0033b021038f
core.certmanager: Make create_context() support an arbitrary number of option sets, merging all
Kim Alvefur <zash@zash.se>
parents:
6293
diff
changeset
|
340 end |
|
0033b021038f
core.certmanager: Make create_context() support an arbitrary number of option sets, merging all
Kim Alvefur <zash@zash.se>
parents:
6293
diff
changeset
|
341 local user_ssl_config = cfg:final(); |
|
6293
851fb5e9fa0c
core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents:
6165
diff
changeset
|
342 |
|
851fb5e9fa0c
core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents:
6165
diff
changeset
|
343 if mode == "server" then |
|
10237
a36af4570b39
core.certmanager: Lower severity for tls config not having cert
Kim Alvefur <zash@zash.se>
parents:
10227
diff
changeset
|
344 if not user_ssl_config.certificate then |
|
a36af4570b39
core.certmanager: Lower severity for tls config not having cert
Kim Alvefur <zash@zash.se>
parents:
10227
diff
changeset
|
345 log("info", "No certificate present in SSL/TLS configuration for %s. SNI will be required.", host); |
|
a36af4570b39
core.certmanager: Lower severity for tls config not having cert
Kim Alvefur <zash@zash.se>
parents:
10227
diff
changeset
|
346 end |
|
a36af4570b39
core.certmanager: Lower severity for tls config not having cert
Kim Alvefur <zash@zash.se>
parents:
10227
diff
changeset
|
347 if user_ssl_config.certificate and not user_ssl_config.key then return nil, "No key present in SSL/TLS configuration for "..host; end |
|
6077
6999d4415a58
certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost
Kim Alvefur <zash@zash.se>
parents:
6076
diff
changeset
|
348 end |
|
6999d4415a58
certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost
Kim Alvefur <zash@zash.se>
parents:
6076
diff
changeset
|
349 |
|
12480
7e9ebdc75ce4
net: isolate LuaSec-specifics
Jonas Schäfer <jonas@wielicki.name>
parents:
12362
diff
changeset
|
350 local ctx, err = cfg:build(); |
|
4359
c69cbac4178f
certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents:
3670
diff
changeset
|
351 |
|
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
352 if not ctx then |
|
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
353 err = err or "invalid ssl config" |
|
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
354 local file = err:match("^error loading (.-) %("); |
|
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
355 if file then |
|
7743
d018ffc9238c
core.certmanager: Translate "no start line" to something friendlier (thanks santiago)
Kim Alvefur <zash@zash.se>
parents:
7663
diff
changeset
|
356 local typ; |
|
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
357 if file == "private key" then |
|
7743
d018ffc9238c
core.certmanager: Translate "no start line" to something friendlier (thanks santiago)
Kim Alvefur <zash@zash.se>
parents:
7663
diff
changeset
|
358 typ = file; |
|
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
359 file = user_ssl_config.key or "your private key"; |
|
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
360 elseif file == "certificate" then |
|
7743
d018ffc9238c
core.certmanager: Translate "no start line" to something friendlier (thanks santiago)
Kim Alvefur <zash@zash.se>
parents:
7663
diff
changeset
|
361 typ = file; |
|
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
362 file = user_ssl_config.certificate or "your certificate file"; |
|
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
363 end |
|
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
364 local reason = err:match("%((.+)%)$") or "some reason"; |
|
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
365 if reason == "Permission denied" then |
|
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
366 reason = "Check that the permissions allow Prosody to read this file."; |
|
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
367 elseif reason == "No such file or directory" then |
|
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
368 reason = "Check that the path is correct, and the file exists."; |
|
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
369 elseif reason == "system lib" then |
|
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
370 reason = "Previous error (see logs), or other system error."; |
|
7743
d018ffc9238c
core.certmanager: Translate "no start line" to something friendlier (thanks santiago)
Kim Alvefur <zash@zash.se>
parents:
7663
diff
changeset
|
371 elseif reason == "no start line" then |
|
d018ffc9238c
core.certmanager: Translate "no start line" to something friendlier (thanks santiago)
Kim Alvefur <zash@zash.se>
parents:
7663
diff
changeset
|
372 reason = "Check that the file contains a "..(typ or file); |
|
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
373 elseif reason == "(null)" or not reason then |
|
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
374 reason = "Check that the file exists and the permissions are correct"; |
|
2630
e8fc67b73820
certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
375 else |
|
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
376 reason = "Reason: "..tostring(reason):lower(); |
|
2630
e8fc67b73820
certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
377 end |
|
4925
55f6e0673e33
certmanager: Add quotes around cert file path when logging.
Waqas Hussain <waqas20@gmail.com>
parents:
4900
diff
changeset
|
378 log("error", "SSL/TLS: Failed to load '%s': %s (for %s)", file, reason, host); |
|
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
379 else |
|
4855
a31ea431d906
certmanager: Adjust error messages to be non-specific about 'host' (so we can specify a service name instead ffor SSL)
Matthew Wild <mwild1@gmail.com>
parents:
4656
diff
changeset
|
380 log("error", "SSL/TLS: Error initialising for %s: %s", host, err); |
|
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
381 end |
|
3540
bc139431830b
Monster whitespace commit (beware the whitespace monster).
Waqas Hussain <waqas20@gmail.com>
parents:
3402
diff
changeset
|
382 end |
|
6526
873538f0b18c
certmanager, mod_tls: Return final ssl config as third return value (fix for c6caaa440e74, portmanager assumes non-falsy second return value is an error) (thanks deoren)
Kim Alvefur <zash@zash.se>
parents:
6520
diff
changeset
|
383 return ctx, err, user_ssl_config; |
|
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
384 end |
|
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
385 |
|
6779
6236668da30a
core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents:
6570
diff
changeset
|
386 local function reload_ssl_config() |
|
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
387 global_ssl_config = configmanager.get("*", "ssl"); |
|
8159
3850993a9bda
certmanager: Update the 'certificates' option after the config has been reloaded (fixes #929)
Kim Alvefur <zash@zash.se>
parents:
7743
diff
changeset
|
388 global_certificates = configmanager.get("*", "certificates") or "certs"; |
|
8403
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8279
diff
changeset
|
389 if luasec_has.options.no_compression then |
|
6080
b7d1607df87d
certmanager: Update ssl_compression when config is reloaded
Kim Alvefur <zash@zash.se>
parents:
6079
diff
changeset
|
390 core_defaults.options.no_compression = configmanager.get("*", "ssl_compression") ~= true; |
|
b7d1607df87d
certmanager: Update ssl_compression when config is reloaded
Kim Alvefur <zash@zash.se>
parents:
6079
diff
changeset
|
391 end |
|
11709
5810166f35d5
core.certmanager: Support 'use_dane' setting to enable DANE support
Kim Alvefur <zash@zash.se>
parents:
11591
diff
changeset
|
392 core_defaults.dane = configmanager.get("*", "use_dane") or false; |
|
11537
a09685a7b330
core.certmanager: Resolve certs path relative to config dir
Kim Alvefur <zash@zash.se>
parents:
11534
diff
changeset
|
393 cert_index = index_certs(resolve_path(config_path, global_certificates)); |
|
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
394 end |
|
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
395 |
|
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
396 prosody.events.add_handler("config-reloaded", reload_ssl_config); |
|
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
397 |
|
6779
6236668da30a
core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents:
6570
diff
changeset
|
398 return { |
|
6236668da30a
core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents:
6570
diff
changeset
|
399 create_context = create_context; |
|
6236668da30a
core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents:
6570
diff
changeset
|
400 reload_ssl_config = reload_ssl_config; |
|
8274
3798955049e3
prosodyctl: cert import: Reuse function from certmanager for locating certificates and keys
Kim Alvefur <zash@zash.se>
parents:
8259
diff
changeset
|
401 find_cert = find_cert; |
|
12104
29765ac7f72f
prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents:
12099
diff
changeset
|
402 index_certs = index_certs; |
|
10463
fbeb7a3fc4eb
core.portmanager: Fix TLS context inheritance for SNI hosts (completes SNI support)
Kim Alvefur <zash@zash.se>
parents:
10237
diff
changeset
|
403 find_host_cert = find_host_cert; |
|
12104
29765ac7f72f
prosodyctl cert: use the indexing functions for better UX
Jonas Schäfer <jonas@wielicki.name>
parents:
12099
diff
changeset
|
404 find_cert_in_index = find_cert_in_index; |
|
6779
6236668da30a
core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents:
6570
diff
changeset
|
405 }; |
