Software /
code /
prosody
Annotate
core/certmanager.lua @ 3670:d6ba317cbc97
certmanager: Add required verify flags for cert verification if LuaSec (probably) supports them
author | Matthew Wild <mwild1@gmail.com> |
---|---|
date | Sun, 28 Nov 2010 21:09:55 +0000 |
parent | 3609:954b1159f2f3 |
child | 4359:c69cbac4178f |
rev | line source |
---|---|
3369
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
1 -- Prosody IM |
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
2 -- Copyright (C) 2008-2010 Matthew Wild |
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
3 -- Copyright (C) 2008-2010 Waqas Hussain |
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
4 -- |
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
5 -- This project is MIT/X11 licensed. Please see the |
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
6 -- COPYING file in the source package for more information. |
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
7 -- |
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
8 |
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
9 local configmanager = require "core.configmanager"; |
2630
e8fc67b73820
certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
10 local log = require "util.logger".init("certmanager"); |
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
11 local ssl = ssl; |
2564
6b4fe320a6ea
certmanager: Fix traceback with no LuaSec
Matthew Wild <mwild1@gmail.com>
parents:
2563
diff
changeset
|
12 local ssl_newcontext = ssl and ssl.newcontext; |
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
13 |
2738
e253dd4714d5
certmanager: Fix nil global access (thanks Marc)
Matthew Wild <mwild1@gmail.com>
parents:
2733
diff
changeset
|
14 local setmetatable, tostring = setmetatable, tostring; |
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
15 |
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
16 local prosody = prosody; |
3609
954b1159f2f3
prosody, configmanager, certmanager: Relocate prosody.resolve_relative_path() to configmanager, and update certmanager (the only user of this function)
Matthew Wild <mwild1@gmail.com>
parents:
3571
diff
changeset
|
17 local resolve_path = configmanager.resolve_relative_path; |
3402
dfc369314e53
prosody.resolve_relative_path: Updated to take a parent path to resolve against.
Waqas Hussain <waqas20@gmail.com>
parents:
3400
diff
changeset
|
18 local config_path = prosody.paths.config; |
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
19 |
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
20 module "certmanager" |
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
21 |
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
22 -- Global SSL options if not overridden per-host |
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
23 local default_ssl_config = configmanager.get("*", "core", "ssl"); |
3368
1748a49da906
certmanager: Defined default_capath to prevent a global nil access.
Waqas Hussain <waqas20@gmail.com>
parents:
3367
diff
changeset
|
24 local default_capath = "/etc/ssl/certs"; |
3670
d6ba317cbc97
certmanager: Add required verify flags for cert verification if LuaSec (probably) supports them
Matthew Wild <mwild1@gmail.com>
parents:
3609
diff
changeset
|
25 local default_verify = (ssl and ssl.x509 and { "peer", "client_once", "continue", "ignore_purpose" }) or "none"; |
d6ba317cbc97
certmanager: Add required verify flags for cert verification if LuaSec (probably) supports them
Matthew Wild <mwild1@gmail.com>
parents:
3609
diff
changeset
|
26 local default_options = { "no_sslv2" }; |
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
27 |
3571
675d65036f31
certmanager, hostmanager, mod_tls: Move responsibility for creating per-host SSL contexts to mod_tls, meaning reloading certs is now as trivial as reloading mod_tls
Matthew Wild <mwild1@gmail.com>
parents:
3540
diff
changeset
|
28 function create_context(host, mode, user_ssl_config) |
675d65036f31
certmanager, hostmanager, mod_tls: Move responsibility for creating per-host SSL contexts to mod_tls, meaning reloading certs is now as trivial as reloading mod_tls
Matthew Wild <mwild1@gmail.com>
parents:
3540
diff
changeset
|
29 user_ssl_config = user_ssl_config or default_ssl_config; |
3370
7c87af1c9a68
certmanager: Fix to handle the case of no SSL configuration at all
Matthew Wild <mwild1@gmail.com>
parents:
3369
diff
changeset
|
30 |
3400 | 31 if not ssl then return nil, "LuaSec (required for encryption) was not found"; end |
32 if not user_ssl_config then return nil, "No SSL/TLS configuration present for "..host; end | |
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
33 |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
34 local ssl_config = { |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
35 mode = mode; |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
36 protocol = user_ssl_config.protocol or "sslv23"; |
3402
dfc369314e53
prosody.resolve_relative_path: Updated to take a parent path to resolve against.
Waqas Hussain <waqas20@gmail.com>
parents:
3400
diff
changeset
|
37 key = resolve_path(config_path, user_ssl_config.key); |
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
38 password = user_ssl_config.password; |
3402
dfc369314e53
prosody.resolve_relative_path: Updated to take a parent path to resolve against.
Waqas Hussain <waqas20@gmail.com>
parents:
3400
diff
changeset
|
39 certificate = resolve_path(config_path, user_ssl_config.certificate); |
dfc369314e53
prosody.resolve_relative_path: Updated to take a parent path to resolve against.
Waqas Hussain <waqas20@gmail.com>
parents:
3400
diff
changeset
|
40 capath = resolve_path(config_path, user_ssl_config.capath or default_capath); |
dfc369314e53
prosody.resolve_relative_path: Updated to take a parent path to resolve against.
Waqas Hussain <waqas20@gmail.com>
parents:
3400
diff
changeset
|
41 cafile = resolve_path(config_path, user_ssl_config.cafile); |
3670
d6ba317cbc97
certmanager: Add required verify flags for cert verification if LuaSec (probably) supports them
Matthew Wild <mwild1@gmail.com>
parents:
3609
diff
changeset
|
42 verify = user_ssl_config.verify or default_verify; |
d6ba317cbc97
certmanager: Add required verify flags for cert verification if LuaSec (probably) supports them
Matthew Wild <mwild1@gmail.com>
parents:
3609
diff
changeset
|
43 options = user_ssl_config.options or default_options; |
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
44 ciphers = user_ssl_config.ciphers; |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
45 depth = user_ssl_config.depth; |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
46 }; |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
47 |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
48 local ctx, err = ssl_newcontext(ssl_config); |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
49 if not ctx then |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
50 err = err or "invalid ssl config" |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
51 local file = err:match("^error loading (.-) %("); |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
52 if file then |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
53 if file == "private key" then |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
54 file = ssl_config.key or "your private key"; |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
55 elseif file == "certificate" then |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
56 file = ssl_config.certificate or "your certificate file"; |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
57 end |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
58 local reason = err:match("%((.+)%)$") or "some reason"; |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
59 if reason == "Permission denied" then |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
60 reason = "Check that the permissions allow Prosody to read this file."; |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
61 elseif reason == "No such file or directory" then |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
62 reason = "Check that the path is correct, and the file exists."; |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
63 elseif reason == "system lib" then |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
64 reason = "Previous error (see logs), or other system error."; |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
65 elseif reason == "(null)" or not reason then |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
66 reason = "Check that the file exists and the permissions are correct"; |
2630
e8fc67b73820
certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
67 else |
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
68 reason = "Reason: "..tostring(reason):lower(); |
2630
e8fc67b73820
certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
69 end |
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
70 log("error", "SSL/TLS: Failed to load %s: %s", file, reason); |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
71 else |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
72 log("error", "SSL/TLS: Error initialising for host %s: %s", host, err ); |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
73 end |
3540
bc139431830b
Monster whitespace commit (beware the whitespace monster).
Waqas Hussain <waqas20@gmail.com>
parents:
3402
diff
changeset
|
74 end |
bc139431830b
Monster whitespace commit (beware the whitespace monster).
Waqas Hussain <waqas20@gmail.com>
parents:
3402
diff
changeset
|
75 return ctx, err; |
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
76 end |
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
77 |
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
78 function reload_ssl_config() |
2733
65ad0fdb17ba
certmanager: Fix global access
Matthew Wild <mwild1@gmail.com>
parents:
2631
diff
changeset
|
79 default_ssl_config = configmanager.get("*", "core", "ssl"); |
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
80 end |
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
81 |
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
82 prosody.events.add_handler("config-reloaded", reload_ssl_config); |
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
83 |
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
84 return _M; |