Software / code / prosody
Annotate
core/certmanager.lua @ 5915:e6fed1d80116
Back out 1b0ac7950129, as SSLv3 appears to still be in moderate use on the network. Also, although obsolete, SSLv3 isn't documented to have any weaknesses that TLS 1.0 (the most common version used today) doesn't also have. Get your act together clients!
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Tue, 12 Nov 2013 02:13:01 +0000 |
| parent | 5907:9586979058b8 |
| child | 5916:1c4405f33561 |
| child | 5921:f7601ce30cfc |
| rev | line source |
|---|---|
|
3369
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
1 -- Prosody IM |
|
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
2 -- Copyright (C) 2008-2010 Matthew Wild |
|
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
3 -- Copyright (C) 2008-2010 Waqas Hussain |
|
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
4 -- |
|
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
5 -- This project is MIT/X11 licensed. Please see the |
|
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
6 -- COPYING file in the source package for more information. |
|
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
7 -- |
|
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
8 |
|
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
9 local configmanager = require "core.configmanager"; |
|
2630
e8fc67b73820
certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
10 local log = require "util.logger".init("certmanager"); |
|
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
11 local ssl = ssl; |
|
2564
6b4fe320a6ea
certmanager: Fix traceback with no LuaSec
Matthew Wild <mwild1@gmail.com>
parents:
2563
diff
changeset
|
12 local ssl_newcontext = ssl and ssl.newcontext; |
|
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
13 |
|
4992
e79e4d1f75de
certmanager: Remove unused import of setmetatable
Matthew Wild <mwild1@gmail.com>
parents:
4991
diff
changeset
|
14 local tostring = tostring; |
|
5820
6bc4077bc1f9
certmanager: Fix dhparam callback, missing imports (Testing, pfft)
Kim Alvefur <zash@zash.se>
parents:
5816
diff
changeset
|
15 local type = type; |
|
6bc4077bc1f9
certmanager: Fix dhparam callback, missing imports (Testing, pfft)
Kim Alvefur <zash@zash.se>
parents:
5816
diff
changeset
|
16 local io_open = io.open; |
|
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
17 |
|
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
18 local prosody = prosody; |
|
3609
954b1159f2f3
prosody, configmanager, certmanager: Relocate prosody.resolve_relative_path() to configmanager, and update certmanager (the only user of this function)
Matthew Wild <mwild1@gmail.com>
parents:
3571
diff
changeset
|
19 local resolve_path = configmanager.resolve_relative_path; |
|
3402
dfc369314e53
prosody.resolve_relative_path: Updated to take a parent path to resolve against.
Waqas Hussain <waqas20@gmail.com>
parents:
3400
diff
changeset
|
20 local config_path = prosody.paths.config; |
|
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
21 |
|
5621
63cfd59999b6
certmanager: Disable SSL compression if possible (LuaSec 0.5 or 0.4.1+OpenSSL 1.x)
Matthew Wild <mwild1@gmail.com>
parents:
5377
diff
changeset
|
22 local luasec_has_noticket, luasec_has_verifyext, luasec_has_no_compression; |
|
4991
bcbfcec620ac
certmanager: Fix for traceback WITH LuaSec... (!) (thanks IRON)
Matthew Wild <mwild1@gmail.com>
parents:
4990
diff
changeset
|
23 if ssl then |
|
bcbfcec620ac
certmanager: Fix for traceback WITH LuaSec... (!) (thanks IRON)
Matthew Wild <mwild1@gmail.com>
parents:
4990
diff
changeset
|
24 local luasec_major, luasec_minor = ssl._VERSION:match("^(%d+)%.(%d+)"); |
|
bcbfcec620ac
certmanager: Fix for traceback WITH LuaSec... (!) (thanks IRON)
Matthew Wild <mwild1@gmail.com>
parents:
4990
diff
changeset
|
25 luasec_has_noticket = tonumber(luasec_major)>0 or tonumber(luasec_minor)>=4; |
|
5282
4cd57cb49f99
core.certmanager: Add support for LuaSec 0.5. Also compat with MattJs luasec-hg
Kim Alvefur <zash@zash.se>
parents:
4992
diff
changeset
|
26 luasec_has_verifyext = tonumber(luasec_major)>0 or tonumber(luasec_minor)>=5; |
|
5621
63cfd59999b6
certmanager: Disable SSL compression if possible (LuaSec 0.5 or 0.4.1+OpenSSL 1.x)
Matthew Wild <mwild1@gmail.com>
parents:
5377
diff
changeset
|
27 luasec_has_no_compression = tonumber(luasec_major)>0 or tonumber(luasec_minor)>=5; |
|
4991
bcbfcec620ac
certmanager: Fix for traceback WITH LuaSec... (!) (thanks IRON)
Matthew Wild <mwild1@gmail.com>
parents:
4990
diff
changeset
|
28 end |
|
4899
0b8134015635
certmanager: Don't use no_ticket option before LuaSec 0.4
Matthew Wild <mwild1@gmail.com>
parents:
4890
diff
changeset
|
29 |
|
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
30 module "certmanager" |
|
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
31 |
|
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
32 -- Global SSL options if not overridden per-host |
|
5377
898454038524
core.*: Complete removal of all traces of the "core" section and section-related code.
Kim Alvefur <zash@zash.se>
parents:
5287
diff
changeset
|
33 local default_ssl_config = configmanager.get("*", "ssl"); |
|
3368
1748a49da906
certmanager: Defined default_capath to prevent a global nil access.
Waqas Hussain <waqas20@gmail.com>
parents:
3367
diff
changeset
|
34 local default_capath = "/etc/ssl/certs"; |
|
5282
4cd57cb49f99
core.certmanager: Add support for LuaSec 0.5. Also compat with MattJs luasec-hg
Kim Alvefur <zash@zash.se>
parents:
4992
diff
changeset
|
35 local default_verify = (ssl and ssl.x509 and { "peer", "client_once", }) or "none"; |
|
5915
e6fed1d80116
Back out 1b0ac7950129, as SSLv3 appears to still be in moderate use on the network. Also, although obsolete, SSLv3 isn't documented to have any weaknesses that TLS 1.0 (the most common version used today) doesn't also have. Get your act together clients!
Matthew Wild <mwild1@gmail.com>
parents:
5907
diff
changeset
|
36 local default_options = { "no_sslv2", "cipher_server_preference", luasec_has_noticket and "no_ticket" or nil }; |
|
5282
4cd57cb49f99
core.certmanager: Add support for LuaSec 0.5. Also compat with MattJs luasec-hg
Kim Alvefur <zash@zash.se>
parents:
4992
diff
changeset
|
37 local default_verifyext = { "lsec_continue", "lsec_ignore_purpose" }; |
|
4cd57cb49f99
core.certmanager: Add support for LuaSec 0.5. Also compat with MattJs luasec-hg
Kim Alvefur <zash@zash.se>
parents:
4992
diff
changeset
|
38 |
|
5287
676a1a032d2f
certmanager: Fix nil index if no LuaSec available
Kim Alvefur <zash@zash.se>
parents:
5282
diff
changeset
|
39 if ssl and not luasec_has_verifyext and ssl.x509 then |
|
5282
4cd57cb49f99
core.certmanager: Add support for LuaSec 0.5. Also compat with MattJs luasec-hg
Kim Alvefur <zash@zash.se>
parents:
4992
diff
changeset
|
40 -- COMPAT mw/luasec-hg |
|
4cd57cb49f99
core.certmanager: Add support for LuaSec 0.5. Also compat with MattJs luasec-hg
Kim Alvefur <zash@zash.se>
parents:
4992
diff
changeset
|
41 for i=1,#default_verifyext do -- Remove lsec_ prefix |
|
4cd57cb49f99
core.certmanager: Add support for LuaSec 0.5. Also compat with MattJs luasec-hg
Kim Alvefur <zash@zash.se>
parents:
4992
diff
changeset
|
42 default_verify[#default_verify+1] = default_verifyext[i]:sub(6); |
|
4cd57cb49f99
core.certmanager: Add support for LuaSec 0.5. Also compat with MattJs luasec-hg
Kim Alvefur <zash@zash.se>
parents:
4992
diff
changeset
|
43 end |
|
4cd57cb49f99
core.certmanager: Add support for LuaSec 0.5. Also compat with MattJs luasec-hg
Kim Alvefur <zash@zash.se>
parents:
4992
diff
changeset
|
44 end |
|
5621
63cfd59999b6
certmanager: Disable SSL compression if possible (LuaSec 0.5 or 0.4.1+OpenSSL 1.x)
Matthew Wild <mwild1@gmail.com>
parents:
5377
diff
changeset
|
45 if luasec_has_no_compression and configmanager.get("*", "ssl_compression") ~= true then |
|
63cfd59999b6
certmanager: Disable SSL compression if possible (LuaSec 0.5 or 0.4.1+OpenSSL 1.x)
Matthew Wild <mwild1@gmail.com>
parents:
5377
diff
changeset
|
46 default_options[#default_options+1] = "no_compression"; |
|
63cfd59999b6
certmanager: Disable SSL compression if possible (LuaSec 0.5 or 0.4.1+OpenSSL 1.x)
Matthew Wild <mwild1@gmail.com>
parents:
5377
diff
changeset
|
47 end |
|
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
48 |
|
5678
b7ebeae14053
certmanager: Add single_dh_use and single_ecdh_use to default options
Matthew Wild <mwild1@gmail.com>
parents:
5676
diff
changeset
|
49 if luasec_has_no_compression then -- Has no_compression? Then it has these too... |
|
b7ebeae14053
certmanager: Add single_dh_use and single_ecdh_use to default options
Matthew Wild <mwild1@gmail.com>
parents:
5676
diff
changeset
|
50 default_options[#default_options+1] = "single_dh_use"; |
|
b7ebeae14053
certmanager: Add single_dh_use and single_ecdh_use to default options
Matthew Wild <mwild1@gmail.com>
parents:
5676
diff
changeset
|
51 default_options[#default_options+1] = "single_ecdh_use"; |
|
b7ebeae14053
certmanager: Add single_dh_use and single_ecdh_use to default options
Matthew Wild <mwild1@gmail.com>
parents:
5676
diff
changeset
|
52 end |
|
b7ebeae14053
certmanager: Add single_dh_use and single_ecdh_use to default options
Matthew Wild <mwild1@gmail.com>
parents:
5676
diff
changeset
|
53 |
|
3571
675d65036f31
certmanager, hostmanager, mod_tls: Move responsibility for creating per-host SSL contexts to mod_tls, meaning reloading certs is now as trivial as reloading mod_tls
Matthew Wild <mwild1@gmail.com>
parents:
3540
diff
changeset
|
54 function create_context(host, mode, user_ssl_config) |
|
675d65036f31
certmanager, hostmanager, mod_tls: Move responsibility for creating per-host SSL contexts to mod_tls, meaning reloading certs is now as trivial as reloading mod_tls
Matthew Wild <mwild1@gmail.com>
parents:
3540
diff
changeset
|
55 user_ssl_config = user_ssl_config or default_ssl_config; |
|
3370
7c87af1c9a68
certmanager: Fix to handle the case of no SSL configuration at all
Matthew Wild <mwild1@gmail.com>
parents:
3369
diff
changeset
|
56 |
| 3400 | 57 if not ssl then return nil, "LuaSec (required for encryption) was not found"; end |
| 58 if not user_ssl_config then return nil, "No SSL/TLS configuration present for "..host; end | |
|
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
59 |
|
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
60 local ssl_config = { |
|
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
61 mode = mode; |
|
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
62 protocol = user_ssl_config.protocol or "sslv23"; |
|
3402
dfc369314e53
prosody.resolve_relative_path: Updated to take a parent path to resolve against.
Waqas Hussain <waqas20@gmail.com>
parents:
3400
diff
changeset
|
63 key = resolve_path(config_path, user_ssl_config.key); |
|
4656
43469a2d124d
core.certmanager: Log a message when a password is required but not supplied. fixes #214
Kim Alvefur <zash@zash.se>
parents:
4408
diff
changeset
|
64 password = user_ssl_config.password or function() log("error", "Encrypted certificate for %s requires 'ssl' 'password' to be set in config", host); end; |
|
3402
dfc369314e53
prosody.resolve_relative_path: Updated to take a parent path to resolve against.
Waqas Hussain <waqas20@gmail.com>
parents:
3400
diff
changeset
|
65 certificate = resolve_path(config_path, user_ssl_config.certificate); |
|
dfc369314e53
prosody.resolve_relative_path: Updated to take a parent path to resolve against.
Waqas Hussain <waqas20@gmail.com>
parents:
3400
diff
changeset
|
66 capath = resolve_path(config_path, user_ssl_config.capath or default_capath); |
|
dfc369314e53
prosody.resolve_relative_path: Updated to take a parent path to resolve against.
Waqas Hussain <waqas20@gmail.com>
parents:
3400
diff
changeset
|
67 cafile = resolve_path(config_path, user_ssl_config.cafile); |
|
3670
d6ba317cbc97
certmanager: Add required verify flags for cert verification if LuaSec (probably) supports them
Matthew Wild <mwild1@gmail.com>
parents:
3609
diff
changeset
|
68 verify = user_ssl_config.verify or default_verify; |
|
5282
4cd57cb49f99
core.certmanager: Add support for LuaSec 0.5. Also compat with MattJs luasec-hg
Kim Alvefur <zash@zash.se>
parents:
4992
diff
changeset
|
69 verifyext = user_ssl_config.verifyext or default_verifyext; |
|
3670
d6ba317cbc97
certmanager: Add required verify flags for cert verification if LuaSec (probably) supports them
Matthew Wild <mwild1@gmail.com>
parents:
3609
diff
changeset
|
70 options = user_ssl_config.options or default_options; |
|
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
71 depth = user_ssl_config.depth; |
|
5676
c1021a2e7071
certmanager: Set ssl.curve to 'secp384r1' by default, to enable ECC ciphers
Matthew Wild <mwild1@gmail.com>
parents:
5673
diff
changeset
|
72 curve = user_ssl_config.curve or "secp384r1"; |
|
5907
9586979058b8
certmanager: Update default cipher string to prefer forward-secrecy over cipher strength and to disable triple-DES (weaker and much slower than AES)
Matthew Wild <mwild1@gmail.com>
parents:
5902
diff
changeset
|
73 ciphers = user_ssl_config.ciphers or "HIGH+kEDH:HIGH+kEECDH:HIGH+kRSA:!DSS:!3DES:!aNULL"; |
|
5673
9ca4d1ada906
certmanager: Use 'curve' and 'dhparam' options from ssl config if present
Matthew Wild <mwild1@gmail.com>
parents:
5621
diff
changeset
|
74 dhparam = user_ssl_config.dhparam; |
|
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
75 }; |
|
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
76 |
|
5816
20e2b588f8c2
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5815
diff
changeset
|
77 -- LuaSec expects dhparam to be a callback that takes two arguments. |
|
20e2b588f8c2
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5815
diff
changeset
|
78 -- We ignore those because it is mostly used for having a separate |
|
20e2b588f8c2
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5815
diff
changeset
|
79 -- set of params for EXPORT ciphers, which we don't have by default. |
|
5820
6bc4077bc1f9
certmanager: Fix dhparam callback, missing imports (Testing, pfft)
Kim Alvefur <zash@zash.se>
parents:
5816
diff
changeset
|
80 if type(ssl_config.dhparam) == "string" then |
|
6bc4077bc1f9
certmanager: Fix dhparam callback, missing imports (Testing, pfft)
Kim Alvefur <zash@zash.se>
parents:
5816
diff
changeset
|
81 local f, err = io_open(resolve_path(config_path, ssl_config.dhparam)); |
|
5816
20e2b588f8c2
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5815
diff
changeset
|
82 if not f then return nil, "Could not open DH parameters: "..err end |
|
20e2b588f8c2
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5815
diff
changeset
|
83 local dhparam = f:read("*a"); |
|
20e2b588f8c2
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5815
diff
changeset
|
84 f:close(); |
|
5820
6bc4077bc1f9
certmanager: Fix dhparam callback, missing imports (Testing, pfft)
Kim Alvefur <zash@zash.se>
parents:
5816
diff
changeset
|
85 ssl_config.dhparam = function() return dhparam; end |
|
5816
20e2b588f8c2
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5815
diff
changeset
|
86 end |
|
20e2b588f8c2
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5815
diff
changeset
|
87 |
|
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
88 local ctx, err = ssl_newcontext(ssl_config); |
|
4359
c69cbac4178f
certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents:
3670
diff
changeset
|
89 |
|
5815
b93d096607b4
certmanager: Fix for working around a bug with LuaSec 0.4.1 that causes it to not honour the 'ciphers' option. This change will apply 0.9's default cipher string for LuaSec 0.4.1 users.
Matthew Wild <mwild1@gmail.com>
parents:
5745
diff
changeset
|
90 -- COMPAT: LuaSec 0.4.1 ignores the cipher list from the config, so we have to take |
|
b93d096607b4
certmanager: Fix for working around a bug with LuaSec 0.4.1 that causes it to not honour the 'ciphers' option. This change will apply 0.9's default cipher string for LuaSec 0.4.1 users.
Matthew Wild <mwild1@gmail.com>
parents:
5745
diff
changeset
|
91 -- care of it ourselves... |
|
b93d096607b4
certmanager: Fix for working around a bug with LuaSec 0.4.1 that causes it to not honour the 'ciphers' option. This change will apply 0.9's default cipher string for LuaSec 0.4.1 users.
Matthew Wild <mwild1@gmail.com>
parents:
5745
diff
changeset
|
92 if ctx and ssl_config.ciphers then |
|
4359
c69cbac4178f
certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents:
3670
diff
changeset
|
93 local success; |
|
5815
b93d096607b4
certmanager: Fix for working around a bug with LuaSec 0.4.1 that causes it to not honour the 'ciphers' option. This change will apply 0.9's default cipher string for LuaSec 0.4.1 users.
Matthew Wild <mwild1@gmail.com>
parents:
5745
diff
changeset
|
94 success, err = ssl.context.setcipher(ctx, ssl_config.ciphers); |
|
4359
c69cbac4178f
certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents:
3670
diff
changeset
|
95 if not success then ctx = nil; end |
|
c69cbac4178f
certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents:
3670
diff
changeset
|
96 end |
|
c69cbac4178f
certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents:
3670
diff
changeset
|
97 |
|
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
98 if not ctx then |
|
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
99 err = err or "invalid ssl config" |
|
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
100 local file = err:match("^error loading (.-) %("); |
|
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
101 if file then |
|
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
102 if file == "private key" then |
|
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
103 file = ssl_config.key or "your private key"; |
|
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
104 elseif file == "certificate" then |
|
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
105 file = ssl_config.certificate or "your certificate file"; |
|
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
106 end |
|
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
107 local reason = err:match("%((.+)%)$") or "some reason"; |
|
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
108 if reason == "Permission denied" then |
|
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
109 reason = "Check that the permissions allow Prosody to read this file."; |
|
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
110 elseif reason == "No such file or directory" then |
|
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
111 reason = "Check that the path is correct, and the file exists."; |
|
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
112 elseif reason == "system lib" then |
|
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
113 reason = "Previous error (see logs), or other system error."; |
|
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
114 elseif reason == "(null)" or not reason then |
|
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
115 reason = "Check that the file exists and the permissions are correct"; |
|
2630
e8fc67b73820
certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
116 else |
|
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
117 reason = "Reason: "..tostring(reason):lower(); |
|
2630
e8fc67b73820
certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
118 end |
|
4925
55f6e0673e33
certmanager: Add quotes around cert file path when logging.
Waqas Hussain <waqas20@gmail.com>
parents:
4900
diff
changeset
|
119 log("error", "SSL/TLS: Failed to load '%s': %s (for %s)", file, reason, host); |
|
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
120 else |
|
4855
a31ea431d906
certmanager: Adjust error messages to be non-specific about 'host' (so we can specify a service name instead ffor SSL)
Matthew Wild <mwild1@gmail.com>
parents:
4656
diff
changeset
|
121 log("error", "SSL/TLS: Error initialising for %s: %s", host, err); |
|
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
122 end |
|
3540
bc139431830b
Monster whitespace commit (beware the whitespace monster).
Waqas Hussain <waqas20@gmail.com>
parents:
3402
diff
changeset
|
123 end |
|
bc139431830b
Monster whitespace commit (beware the whitespace monster).
Waqas Hussain <waqas20@gmail.com>
parents:
3402
diff
changeset
|
124 return ctx, err; |
|
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
125 end |
|
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
126 |
|
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
127 function reload_ssl_config() |
|
5377
898454038524
core.*: Complete removal of all traces of the "core" section and section-related code.
Kim Alvefur <zash@zash.se>
parents:
5287
diff
changeset
|
128 default_ssl_config = configmanager.get("*", "ssl"); |
|
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
129 end |
|
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
130 |
|
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
131 prosody.events.add_handler("config-reloaded", reload_ssl_config); |
|
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
132 |
|
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
133 return _M; |
