Comparison

core/certmanager.lua @ 5901:1d13f73af58e

certmanager: Use the server's cipher preference order by default, as clients have been shown to commonly select weak and insecure ciphers even when they support stronger ones
author Matthew Wild <mwild1@gmail.com>
date Sat, 09 Nov 2013 17:50:19 +0000
parent 5895:1b0ac7950129
child 5902:c11c0761a682
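--- a/core/certmanager.lua
+++ b/core/certmanager.lua
@@ -31,11 +31,11 @@
 
 -- Global SSL options if not overridden per-host
 local default_ssl_config = configmanager.get("*", "ssl");
 local default_capath = "/etc/ssl/certs";
 local default_verify = (ssl and ssl.x509 and { "peer", "client_once", }) or "none";
-local default_options = { "no_sslv2", "no_sslv3", luasec_has_noticket and "no_ticket" or nil };
+local default_options = { "no_sslv2", "no_sslv3", luasec_has_noticket and "no_ticket" or nil, "cipher_server_preference" };
 local default_verifyext = { "lsec_continue", "lsec_ignore_purpose" };
 
 if ssl and not luasec_has_verifyext and ssl.x509 then
 -- COMPAT mw/luasec-hg
 for i=1,#default_verifyext do -- Remove lsec_ prefix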
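Review bot: On LuaSec builds where `luasec_has_noticket` is false, the new `default_options` table has a nil in its third slot ahead of `"cipher_server_preference"`, which leaves a hole in the array. The length of a table with a hole is unspecified and `ipairs` stops at the first nil, so depending on how this list is consumed (that code is outside the hunk) the new option may be silently dropped and the server would keep following the client's cipher order. Keeping the conditional entry last avoids the hole: `local default_options = { "no_sslv2", "no_sslv3", "cipher_server_preference", luasec_has_noticket and "no_ticket" or nil };`. A short comment on that line noting that the optional entry must stay at the end would protect the next edit.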