
core/certmanager.lua @ 6566:1f396f0fe832

certmanager: Improve "detection" of features that depend on LuaSec version
author Kim Alvefur <zash@zash.se>
date Thu, 05 Feb 2015 16:20:50 +0100
parent 6565:ffc0a57889aa
child 6567:d4a68d93ad04
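--- a/core/certmanager.lua
+++ b/core/certmanager.lua
@@ -32,15 +32,20 @@
 
 local prosody = prosody;
 local resolve_path = require"util.paths".resolve_relative_path;
 local config_path = prosody.paths.config;
 
-local luasec_has_noticket, luasec_has_verifyext, luasec_has_no_compression;
 local luasec_major, luasec_minor = ssl._VERSION:match("^(%d+)%.(%d+)");
-luasec_has_noticket = tonumber(luasec_major)>0 or tonumber(luasec_minor)>=4;
-luasec_has_verifyext = tonumber(luasec_major)>0 or tonumber(luasec_minor)>=5;
-luasec_has_no_compression = tonumber(luasec_major)>0 or tonumber(luasec_minor)>=5;
+local luasec_version = luasec_major * 100 + luasec_minor;
+local luasec_has = {
+-- TODO If LuaSec ever starts exposing these things itself, use that instead
+cipher_server_preference = true;
+no_ticket = luasec_version >= 4;
+no_compression = luasec_version >= 5;
+single_dh_use = luasec_version >= 5;
+single_ecdh_use = luasec_version >= 5;
+};
 
 module "certmanager"
 
 -- Global SSL options if not overridden per-host
 local global_ssl_config = configmanager.get("*", "ssl");
@@ -49,16 +54,15 @@
 local core_defaults = {
 capath = "/etc/ssl/certs";
 protocol = "tlsv1+";
 verify = (ssl_x509 and { "peer", "client_once", }) or "none";
 options = {
-cipher_server_preference = true;
-no_ticket = luasec_has_noticket;
-no_compression = luasec_has_no_compression and configmanager.get("*", "ssl_compression") ~= true;
--- Has no_compression? Then it has these too...
-single_dh_use = luasec_has_no_compression;
-single_ecdh_use = luasec_has_no_compression;
+cipher_server_preference = luasec_has.cipher_server_preference;
+no_ticket = luasec_has.no_ticket;
+no_compression = luasec_has.no_compression and configmanager.get("*", "ssl_compression") ~= true;
+single_dh_use = luasec_has.single_dh_use;
+single_ecdh_use = luasec_has.single_ecdh_use;
 };
 verifyext = { "lsec_continue", "lsec_ignore_purpose" };
 curve = "secp384r1";
 ciphers = "HIGH+kEDH:HIGH+kEECDH:HIGH:!PSK:!SRP:!3DES:!aNULL";
 }
@@ -149,11 +153,11 @@
 return ctx, err, user_ssl_config;
 end
 
 function reload_ssl_config()
 global_ssl_config = configmanager.get("*", "ssl");
-if luasec_has_no_compression then
+if luasec_has.no_compression then
 core_defaults.options.no_compression = configmanager.get("*", "ssl_compression") ~= true;
 end
 end
 
 prosody.events.add_handler("config-reloaded", reload_ssl_config);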
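Review bot: `luasec_version` on new line 38 is computed by arithmetic on the two string captures from `ssl._VERSION:match("^(%d+)%.(%d+)")`; the implicit coercion works, but if the version string is not in `major.minor` form both captures are nil and the module fails to load with a bare "attempt to perform arithmetic on a nil value" that never names LuaSec. Because this table now decides whether hardening options such as `no_compression`, `single_dh_use` and `single_ecdh_use` are enabled at all, I would make the parse explicit and the failure self-explanatory: after the `match` line add `assert(luasec_major, "Unable to parse LuaSec version: "..tostring(ssl._VERSION));` and compute `local luasec_version = tonumber(luasec_major) * 100 + tonumber(luasec_minor);`. A one-line comment on the encoding would also help, since `luasec_version >= 5` reads as "version 5" when it means 0.5: `-- major*100 + minor, so 0.4 -> 4, 0.5 -> 5, 1.0 -> 100`. The old `luasec_has_verifyext` flag is dropped while `verifyext` on new line 65 stays unconditional; that was already the case before this change, so it is not a regression, only something the new `luasec_has` table could eventually cover.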