prosody
30ac122acdd3
core/certmanager.lua
Software / code / prosody
Comparison
core/certmanager.lua @ 6078:30ac122acdd3
certmanager: Support ssl.protocol syntax like "tlsv1+" that disables older protocols
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Tue, 15 Apr 2014 00:45:07 +0200 |
| parent | 6077:6999d4415a58 |
| child | 6079:5cffee5b2826 |
comparison
equal
deleted
inserted
replaced
| 6077:6999d4415a58 | 6078:30ac122acdd3 |
|---|---|
| 34 -- Global SSL options if not overridden per-host | 34 -- Global SSL options if not overridden per-host |
| 35 local global_ssl_config = configmanager.get("*", "ssl"); | 35 local global_ssl_config = configmanager.get("*", "ssl"); |
| 36 | 36 |
| 37 local core_defaults = { | 37 local core_defaults = { |
| 38 capath = "/etc/ssl/certs"; | 38 capath = "/etc/ssl/certs"; |
| 39 protocol = "sslv23"; | 39 protocol = "tlsv1+"; |
| 40 verify = (ssl and ssl.x509 and { "peer", "client_once", }) or "none"; | 40 verify = (ssl and ssl.x509 and { "peer", "client_once", }) or "none"; |
| 41 options = { "no_sslv2", "no_sslv3", "cipher_server_preference", luasec_has_noticket and "no_ticket" or nil }; | 41 options = { "cipher_server_preference", luasec_has_noticket and "no_ticket" or nil }; |
| 42 verifyext = { "lsec_continue", "lsec_ignore_purpose" }; | 42 verifyext = { "lsec_continue", "lsec_ignore_purpose" }; |
| 43 curve = "secp384r1"; | 43 curve = "secp384r1"; |
| 44 ciphers = "HIGH+kEDH:HIGH+kEECDH:HIGH:!PSK:!SRP:!3DES:!aNULL"; | 44 ciphers = "HIGH+kEDH:HIGH+kEECDH:HIGH:!PSK:!SRP:!3DES:!aNULL"; |
| 45 } | 45 } |
| 46 local path_options = { -- These we pass through resolve_path() | 46 local path_options = { -- These we pass through resolve_path() |
| 75 end | 75 end |
| 76 end | 76 end |
| 77 return o; | 77 return o; |
| 78 end | 78 end |
| 79 | 79 |
| 80 local protocols = { "sslv2", "sslv3", "tlsv1", "tlsv1_1", "tlsv1_2" }; | |
| 81 for i = 1, #protocols do protocols[protocols[i] .. "+"] = i - 1; end | |
| 82 | |
| 80 function create_context(host, mode, user_ssl_config) | 83 function create_context(host, mode, user_ssl_config) |
| 81 user_ssl_config = user_ssl_config or {} | 84 user_ssl_config = user_ssl_config or {} |
| 82 user_ssl_config.mode = mode; | 85 user_ssl_config.mode = mode; |
| 83 | 86 |
| 84 if not ssl then return nil, "LuaSec (required for encryption) was not found"; end | 87 if not ssl then return nil, "LuaSec (required for encryption) was not found"; end |
| 92 end | 95 end |
| 93 | 96 |
| 94 for option,default_value in pairs(core_defaults) do | 97 for option,default_value in pairs(core_defaults) do |
| 95 if user_ssl_config[option] == nil then | 98 if user_ssl_config[option] == nil then |
| 96 user_ssl_config[option] = default_value; | 99 user_ssl_config[option] = default_value; |
| 100 end | |
| 101 end | |
| 102 | |
| 103 local min_protocol = protocols[user_ssl_config.protocol]; | |
| 104 if min_protocol then | |
| 105 user_ssl_config.protocol = "sslv23"; | |
| 106 for i = min_protocol, 1, -1 do | |
| 107 user_ssl_config.options["no_"..protocols[i]] = true; | |
| 97 end | 108 end |
| 98 end | 109 end |
| 99 | 110 |
| 100 for option in pairs(set_options) do | 111 for option in pairs(set_options) do |
| 101 local merged = {}; | 112 local merged = {}; |
