prosody
4a864b6e8963
core/certmanager.lua
Software / code / prosody
Comparison
core/certmanager.lua @ 6571:4a864b6e8963
Merge 0.10->trunk
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Mon, 09 Feb 2015 00:48:08 +0100 |
| parent | 6570:70e65ac65219 |
| child | 6779:6236668da30a |
comparison
equal
deleted
inserted
replaced
| 6560:6f39c58bdcc4 | 6571:4a864b6e8963 |
|---|---|
| 4 -- | 4 -- |
| 5 -- This project is MIT/X11 licensed. Please see the | 5 -- This project is MIT/X11 licensed. Please see the |
| 6 -- COPYING file in the source package for more information. | 6 -- COPYING file in the source package for more information. |
| 7 -- | 7 -- |
| 8 | 8 |
| 9 local softreq = require"util.dependencies".softreq; | |
| 10 local ssl = softreq"ssl"; | |
| 11 if not ssl then | |
| 12 return { | |
| 13 create_context = function () | |
| 14 return nil, "LuaSec (required for encryption) was not found"; | |
| 15 end; | |
| 16 reload_ssl_config = function () end; | |
| 17 } | |
| 18 end | |
| 19 | |
| 9 local configmanager = require "core.configmanager"; | 20 local configmanager = require "core.configmanager"; |
| 10 local log = require "util.logger".init("certmanager"); | 21 local log = require "util.logger".init("certmanager"); |
| 11 local ssl = _G.ssl; | 22 local ssl_context = ssl.context or softreq"ssl.context"; |
| 12 local ssl_newcontext = ssl and ssl.newcontext; | 23 local ssl_x509 = ssl.x509 or softreq"ssl.x509"; |
| 24 local ssl_newcontext = ssl.newcontext; | |
| 13 local new_config = require"util.sslconfig".new; | 25 local new_config = require"util.sslconfig".new; |
| 14 | 26 |
| 15 local tostring = tostring; | 27 local tostring = tostring; |
| 16 local pairs = pairs; | 28 local pairs = pairs; |
| 17 local type = type; | 29 local type = type; |
| 20 | 32 |
| 21 local prosody = prosody; | 33 local prosody = prosody; |
| 22 local resolve_path = require"util.paths".resolve_relative_path; | 34 local resolve_path = require"util.paths".resolve_relative_path; |
| 23 local config_path = prosody.paths.config; | 35 local config_path = prosody.paths.config; |
| 24 | 36 |
| 25 local luasec_has_noticket, luasec_has_verifyext, luasec_has_no_compression; | 37 local luasec_major, luasec_minor = ssl._VERSION:match("^(%d+)%.(%d+)"); |
| 26 if ssl then | 38 local luasec_version = luasec_major * 100 + luasec_minor; |
| 27 local luasec_major, luasec_minor = ssl._VERSION:match("^(%d+)%.(%d+)"); | 39 local luasec_has = { |
| 28 luasec_has_noticket = tonumber(luasec_major)>0 or tonumber(luasec_minor)>=4; | 40 -- TODO If LuaSec ever starts exposing these things itself, use that instead |
| 29 luasec_has_verifyext = tonumber(luasec_major)>0 or tonumber(luasec_minor)>=5; | 41 cipher_server_preference = luasec_version >= 2; |
| 30 luasec_has_no_compression = tonumber(luasec_major)>0 or tonumber(luasec_minor)>=5; | 42 no_ticket = luasec_version >= 4; |
| 31 end | 43 no_compression = luasec_version >= 5; |
| 44 single_dh_use = luasec_version >= 2; | |
| 45 single_ecdh_use = luasec_version >= 2; | |
| 46 }; | |
| 32 | 47 |
| 33 module "certmanager" | 48 module "certmanager" |
| 34 | 49 |
| 35 -- Global SSL options if not overridden per-host | 50 -- Global SSL options if not overridden per-host |
| 36 local global_ssl_config = configmanager.get("*", "ssl"); | 51 local global_ssl_config = configmanager.get("*", "ssl"); |
| 37 | 52 |
| 38 -- Built-in defaults | 53 -- Built-in defaults |
| 39 local core_defaults = { | 54 local core_defaults = { |
| 40 capath = "/etc/ssl/certs"; | 55 capath = "/etc/ssl/certs"; |
| 56 depth = 9; | |
| 41 protocol = "tlsv1+"; | 57 protocol = "tlsv1+"; |
| 42 verify = (ssl and ssl.x509 and { "peer", "client_once", }) or "none"; | 58 verify = (ssl_x509 and { "peer", "client_once", }) or "none"; |
| 43 options = { | 59 options = { |
| 44 cipher_server_preference = true; | 60 cipher_server_preference = luasec_has.cipher_server_preference; |
| 45 no_ticket = luasec_has_noticket; | 61 no_ticket = luasec_has.no_ticket; |
| 46 no_compression = luasec_has_no_compression and configmanager.get("*", "ssl_compression") ~= true; | 62 no_compression = luasec_has.no_compression and configmanager.get("*", "ssl_compression") ~= true; |
| 47 -- Has no_compression? Then it has these too... | 63 single_dh_use = luasec_has.single_dh_use; |
| 48 single_dh_use = luasec_has_no_compression; | 64 single_ecdh_use = luasec_has.single_ecdh_use; |
| 49 single_ecdh_use = luasec_has_no_compression; | |
| 50 }; | 65 }; |
| 51 verifyext = { "lsec_continue", "lsec_ignore_purpose" }; | 66 verifyext = { "lsec_continue", "lsec_ignore_purpose" }; |
| 52 curve = "secp384r1"; | 67 curve = "secp384r1"; |
| 53 ciphers = "HIGH+kEDH:HIGH+kEECDH:HIGH:!PSK:!SRP:!3DES:!aNULL"; | 68 ciphers = "HIGH+kEDH:HIGH+kEECDH:HIGH:!PSK:!SRP:!3DES:!aNULL"; |
| 54 } | 69 } |
| 55 local path_options = { -- These we pass through resolve_path() | 70 local path_options = { -- These we pass through resolve_path() |
| 56 key = true, certificate = true, cafile = true, capath = true, dhparam = true | 71 key = true, certificate = true, cafile = true, capath = true, dhparam = true |
| 57 } | 72 } |
| 58 | 73 |
| 59 if ssl and not luasec_has_verifyext and ssl.x509 then | 74 if luasec_version < 5 and ssl_x509 then |
| 60 -- COMPAT mw/luasec-hg | 75 -- COMPAT mw/luasec-hg |
| 61 for i=1,#core_defaults.verifyext do -- Remove lsec_ prefix | 76 for i=1,#core_defaults.verifyext do -- Remove lsec_ prefix |
| 62 core_defaults.verify[#core_defaults.verify+1] = core_defaults.verifyext[i]:sub(6); | 77 core_defaults.verify[#core_defaults.verify+1] = core_defaults.verifyext[i]:sub(6); |
| 63 end | 78 end |
| 64 end | 79 end |
| 65 | 80 |
| 66 function create_context(host, mode, ...) | 81 function create_context(host, mode, ...) |
| 67 if not ssl then return nil, "LuaSec (required for encryption) was not found"; end | |
| 68 | |
| 69 local cfg = new_config(); | 82 local cfg = new_config(); |
| 70 cfg:apply(core_defaults); | 83 cfg:apply(core_defaults); |
| 71 cfg:apply(global_ssl_config); | 84 cfg:apply(global_ssl_config); |
| 72 cfg:apply({ | 85 cfg:apply({ |
| 73 mode = mode, | 86 mode = mode, |
| 106 | 119 |
| 107 -- COMPAT Older LuaSec ignores the cipher list from the config, so we have to take care | 120 -- COMPAT Older LuaSec ignores the cipher list from the config, so we have to take care |
| 108 -- of it ourselves (W/A for #x) | 121 -- of it ourselves (W/A for #x) |
| 109 if ctx and user_ssl_config.ciphers then | 122 if ctx and user_ssl_config.ciphers then |
| 110 local success; | 123 local success; |
| 111 success, err = ssl.context.setcipher(ctx, user_ssl_config.ciphers); | 124 success, err = ssl_context.setcipher(ctx, user_ssl_config.ciphers); |
| 112 if not success then ctx = nil; end | 125 if not success then ctx = nil; end |
| 113 end | 126 end |
| 114 | 127 |
| 115 if not ctx then | 128 if not ctx then |
| 116 err = err or "invalid ssl config" | 129 err = err or "invalid ssl config" |
| 141 return ctx, err, user_ssl_config; | 154 return ctx, err, user_ssl_config; |
| 142 end | 155 end |
| 143 | 156 |
| 144 function reload_ssl_config() | 157 function reload_ssl_config() |
| 145 global_ssl_config = configmanager.get("*", "ssl"); | 158 global_ssl_config = configmanager.get("*", "ssl"); |
| 146 if luasec_has_no_compression then | 159 if luasec_has.no_compression then |
| 147 core_defaults.options.no_compression = configmanager.get("*", "ssl_compression") ~= true; | 160 core_defaults.options.no_compression = configmanager.get("*", "ssl_compression") ~= true; |
| 148 end | 161 end |
| 149 end | 162 end |
| 150 | 163 |
| 151 prosody.events.add_handler("config-reloaded", reload_ssl_config); | 164 prosody.events.add_handler("config-reloaded", reload_ssl_config); |
