
core/certmanager.lua @ 11709:5810166f35d5

core.certmanager: Support 'use_dane' setting to enable DANE support Removes the need to enable DANE with two separate settings. Previously you had to also set `ssl = { dane = true }` to activate DANE support in LuaSec and OpenSSL.
author Kim Alvefur <zash@zash.se>
date Sun, 18 Jul 2021 22:46:57 +0200
parent 11591:e7a964572f6b
child 12096:dfb29b5b0a57
11708:5ef729c355f3 11709:5810166f35d5
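--- a/core/certmanager.lua
+++ b/core/certmanager.lua
@@ -242,9 +242,10 @@
 "!PSK", -- Pre-Shared Key - not used for XMPP
 "!SRP", -- Secure Remote Password - not used for XMPP
 "!3DES", -- 3DES - slow and of questionable security
 "!aNULL", -- Ciphers that does not authenticate the connection
 };
+dane = configmanager.get("*", "use_dane");
 }
 
 if luasec_has.curves then
 for i = #core_defaults.curveslist, 1, -1 do
 if not luasec_has.curves[ core_defaults.curveslist[i] ] then
@@ -358,10 +359,11 @@
 global_ssl_config = configmanager.get("*", "ssl");
 global_certificates = configmanager.get("*", "certificates") or "certs";
 if luasec_has.options.no_compression then
 core_defaults.options.no_compression = configmanager.get("*", "ssl_compression") ~= true;
 end
+core_defaults.dane = configmanager.get("*", "use_dane") or false;
 cert_index = index_certs(resolve_path(config_path, global_certificates));
 end
 
 prosody.events.add_handler("config-reloaded", reload_ssl_config);
 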
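Review bot: The new `core_defaults.dane` assignment in the reload path (new line 364) and the `dane = …` field in the defaults table (new line 247) are not gated on a LuaSec capability check, unlike the `luasec_has.curves` and `luasec_has.options.no_compression` guards beside them. If the installed LuaSec or OpenSSL build lacks DANE, an operator who sets `use_dane = true` may get a context-creation error or a silently ignored option, and in the second case would believe TLSA verification is active when it is not; which of the two happens cannot be told from these lines. Consider `core_defaults.dane = luasec_has.capabilities and luasec_has.capabilities.dane and configmanager.get("*", "use_dane") or false;` (assuming LuaSec reports DANE under `capabilities`, to be confirmed), plus a logged warning when the setting is requested but unsupported. The table initializer also omits the `or false` that the reload path applies, so an unset option yields nil on first load and false after a reload. The function containing line 364 begins outside the visible lines.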