prosody
5cffee5b2826
core/certmanager.lua
Software / code / prosody
Comparison
core/certmanager.lua @ 6079:5cffee5b2826
certmanager: Reformat core ssl defaults
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Tue, 15 Apr 2014 00:49:17 +0200 |
| parent | 6078:30ac122acdd3 |
| child | 6080:b7d1607df87d |
comparison
equal
deleted
inserted
replaced
| 6078:30ac122acdd3 | 6079:5cffee5b2826 |
|---|---|
| 32 module "certmanager" | 32 module "certmanager" |
| 33 | 33 |
| 34 -- Global SSL options if not overridden per-host | 34 -- Global SSL options if not overridden per-host |
| 35 local global_ssl_config = configmanager.get("*", "ssl"); | 35 local global_ssl_config = configmanager.get("*", "ssl"); |
| 36 | 36 |
| 37 -- Built-in defaults | |
| 37 local core_defaults = { | 38 local core_defaults = { |
| 38 capath = "/etc/ssl/certs"; | 39 capath = "/etc/ssl/certs"; |
| 39 protocol = "tlsv1+"; | 40 protocol = "tlsv1+"; |
| 40 verify = (ssl and ssl.x509 and { "peer", "client_once", }) or "none"; | 41 verify = (ssl and ssl.x509 and { "peer", "client_once", }) or "none"; |
| 41 options = { "cipher_server_preference", luasec_has_noticket and "no_ticket" or nil }; | 42 options = { |
| 43 cipher_server_preference = true; | |
| 44 no_ticket = luasec_has_noticket; | |
| 45 no_compression = luasec_has_no_compression and configmanager.get("*", "ssl_compression") ~= true; | |
| 46 -- Has no_compression? Then it has these too... | |
| 47 single_dh_use = luasec_has_no_compression; | |
| 48 single_ecdh_use = luasec_has_no_compression; | |
| 49 }; | |
| 42 verifyext = { "lsec_continue", "lsec_ignore_purpose" }; | 50 verifyext = { "lsec_continue", "lsec_ignore_purpose" }; |
| 43 curve = "secp384r1"; | 51 curve = "secp384r1"; |
| 44 ciphers = "HIGH+kEDH:HIGH+kEECDH:HIGH:!PSK:!SRP:!3DES:!aNULL"; | 52 ciphers = "HIGH+kEDH:HIGH+kEECDH:HIGH:!PSK:!SRP:!3DES:!aNULL"; |
| 45 } | 53 } |
| 46 local path_options = { -- These we pass through resolve_path() | 54 local path_options = { -- These we pass through resolve_path() |
| 52 | 60 |
| 53 if ssl and not luasec_has_verifyext and ssl.x509 then | 61 if ssl and not luasec_has_verifyext and ssl.x509 then |
| 54 -- COMPAT mw/luasec-hg | 62 -- COMPAT mw/luasec-hg |
| 55 for i=1,#core_defaults.verifyext do -- Remove lsec_ prefix | 63 for i=1,#core_defaults.verifyext do -- Remove lsec_ prefix |
| 56 core_defaults.verify[#core_defaults.verify+1] = core_defaults.verifyext[i]:sub(6); | 64 core_defaults.verify[#core_defaults.verify+1] = core_defaults.verifyext[i]:sub(6); |
| 57 end | |
| 58 end | |
| 59 | |
| 60 if luasec_has_no_compression then -- Has no_compression? Then it has these too... | |
| 61 core_defaults.options[#core_defaults.options+1] = "single_dh_use"; | |
| 62 core_defaults.options[#core_defaults.options+1] = "single_ecdh_use"; | |
| 63 if configmanager.get("*", "ssl_compression") ~= true then | |
| 64 core_defaults.options[#core_defaults.options+1] = "no_compression"; | |
| 65 end | 65 end |
| 66 end | 66 end |
| 67 | 67 |
| 68 local function merge_set(t, o) | 68 local function merge_set(t, o) |
| 69 if type(t) ~= "table" then t = { t } end | 69 if type(t) ~= "table" then t = { t } end |
