
core/certmanager.lua @ 6077:6999d4415a58

certmanager: Merge ssl.options, verify, etc. from core defaults and global ssl settings with inheritance, while allowing options to be disabled per virtualhost
author Kim Alvefur <zash@zash.se>
date Tue, 15 Apr 2014 00:32:11 +0200
parent 6076:e0713386319a
child 6078:30ac122acdd3
44 ciphers = "HIGH+kEDH:HIGH+kEECDH:HIGH:!PSK:!SRP:!3DES:!aNULL"; 44 ciphers = "HIGH+kEDH:HIGH+kEECDH:HIGH:!PSK:!SRP:!3DES:!aNULL";
45 } 45 }
46 local path_options = { -- These we pass through resolve_path() 46 local path_options = { -- These we pass through resolve_path()
47 key = true, certificate = true, cafile = true, capath = true, dhparam = true 47 key = true, certificate = true, cafile = true, capath = true, dhparam = true
48 } 48 }
49 local set_options = {
50 options = true, verify = true, verifyext = true
51 }
49 52
50 if ssl and not luasec_has_verifyext and ssl.x509 then 53 if ssl and not luasec_has_verifyext and ssl.x509 then
51 -- COMPAT mw/luasec-hg 54 -- COMPAT mw/luasec-hg
52 for i=1,#core_defaults.verifyext do -- Remove lsec_ prefix 55 for i=1,#core_defaults.verifyext do -- Remove lsec_ prefix
53 core_defaults.verify[#core_defaults.verify+1] = core_defaults.verifyext[i]:sub(6); 56 core_defaults.verify[#core_defaults.verify+1] = core_defaults.verifyext[i]:sub(6);
58 core_defaults.options[#core_defaults.options+1] = "single_dh_use"; 61 core_defaults.options[#core_defaults.options+1] = "single_dh_use";
59 core_defaults.options[#core_defaults.options+1] = "single_ecdh_use"; 62 core_defaults.options[#core_defaults.options+1] = "single_ecdh_use";
60 if configmanager.get("*", "ssl_compression") ~= true then 63 if configmanager.get("*", "ssl_compression") ~= true then
61 core_defaults.options[#core_defaults.options+1] = "no_compression"; 64 core_defaults.options[#core_defaults.options+1] = "no_compression";
62 end 65 end
66 end
67
68 local function merge_set(t, o)
69 if type(t) ~= "table" then t = { t } end
70 for k,v in pairs(t) do
71 if v == true or v == false then
72 o[k] = v;
73 else
74 o[v] = true;
75 end
76 end
77 return o;
63 end 78 end
64 79
65 function create_context(host, mode, user_ssl_config) 80 function create_context(host, mode, user_ssl_config)
66 user_ssl_config = user_ssl_config or {} 81 user_ssl_config = user_ssl_config or {}
67 user_ssl_config.mode = mode; 82 user_ssl_config.mode = mode;
78 93
79 for option,default_value in pairs(core_defaults) do 94 for option,default_value in pairs(core_defaults) do
80 if user_ssl_config[option] == nil then 95 if user_ssl_config[option] == nil then
81 user_ssl_config[option] = default_value; 96 user_ssl_config[option] = default_value;
82 end 97 end
98 end
99
100 for option in pairs(set_options) do
101 local merged = {};
102 merge_set(core_defaults[option], merged);
103 merge_set(global_ssl_config[option], merged);
104 merge_set(user_ssl_config[option], merged);
105 local final_array = {};
106 for opt, enable in pairs(merged) do
107 if enable then
108 final_array[#final_array+1] = opt;
109 end
110 end
111 user_ssl_config[option] = final_array;
83 end 112 end
84 113
85 -- We can't read the password interactively when daemonized 114 -- We can't read the password interactively when daemonized
86 user_ssl_config.password = user_ssl_config.password or 115 user_ssl_config.password = user_ssl_config.password or
87 function() log("error", "Encrypted certificate for %s requires 'ssl' 'password' to be set in config", host); end; 116 function() log("error", "Encrypted certificate for %s requires 'ssl' 'password' to be set in config", host); end;
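Review bot: `merge_set(global_ssl_config[option], merged);` in the new set_options loop indexes global_ssl_config with no nil guard; its definition is outside this view, so if it can be nil when the config has no global `ssl` section, every create_context() call will raise at that line instead of falling back to the core defaults. A one-line guard keeps the merge tolerant, `merge_set(global_ssl_config and global_ssl_config[option], merged);`, since merge_set already accepts a nil first argument (it becomes `{ nil }`, which pairs() treats as empty). In merge_set, `if v == true or v == false then` reads more clearly as `if type(v) == "boolean" then`, and the function deserves a doc line such as `-- Merge a list of names or a {name=bool} set into o; a bare string counts as a one-element list`. Because final_array is built from pairs(merged), its element order is unspecified; harmless for a set of LuaSec flags, but worth a comment so nothing downstream relies on it. create_context continues past the end of this section.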