prosody
749376d75b40
core/certmanager.lua
Software / code / prosody
Comparison
core/certmanager.lua @ 13115:749376d75b40
net.certmanager: Move LuaSec feature detection to net.tls_luasec
Further isolates LuaSec from Prosody core, with the ultimate goal of
allowing LuaSec to be replaced more easily.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sat, 27 May 2023 15:39:26 +0200 |
| parent | 12972:ead41e25ebc0 |
| child | 13116:58e793288d9c |
comparison
equal
deleted
inserted
replaced
| 13114:025c38ee885d | 13115:749376d75b40 |
|---|---|
| 7 -- | 7 -- |
| 8 | 8 |
| 9 local ssl = require "ssl"; | 9 local ssl = require "ssl"; |
| 10 local configmanager = require "prosody.core.configmanager"; | 10 local configmanager = require "prosody.core.configmanager"; |
| 11 local log = require "prosody.util.logger".init("certmanager"); | 11 local log = require "prosody.util.logger".init("certmanager"); |
| 12 local ssl_newcontext = ssl.newcontext; | |
| 13 local new_config = require"prosody.net.server".tls_builder; | 12 local new_config = require"prosody.net.server".tls_builder; |
| 13 local tls = require "prosody.net.tls_luasec"; | |
| 14 local stat = require "lfs".attributes; | 14 local stat = require "lfs".attributes; |
| 15 | 15 |
| 16 local x509 = require "prosody.util.x509"; | 16 local x509 = require "prosody.util.x509"; |
| 17 local lfs = require "lfs"; | 17 local lfs = require "lfs"; |
| 18 | 18 |
| 28 | 28 |
| 29 local prosody = prosody; | 29 local prosody = prosody; |
| 30 local pathutil = require"prosody.util.paths"; | 30 local pathutil = require"prosody.util.paths"; |
| 31 local resolve_path = pathutil.resolve_relative_path; | 31 local resolve_path = pathutil.resolve_relative_path; |
| 32 local config_path = prosody.paths.config or "."; | 32 local config_path = prosody.paths.config or "."; |
| 33 | |
| 34 local function test_option(option) | |
| 35 return not not ssl_newcontext({mode="server",protocol="sslv23",options={ option }}); | |
| 36 end | |
| 37 | |
| 38 local luasec_major, luasec_minor = ssl._VERSION:match("^(%d+)%.(%d+)"); | |
| 39 local luasec_version = tonumber(luasec_major) * 100 + tonumber(luasec_minor); | |
| 40 local luasec_has = ssl.config or { | |
| 41 algorithms = { | |
| 42 ec = luasec_version >= 5; | |
| 43 }; | |
| 44 capabilities = { | |
| 45 curves_list = luasec_version >= 7; | |
| 46 }; | |
| 47 options = { | |
| 48 cipher_server_preference = test_option("cipher_server_preference"); | |
| 49 no_ticket = test_option("no_ticket"); | |
| 50 no_compression = test_option("no_compression"); | |
| 51 single_dh_use = test_option("single_dh_use"); | |
| 52 single_ecdh_use = test_option("single_ecdh_use"); | |
| 53 no_renegotiation = test_option("no_renegotiation"); | |
| 54 }; | |
| 55 }; | |
| 56 | 33 |
| 57 local _ENV = nil; | 34 local _ENV = nil; |
| 58 -- luacheck: std none | 35 -- luacheck: std none |
| 59 | 36 |
| 60 -- Global SSL options if not overridden per-host | 37 -- Global SSL options if not overridden per-host |
| 204 capath = "/etc/ssl/certs"; | 181 capath = "/etc/ssl/certs"; |
| 205 depth = 9; | 182 depth = 9; |
| 206 protocol = "tlsv1+"; | 183 protocol = "tlsv1+"; |
| 207 verify = "none"; | 184 verify = "none"; |
| 208 options = { | 185 options = { |
| 209 cipher_server_preference = luasec_has.options.cipher_server_preference; | 186 cipher_server_preference = tls.features.options.cipher_server_preference; |
| 210 no_ticket = luasec_has.options.no_ticket; | 187 no_ticket = tls.features.options.no_ticket; |
| 211 no_compression = luasec_has.options.no_compression and configmanager.get("*", "ssl_compression") ~= true; | 188 no_compression = tls.features.options.no_compression and configmanager.get("*", "ssl_compression") ~= true; |
| 212 single_dh_use = luasec_has.options.single_dh_use; | 189 single_dh_use = tls.features.options.single_dh_use; |
| 213 single_ecdh_use = luasec_has.options.single_ecdh_use; | 190 single_ecdh_use = tls.features.options.single_ecdh_use; |
| 214 no_renegotiation = luasec_has.options.no_renegotiation; | 191 no_renegotiation = tls.features.options.no_renegotiation; |
| 215 }; | 192 }; |
| 216 verifyext = { | 193 verifyext = { |
| 217 "lsec_continue", -- Continue past certificate verification errors | 194 "lsec_continue", -- Continue past certificate verification errors |
| 218 "lsec_ignore_purpose", -- Validate client certificates as if they were server certificates | 195 "lsec_ignore_purpose", -- Validate client certificates as if they were server certificates |
| 219 }; | 196 }; |
| 220 curve = luasec_has.algorithms.ec and not luasec_has.capabilities.curves_list and "secp384r1"; | 197 curve = tls.features.algorithms.ec and not tls.features.capabilities.curves_list and "secp384r1"; |
| 221 curveslist = { | 198 curveslist = { |
| 222 "X25519", | 199 "X25519", |
| 223 "P-384", | 200 "P-384", |
| 224 "P-256", | 201 "P-256", |
| 225 "P-521", | 202 "P-521", |
| 232 "!PSK", -- Pre-Shared Key - not used for XMPP | 209 "!PSK", -- Pre-Shared Key - not used for XMPP |
| 233 "!SRP", -- Secure Remote Password - not used for XMPP | 210 "!SRP", -- Secure Remote Password - not used for XMPP |
| 234 "!3DES", -- 3DES - slow and of questionable security | 211 "!3DES", -- 3DES - slow and of questionable security |
| 235 "!aNULL", -- Ciphers that does not authenticate the connection | 212 "!aNULL", -- Ciphers that does not authenticate the connection |
| 236 }; | 213 }; |
| 237 dane = luasec_has.capabilities.dane and configmanager.get("*", "use_dane") and { "no_ee_namechecks" }; | 214 dane = tls.features.capabilities.dane and configmanager.get("*", "use_dane") and { "no_ee_namechecks" }; |
| 238 } | 215 } |
| 239 | 216 |
| 240 local mozilla_ssl_configs = { | 217 local mozilla_ssl_configs = { |
| 241 -- https://wiki.mozilla.org/Security/Server_Side_TLS | 218 -- https://wiki.mozilla.org/Security/Server_Side_TLS |
| 242 -- Version 5.6 as of 2021-12-26 | 219 -- Version 5.6 as of 2021-12-26 |
| 300 ciphersuites = { "TLS_AES_128_GCM_SHA256"; "TLS_AES_256_GCM_SHA384"; "TLS_CHACHA20_POLY1305_SHA256" }; | 277 ciphersuites = { "TLS_AES_128_GCM_SHA256"; "TLS_AES_256_GCM_SHA384"; "TLS_CHACHA20_POLY1305_SHA256" }; |
| 301 }; | 278 }; |
| 302 }; | 279 }; |
| 303 | 280 |
| 304 | 281 |
| 305 if luasec_has.curves then | 282 if tls.features.curves then |
| 306 for i = #core_defaults.curveslist, 1, -1 do | 283 for i = #core_defaults.curveslist, 1, -1 do |
| 307 if not luasec_has.curves[ core_defaults.curveslist[i] ] then | 284 if not tls.features.curves[ core_defaults.curveslist[i] ] then |
| 308 t_remove(core_defaults.curveslist, i); | 285 t_remove(core_defaults.curveslist, i); |
| 309 end | 286 end |
| 310 end | 287 end |
| 311 else | 288 else |
| 312 core_defaults.curveslist = nil; | 289 core_defaults.curveslist = nil; |
| 384 end | 361 end |
| 385 | 362 |
| 386 local function reload_ssl_config() | 363 local function reload_ssl_config() |
| 387 global_ssl_config = configmanager.get("*", "ssl"); | 364 global_ssl_config = configmanager.get("*", "ssl"); |
| 388 global_certificates = configmanager.get("*", "certificates") or "certs"; | 365 global_certificates = configmanager.get("*", "certificates") or "certs"; |
| 389 if luasec_has.options.no_compression then | 366 if tls.features.options.no_compression then |
| 390 core_defaults.options.no_compression = configmanager.get("*", "ssl_compression") ~= true; | 367 core_defaults.options.no_compression = configmanager.get("*", "ssl_compression") ~= true; |
| 391 end | 368 end |
| 392 core_defaults.dane = configmanager.get("*", "use_dane") or false; | 369 core_defaults.dane = configmanager.get("*", "use_dane") or false; |
| 393 cert_index = index_certs(resolve_path(config_path, global_certificates)); | 370 cert_index = index_certs(resolve_path(config_path, global_certificates)); |
| 394 end | 371 end |
