prosody
83d6d6a70edf
net/http.lua
Software / code / prosody
Comparison
net/http.lua @ 11749:83d6d6a70edf
net.http: fail open if surrounding code does not configure TLS
Previously, if surrounding code was not configuring the TLS context
used default in net.http, it would not validate certificates at all.
This is not a security issue with prosody, because prosody updates the
context with `verify = "peer"` as well as paths to CA certificates in
util.startup.init_http_client.
Nevertheless... Let's not leave this pitfall out there in the open.
| author | Jonas Schäfer <jonas@wielicki.name> |
|---|---|
| date | Sun, 29 Aug 2021 15:04:47 +0200 |
| parent | 11661:735b8f4a6d7e |
| child | 12273:c0f49a4026f8 |
comparison
equal
deleted
inserted
replaced
| 11747:9f723b54e111 | 11749:83d6d6a70edf |
|---|---|
| 330 }; | 330 }; |
| 331 return http; | 331 return http; |
| 332 end | 332 end |
| 333 | 333 |
| 334 local default_http = new({ | 334 local default_http = new({ |
| 335 sslctx = { mode = "client", protocol = "sslv23", options = { "no_sslv2", "no_sslv3" }, alpn = "http/1.1" }; | 335 sslctx = { mode = "client", protocol = "sslv23", options = { "no_sslv2", "no_sslv3" }, alpn = "http/1.1", verify = "peer" }; |
| 336 suppress_errors = true; | 336 suppress_errors = true; |
| 337 }); | 337 }); |
| 338 | 338 |
| 339 return { | 339 return { |
| 340 request = function (u, ex, callback) | 340 request = function (u, ex, callback) |
