prosody
851fb5e9fa0c
core/certmanager.lua
Software / code / prosody
Comparison
core/certmanager.lua @ 6293:851fb5e9fa0c
core.certmanager: Use util.sslconfig
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Thu, 03 Jul 2014 15:31:12 +0200 |
| parent | 6165:6a184b16b717 |
| child | 6294:0033b021038f |
comparison
equal
deleted
inserted
replaced
| 6292:751618071e89 | 6293:851fb5e9fa0c |
|---|---|
| 8 | 8 |
| 9 local configmanager = require "core.configmanager"; | 9 local configmanager = require "core.configmanager"; |
| 10 local log = require "util.logger".init("certmanager"); | 10 local log = require "util.logger".init("certmanager"); |
| 11 local ssl = ssl; | 11 local ssl = ssl; |
| 12 local ssl_newcontext = ssl and ssl.newcontext; | 12 local ssl_newcontext = ssl and ssl.newcontext; |
| 13 local new_config = require"util.sslconfig".new; | |
| 13 | 14 |
| 14 local tostring = tostring; | 15 local tostring = tostring; |
| 15 local pairs = pairs; | 16 local pairs = pairs; |
| 16 local type = type; | 17 local type = type; |
| 17 local io_open = io.open; | 18 local io_open = io.open; |
| 18 local t_concat = table.concat; | |
| 19 local t_insert = table.insert; | |
| 20 | 19 |
| 21 local prosody = prosody; | 20 local prosody = prosody; |
| 22 local resolve_path = require"util.paths".resolve_relative_path; | 21 local resolve_path = require"util.paths".resolve_relative_path; |
| 23 local config_path = prosody.paths.config; | 22 local config_path = prosody.paths.config; |
| 24 | 23 |
| 53 ciphers = "HIGH+kEDH:HIGH+kEECDH:HIGH:!PSK:!SRP:!3DES:!aNULL"; | 52 ciphers = "HIGH+kEDH:HIGH+kEECDH:HIGH:!PSK:!SRP:!3DES:!aNULL"; |
| 54 } | 53 } |
| 55 local path_options = { -- These we pass through resolve_path() | 54 local path_options = { -- These we pass through resolve_path() |
| 56 key = true, certificate = true, cafile = true, capath = true, dhparam = true | 55 key = true, certificate = true, cafile = true, capath = true, dhparam = true |
| 57 } | 56 } |
| 58 local set_options = { | |
| 59 options = true, verify = true, verifyext = true | |
| 60 } | |
| 61 | 57 |
| 62 if ssl and not luasec_has_verifyext and ssl.x509 then | 58 if ssl and not luasec_has_verifyext and ssl.x509 then |
| 63 -- COMPAT mw/luasec-hg | 59 -- COMPAT mw/luasec-hg |
| 64 for i=1,#core_defaults.verifyext do -- Remove lsec_ prefix | 60 for i=1,#core_defaults.verifyext do -- Remove lsec_ prefix |
| 65 core_defaults.verify[#core_defaults.verify+1] = core_defaults.verifyext[i]:sub(6); | 61 core_defaults.verify[#core_defaults.verify+1] = core_defaults.verifyext[i]:sub(6); |
| 66 end | 62 end |
| 67 end | 63 end |
| 68 | 64 |
| 69 local function merge_set(t, o) | |
| 70 if type(t) ~= "table" then t = { t } end | |
| 71 for k,v in pairs(t) do | |
| 72 if v == true or v == false then | |
| 73 o[k] = v; | |
| 74 else | |
| 75 o[v] = true; | |
| 76 end | |
| 77 end | |
| 78 return o; | |
| 79 end | |
| 80 | |
| 81 local protocols = { "sslv2", "sslv3", "tlsv1", "tlsv1_1", "tlsv1_2" }; | |
| 82 for i = 1, #protocols do protocols[protocols[i] .. "+"] = i - 1; end | |
| 83 | |
| 84 function create_context(host, mode, user_ssl_config) | 65 function create_context(host, mode, user_ssl_config) |
| 85 user_ssl_config = user_ssl_config or {} | |
| 86 user_ssl_config.mode = mode; | |
| 87 | |
| 88 if not ssl then return nil, "LuaSec (required for encryption) was not found"; end | 66 if not ssl then return nil, "LuaSec (required for encryption) was not found"; end |
| 89 | 67 |
| 90 if global_ssl_config then | 68 local cfg = new_config(); |
| 91 for option,default_value in pairs(global_ssl_config) do | 69 cfg:apply(core_defaults); |
| 92 if user_ssl_config[option] == nil then | 70 cfg:apply(global_ssl_config); |
| 93 user_ssl_config[option] = default_value; | 71 cfg:apply({ |
| 94 end | 72 mode = mode, |
| 95 end | 73 -- We can't read the password interactively when daemonized |
| 74 password = function() log("error", "Encrypted certificate for %s requires 'ssl' 'password' to be set in config", host); end; | |
| 75 }); | |
| 76 cfg:apply(user_ssl_config); | |
| 77 | |
| 78 user_ssl_config = cfg:final(); | |
| 79 | |
| 80 if mode == "server" then | |
| 81 if not user_ssl_config.key then return nil, "No key present in SSL/TLS configuration for "..host; end | |
| 82 if not user_ssl_config.certificate then return nil, "No certificate present in SSL/TLS configuration for "..host; end | |
| 96 end | 83 end |
| 97 | |
| 98 for option,default_value in pairs(core_defaults) do | |
| 99 if user_ssl_config[option] == nil then | |
| 100 user_ssl_config[option] = default_value; | |
| 101 end | |
| 102 end | |
| 103 | |
| 104 for option in pairs(set_options) do | |
| 105 local merged = {}; | |
| 106 merge_set(core_defaults[option], merged); | |
| 107 if global_ssl_config then | |
| 108 merge_set(global_ssl_config[option], merged); | |
| 109 end | |
| 110 merge_set(user_ssl_config[option], merged); | |
| 111 local final_array = {}; | |
| 112 for opt, enable in pairs(merged) do | |
| 113 if enable then | |
| 114 final_array[#final_array+1] = opt; | |
| 115 end | |
| 116 end | |
| 117 user_ssl_config[option] = final_array; | |
| 118 end | |
| 119 | |
| 120 local min_protocol = protocols[user_ssl_config.protocol]; | |
| 121 if min_protocol then | |
| 122 user_ssl_config.protocol = "sslv23"; | |
| 123 for i = 1, min_protocol do | |
| 124 t_insert(user_ssl_config.options, "no_"..protocols[i]); | |
| 125 end | |
| 126 end | |
| 127 | |
| 128 -- We can't read the password interactively when daemonized | |
| 129 user_ssl_config.password = user_ssl_config.password or | |
| 130 function() log("error", "Encrypted certificate for %s requires 'ssl' 'password' to be set in config", host); end; | |
| 131 | 84 |
| 132 for option in pairs(path_options) do | 85 for option in pairs(path_options) do |
| 133 if type(user_ssl_config[option]) == "string" then | 86 if type(user_ssl_config[option]) == "string" then |
| 134 user_ssl_config[option] = resolve_path(config_path, user_ssl_config[option]); | 87 user_ssl_config[option] = resolve_path(config_path, user_ssl_config[option]); |
| 135 end | 88 end |
| 136 end | |
| 137 | |
| 138 -- Allow the cipher list to be a table | |
| 139 if type(user_ssl_config.ciphers) == "table" then | |
| 140 user_ssl_config.ciphers = t_concat(user_ssl_config.ciphers, ":") | |
| 141 end | |
| 142 | |
| 143 if mode == "server" then | |
| 144 if not user_ssl_config.key then return nil, "No key present in SSL/TLS configuration for "..host; end | |
| 145 if not user_ssl_config.certificate then return nil, "No certificate present in SSL/TLS configuration for "..host; end | |
| 146 end | 89 end |
| 147 | 90 |
| 148 -- LuaSec expects dhparam to be a callback that takes two arguments. | 91 -- LuaSec expects dhparam to be a callback that takes two arguments. |
| 149 -- We ignore those because it is mostly used for having a separate | 92 -- We ignore those because it is mostly used for having a separate |
| 150 -- set of params for EXPORT ciphers, which we don't have by default. | 93 -- set of params for EXPORT ciphers, which we don't have by default. |
