
core/certmanager.lua @ 5822:970c666c5586

certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
author Kim Alvefur <zash@zash.se>
date Tue, 03 Sep 2013 15:43:59 +0200
parent 5821:7974683a9bb7
child 5872:1c3ebd3009fe
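--- a/core/certmanager.lua
+++ b/core/certmanager.lua
@@ -11,10 +11,12 @@
 local ssl = ssl;
 local ssl_newcontext = ssl and ssl.newcontext;
 
 local tostring = tostring;
 local pairs = pairs;
+local type = type;
+local io_open = io.open;
 
 local prosody = prosody;
 local resolve_path = configmanager.resolve_relative_path;
 local config_path = prosody.paths.config;
 
@@ -39,11 +41,11 @@
 verifyext = { "lsec_continue", "lsec_ignore_purpose" };
 curve = "secp384r1";
 ciphers = "HIGH:!DSS:!aNULL@STRENGTH";
 }
 local path_options = { -- These we pass through resolve_path()
-key = true, certificate = true, cafile = true, capath = true
+key = true, certificate = true, cafile = true, capath = true, dhparam = true
 }
 
 if ssl and not luasec_has_verifyext and ssl.x509 then
 -- COMPAT mw/luasec-hg
 for i=1,#core_defaults.verifyext do -- Remove lsec_ prefix
@@ -73,15 +75,28 @@
 user_ssl_config[option] = default_value;
 end
 end
 user_ssl_config.password = user_ssl_config.password or function() log("error", "Encrypted certificate for %s requires 'ssl' 'password' to be set in config", host); end;
 for option in pairs(path_options) do
-user_ssl_config[option] = user_ssl_config[option] and resolve_path(config_path, user_ssl_config[option]);
+if type(user_ssl_config[option]) == "string" then
+user_ssl_config[option] = resolve_path(config_path, user_ssl_config[option]);
+end
 end
 
 if not user_ssl_config.key then return nil, "No key present in SSL/TLS configuration for "..host; end
 if not user_ssl_config.certificate then return nil, "No certificate present in SSL/TLS configuration for "..host; end
+
+-- LuaSec expects dhparam to be a callback that takes two arguments.
+-- We ignore those because it is mostly used for having a separate
+-- set of params for EXPORT ciphers, which we don't have by default.
+if type(user_ssl_config.dhparam) == "string" then
+local f, err = io_open(user_ssl_config.dhparam);
+if not f then return nil, "Could not open DH parameters: "..err end
+local dhparam = f:read("*a");
+f:close();
+user_ssl_config.dhparam = function() return dhparam; end
+end
 
 local ctx, err = ssl_newcontext(user_ssl_config);
 
 -- COMPAT Older LuaSec ignores the cipher list from the config, so we have to take care
 -- of it ourselves (W/A for #x)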
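Review bot: The result of `f:read("*a")` in the new dhparam branch is never checked, so a path that opens but cannot be read (read returns nil plus an error) or an empty file yields a callback that hands nil or "" to LuaSec, and the failure only shows up at handshake time rather than at context creation like the io_open failure one line above. Capturing the read error and rejecting an empty result keeps both failure modes consistent: `local dhparam, read_err = f:read("*a");` and then, after `f:close();`, `if not dhparam or dhparam == "" then return nil, "Could not read DH parameters: "..tostring(read_err) end`. It would also help to extend the comment above the branch with a note that the same parameters are returned regardless of the two arguments LuaSec passes, since that is the intended behaviour here and the callback signature is otherwise invisible at the call site. The enclosing function starts and ends outside this section.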