core/certmanager.lua @ 5283:a3a4de5104ee
Merge 0.9->trunk
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Fri, 28 Dec 2012 15:14:11 +0100 |
parent | 5282:4cd57cb49f99 |
child | 5287:676a1a032d2f |
5275:03dc0ae27499 | 5283:a3a4de5104ee |
---|---|
15 | 15 |
16 local prosody = prosody; | 16 local prosody = prosody; |
17 local resolve_path = configmanager.resolve_relative_path; | 17 local resolve_path = configmanager.resolve_relative_path; |
18 local config_path = prosody.paths.config; | 18 local config_path = prosody.paths.config; |
19 | 19 |
20 local luasec_has_noticket; | 20 local luasec_has_noticket, luasec_has_verifyext; |
21 if ssl then | 21 if ssl then |
22 local luasec_major, luasec_minor = ssl._VERSION:match("^(%d+)%.(%d+)"); | 22 local luasec_major, luasec_minor = ssl._VERSION:match("^(%d+)%.(%d+)"); |
23 luasec_has_noticket = tonumber(luasec_major)>0 or tonumber(luasec_minor)>=4; | 23 luasec_has_noticket = tonumber(luasec_major)>0 or tonumber(luasec_minor)>=4; |
24 luasec_has_verifyext = tonumber(luasec_major)>0 or tonumber(luasec_minor)>=5; | |
24 end | 25 end |
25 | 26 |
26 module "certmanager" | 27 module "certmanager" |
27 | 28 |
28 -- Global SSL options if not overridden per-host | 29 -- Global SSL options if not overridden per-host |
29 local default_ssl_config = configmanager.get("*", "core", "ssl"); | 30 local default_ssl_config = configmanager.get("*", "core", "ssl"); |
30 local default_capath = "/etc/ssl/certs"; | 31 local default_capath = "/etc/ssl/certs"; |
31 local default_verify = (ssl and ssl.x509 and { "peer", "client_once", "continue", "ignore_purpose" }) or "none"; | 32 local default_verify = (ssl and ssl.x509 and { "peer", "client_once", }) or "none"; |
32 local default_options = { "no_sslv2", luasec_has_noticket and "no_ticket" or nil }; | 33 local default_options = { "no_sslv2", luasec_has_noticket and "no_ticket" or nil }; |
34 local default_verifyext = { "lsec_continue", "lsec_ignore_purpose" }; | |
35 | |
36 if not luasec_has_verifyext and ssl.x509 then | |
37 -- COMPAT mw/luasec-hg | |
38 for i=1,#default_verifyext do -- Remove lsec_ prefix | |
39 default_verify[#default_verify+1] = default_verifyext[i]:sub(6); | |
40 end | |
41 end | |
33 | 42 |
34 function create_context(host, mode, user_ssl_config) | 43 function create_context(host, mode, user_ssl_config) |
35 user_ssl_config = user_ssl_config or default_ssl_config; | 44 user_ssl_config = user_ssl_config or default_ssl_config; |
36 | 45 |
37 if not ssl then return nil, "LuaSec (required for encryption) was not found"; end | 46 if not ssl then return nil, "LuaSec (required for encryption) was not found"; end |
44 password = user_ssl_config.password or function() log("error", "Encrypted certificate for %s requires 'ssl' 'password' to be set in config", host); end; | 53 password = user_ssl_config.password or function() log("error", "Encrypted certificate for %s requires 'ssl' 'password' to be set in config", host); end; |
45 certificate = resolve_path(config_path, user_ssl_config.certificate); | 54 certificate = resolve_path(config_path, user_ssl_config.certificate); |
46 capath = resolve_path(config_path, user_ssl_config.capath or default_capath); | 55 capath = resolve_path(config_path, user_ssl_config.capath or default_capath); |
47 cafile = resolve_path(config_path, user_ssl_config.cafile); | 56 cafile = resolve_path(config_path, user_ssl_config.cafile); |
48 verify = user_ssl_config.verify or default_verify; | 57 verify = user_ssl_config.verify or default_verify; |
58 verifyext = user_ssl_config.verifyext or default_verifyext; | |
49 options = user_ssl_config.options or default_options; | 59 options = user_ssl_config.options or default_options; |
50 depth = user_ssl_config.depth; | 60 depth = user_ssl_config.depth; |
51 }; | 61 }; |
52 | 62 |
53 local ctx, err = ssl_newcontext(ssl_config); | 63 local ctx, err = ssl_newcontext(ssl_config); |