
core/certmanager.lua @ 5283:a3a4de5104ee

Merge 0.9->trunk
author Kim Alvefur <zash@zash.se>
date Fri, 28 Dec 2012 15:14:11 +0100
parent 5282:4cd57cb49f99
child 5287:676a1a032d2f
5275:03dc0ae27499 5283:a3a4de5104ee
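--- a/core/certmanager.lua
+++ b/core/certmanager.lua
@@ -15,23 +15,32 @@
 
 local prosody = prosody;
 local resolve_path = configmanager.resolve_relative_path;
 local config_path = prosody.paths.config;
 
-local luasec_has_noticket;
+local luasec_has_noticket, luasec_has_verifyext;
 if ssl then
 local luasec_major, luasec_minor = ssl._VERSION:match("^(%d+)%.(%d+)");
 luasec_has_noticket = tonumber(luasec_major)>0 or tonumber(luasec_minor)>=4;
+luasec_has_verifyext = tonumber(luasec_major)>0 or tonumber(luasec_minor)>=5;
 end
 
 module "certmanager"
 
 -- Global SSL options if not overridden per-host
 local default_ssl_config = configmanager.get("*", "core", "ssl");
 local default_capath = "/etc/ssl/certs";
-local default_verify = (ssl and ssl.x509 and { "peer", "client_once", "continue", "ignore_purpose" }) or "none";
+local default_verify = (ssl and ssl.x509 and { "peer", "client_once", }) or "none";
 local default_options = { "no_sslv2", luasec_has_noticket and "no_ticket" or nil };
+local default_verifyext = { "lsec_continue", "lsec_ignore_purpose" };
+
+if not luasec_has_verifyext and ssl.x509 then
+-- COMPAT mw/luasec-hg
+for i=1,#default_verifyext do -- Remove lsec_ prefix
+default_verify[#default_verify+1] = default_verifyext[i]:sub(6);
+end
+end
 
 function create_context(host, mode, user_ssl_config)
 user_ssl_config = user_ssl_config or default_ssl_config;
 
 if not ssl then return nil, "LuaSec (required for encryption) was not found"; end
@@ -44,10 +53,11 @@ function create_context(host, mode, user_ssl_config)
 password = user_ssl_config.password or function() log("error", "Encrypted certificate for %s requires 'ssl' 'password' to be set in config", host); end;
 certificate = resolve_path(config_path, user_ssl_config.certificate);
 capath = resolve_path(config_path, user_ssl_config.capath or default_capath);
 cafile = resolve_path(config_path, user_ssl_config.cafile);
 verify = user_ssl_config.verify or default_verify;
+verifyext = user_ssl_config.verifyext or default_verifyext;
 options = user_ssl_config.options or default_options;
 depth = user_ssl_config.depth;
 };
 
 local ctx, err = ssl_newcontext(ssl_config);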
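Review bot: The new module-level compat guard `if not luasec_has_verifyext and ssl.x509 then` (new line 36, first hunk) indexes `ssl` before checking that it exists: when LuaSec is not installed, `luasec_has_verifyext` stays nil, the left operand is true, and `ssl.x509` raises an index error while the module is loading, whereas everything else in this file treats a missing `ssl` as a soft failure (`default_verify` is guarded by `ssl and ssl.x509`, and create_context returns `nil, "LuaSec (required for encryption) was not found"`). Reordering the condition to `if ssl and ssl.x509 and not luasec_has_verifyext then` keeps the short-circuit consistent with the line above it. A one-line comment on `default_verifyext` stating that the `lsec_` names are the LuaSec >= 0.5 spellings of the old `continue`/`ignore_purpose` verify flags, which the loop below strips with `:sub(6)` for older builds, would make the version split easier to follow. The body of `create_context` in the second hunk continues past the end of this section.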