core/certmanager.lua @ 6564:bcf32653cab7
certmanager: Early return from the entire module if LuaSec is unavailable
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Thu, 05 Feb 2015 15:10:23 +0100 |
parent | 6547:2f65de21ff56 |
child | 6565:ffc0a57889aa |
6563:f0a2bdfd0cea | 6564:bcf32653cab7 |
---|---|
4 -- | 4 -- |
5 -- This project is MIT/X11 licensed. Please see the | 5 -- This project is MIT/X11 licensed. Please see the |
6 -- COPYING file in the source package for more information. | 6 -- COPYING file in the source package for more information. |
7 -- | 7 -- |
8 | 8 |
9 local softreq = require"util.dependencies".softreq; | |
10 local ssl = softreq"ssl"; | |
11 if not ssl then | |
12 return { | |
13 create_context = function () | |
14 return nil, "LuaSec (required for encryption) was not found"; | |
15 end; | |
16 reload_ssl_config = function () end; | |
17 } | |
18 end | |
19 | |
9 local configmanager = require "core.configmanager"; | 20 local configmanager = require "core.configmanager"; |
10 local log = require "util.logger".init("certmanager"); | 21 local log = require "util.logger".init("certmanager"); |
11 local ssl = _G.ssl; | 22 local ssl_newcontext = ssl.newcontext; |
12 local ssl_newcontext = ssl and ssl.newcontext; | |
13 local new_config = require"util.sslconfig".new; | 23 local new_config = require"util.sslconfig".new; |
14 | 24 |
15 local tostring = tostring; | 25 local tostring = tostring; |
16 local pairs = pairs; | 26 local pairs = pairs; |
17 local type = type; | 27 local type = type; |
21 local prosody = prosody; | 31 local prosody = prosody; |
22 local resolve_path = require"util.paths".resolve_relative_path; | 32 local resolve_path = require"util.paths".resolve_relative_path; |
23 local config_path = prosody.paths.config; | 33 local config_path = prosody.paths.config; |
24 | 34 |
25 local luasec_has_noticket, luasec_has_verifyext, luasec_has_no_compression; | 35 local luasec_has_noticket, luasec_has_verifyext, luasec_has_no_compression; |
26 if ssl then | 36 local luasec_major, luasec_minor = ssl._VERSION:match("^(%d+)%.(%d+)"); |
27 local luasec_major, luasec_minor = ssl._VERSION:match("^(%d+)%.(%d+)"); | 37 luasec_has_noticket = tonumber(luasec_major)>0 or tonumber(luasec_minor)>=4; |
28 luasec_has_noticket = tonumber(luasec_major)>0 or tonumber(luasec_minor)>=4; | 38 luasec_has_verifyext = tonumber(luasec_major)>0 or tonumber(luasec_minor)>=5; |
29 luasec_has_verifyext = tonumber(luasec_major)>0 or tonumber(luasec_minor)>=5; | 39 luasec_has_no_compression = tonumber(luasec_major)>0 or tonumber(luasec_minor)>=5; |
30 luasec_has_no_compression = tonumber(luasec_major)>0 or tonumber(luasec_minor)>=5; | |
31 end | |
32 | 40 |
33 module "certmanager" | 41 module "certmanager" |
34 | 42 |
35 -- Global SSL options if not overridden per-host | 43 -- Global SSL options if not overridden per-host |
36 local global_ssl_config = configmanager.get("*", "ssl"); | 44 local global_ssl_config = configmanager.get("*", "ssl"); |
37 | 45 |
38 -- Built-in defaults | 46 -- Built-in defaults |
39 local core_defaults = { | 47 local core_defaults = { |
40 capath = "/etc/ssl/certs"; | 48 capath = "/etc/ssl/certs"; |
41 protocol = "tlsv1+"; | 49 protocol = "tlsv1+"; |
42 verify = (ssl and ssl.x509 and { "peer", "client_once", }) or "none"; | 50 verify = (ssl.x509 and { "peer", "client_once", }) or "none"; |
43 options = { | 51 options = { |
44 cipher_server_preference = true; | 52 cipher_server_preference = true; |
45 no_ticket = luasec_has_noticket; | 53 no_ticket = luasec_has_noticket; |
46 no_compression = luasec_has_no_compression and configmanager.get("*", "ssl_compression") ~= true; | 54 no_compression = luasec_has_no_compression and configmanager.get("*", "ssl_compression") ~= true; |
47 -- Has no_compression? Then it has these too... | 55 -- Has no_compression? Then it has these too... |
54 } | 62 } |
55 local path_options = { -- These we pass through resolve_path() | 63 local path_options = { -- These we pass through resolve_path() |
56 key = true, certificate = true, cafile = true, capath = true, dhparam = true | 64 key = true, certificate = true, cafile = true, capath = true, dhparam = true |
57 } | 65 } |
58 | 66 |
59 if ssl and not luasec_has_verifyext and ssl.x509 then | 67 if not luasec_has_verifyext and ssl.x509 then |
60 -- COMPAT mw/luasec-hg | 68 -- COMPAT mw/luasec-hg |
61 for i=1,#core_defaults.verifyext do -- Remove lsec_ prefix | 69 for i=1,#core_defaults.verifyext do -- Remove lsec_ prefix |
62 core_defaults.verify[#core_defaults.verify+1] = core_defaults.verifyext[i]:sub(6); | 70 core_defaults.verify[#core_defaults.verify+1] = core_defaults.verifyext[i]:sub(6); |
63 end | 71 end |
64 end | 72 end |
65 | 73 |
66 function create_context(host, mode, ...) | 74 function create_context(host, mode, ...) |
67 if not ssl then return nil, "LuaSec (required for encryption) was not found"; end | |
68 | |
69 local cfg = new_config(); | 75 local cfg = new_config(); |
70 cfg:apply(core_defaults); | 76 cfg:apply(core_defaults); |
71 cfg:apply(global_ssl_config); | 77 cfg:apply(global_ssl_config); |
72 cfg:apply({ | 78 cfg:apply({ |
73 mode = mode, | 79 mode = mode, |