prosody
e39edc6d1523
core/certmanager.lua

Find changesets by keywords by author, files, the commit message, revision number or hash, or revset expression.

Software / code / prosody

Comparison

core/certmanager.lua @ 8406:e39edc6d1523

Merge 0.10->trunk
author Kim Alvefur <zash@zash.se>
date Mon, 20 Nov 2017 02:22:09 +0100
parent 8405:a3cf899fd61b
child 8494:4f75f4da6d4e
comparison
equal deleted inserted replaced
8402:469afa02947b 8406:e39edc6d1523
25 local new_config = require"util.sslconfig".new; 25 local new_config = require"util.sslconfig".new;
26 local stat = require "lfs".attributes; 26 local stat = require "lfs".attributes;
27 27
28 local tonumber, tostring = tonumber, tostring; 28 local tonumber, tostring = tonumber, tostring;
29 local pairs = pairs; 29 local pairs = pairs;
30 local t_remove = table.remove;
30 local type = type; 31 local type = type;
31 local io_open = io.open; 32 local io_open = io.open;
32 local select = select; 33 local select = select;
33 34
34 local prosody = prosody; 35 local prosody = prosody;
35 local resolve_path = require"util.paths".resolve_relative_path; 36 local resolve_path = require"util.paths".resolve_relative_path;
36 local config_path = prosody.paths.config or "."; 37 local config_path = prosody.paths.config or ".";
37 38
38 local luasec_major, luasec_minor = ssl._VERSION:match("^(%d+)%.(%d+)"); 39 local luasec_major, luasec_minor = ssl._VERSION:match("^(%d+)%.(%d+)");
39 local luasec_version = tonumber(luasec_major) * 100 + tonumber(luasec_minor); 40 local luasec_version = tonumber(luasec_major) * 100 + tonumber(luasec_minor);
40 local luasec_has = { 41 local luasec_has = softreq"ssl.config" or {
41 -- TODO If LuaSec ever starts exposing these things itself, use that instead 42 algorithms = {
42 cipher_server_preference = luasec_version >= 2; 43 ec = luasec_version >= 5;
43 no_ticket = luasec_version >= 4; 44 };
44 no_compression = luasec_version >= 5; 45 capabilities = {
45 single_dh_use = luasec_version >= 2; 46 curves_list = luasec_version >= 7;
46 single_ecdh_use = luasec_version >= 2; 47 };
48 options = {
49 cipher_server_preference = luasec_version >= 2;
50 no_ticket = luasec_version >= 4;
51 no_compression = luasec_version >= 5;
52 single_dh_use = luasec_version >= 2;
53 single_ecdh_use = luasec_version >= 2;
54 };
47 }; 55 };
48 56
49 local _ENV = nil; 57 local _ENV = nil;
50 58
51 -- Global SSL options if not overridden per-host 59 -- Global SSL options if not overridden per-host
97 capath = "/etc/ssl/certs"; 105 capath = "/etc/ssl/certs";
98 depth = 9; 106 depth = 9;
99 protocol = "tlsv1+"; 107 protocol = "tlsv1+";
100 verify = (ssl_x509 and { "peer", "client_once", }) or "none"; 108 verify = (ssl_x509 and { "peer", "client_once", }) or "none";
101 options = { 109 options = {
102 cipher_server_preference = luasec_has.cipher_server_preference; 110 cipher_server_preference = luasec_has.options.cipher_server_preference;
103 no_ticket = luasec_has.no_ticket; 111 no_ticket = luasec_has.options.no_ticket;
104 no_compression = luasec_has.no_compression and configmanager.get("*", "ssl_compression") ~= true; 112 no_compression = luasec_has.options.no_compression and configmanager.get("*", "ssl_compression") ~= true;
105 single_dh_use = luasec_has.single_dh_use; 113 single_dh_use = luasec_has.options.single_dh_use;
106 single_ecdh_use = luasec_has.single_ecdh_use; 114 single_ecdh_use = luasec_has.options.single_ecdh_use;
107 }; 115 };
108 verifyext = { "lsec_continue", "lsec_ignore_purpose" }; 116 verifyext = { "lsec_continue", "lsec_ignore_purpose" };
109 curve = "secp384r1"; 117 curve = luasec_has.algorithms.ec and not luasec_has.capabilities.curves_list and "secp384r1";
110 curveslist = { 118 curveslist = {
111 "X25519", 119 "X25519",
112 "P-384", 120 "P-384",
113 "P-256", 121 "P-256",
114 "P-521", 122 "P-521",
122 "!SRP", -- Secure Remote Password - not used for XMPP 130 "!SRP", -- Secure Remote Password - not used for XMPP
123 "!3DES", -- 3DES - slow and of questionable security 131 "!3DES", -- 3DES - slow and of questionable security
124 "!aNULL", -- Ciphers that does not authenticate the connection 132 "!aNULL", -- Ciphers that does not authenticate the connection
125 }; 133 };
126 } 134 }
135
136 if luasec_has.curves then
137 for i = #core_defaults.curveslist, 1, -1 do
138 if not luasec_has.curves[ core_defaults.curveslist[i] ] then
139 t_remove(core_defaults.curveslist, i);
140 end
141 end
142 else
143 core_defaults.curveslist = nil;
144 end
145
127 local path_options = { -- These we pass through resolve_path() 146 local path_options = { -- These we pass through resolve_path()
128 key = true, certificate = true, cafile = true, capath = true, dhparam = true 147 key = true, certificate = true, cafile = true, capath = true, dhparam = true
129 } 148 }
130 149
131 if luasec_version < 5 and ssl_x509 then 150 if luasec_version < 5 and ssl_x509 then
225 end 244 end
226 245
227 local function reload_ssl_config() 246 local function reload_ssl_config()
228 global_ssl_config = configmanager.get("*", "ssl"); 247 global_ssl_config = configmanager.get("*", "ssl");
229 global_certificates = configmanager.get("*", "certificates") or "certs"; 248 global_certificates = configmanager.get("*", "certificates") or "certs";
230 if luasec_has.no_compression then 249 if luasec_has.options.no_compression then
231 core_defaults.options.no_compression = configmanager.get("*", "ssl_compression") ~= true; 250 core_defaults.options.no_compression = configmanager.get("*", "ssl_compression") ~= true;
232 end 251 end
233 end 252 end
234 253
235 prosody.events.add_handler("config-reloaded", reload_ssl_config); 254 prosody.events.add_handler("config-reloaded", reload_ssl_config);