core/certmanager.lua @ 5915:e6fed1d80116
Back out 1b0ac7950129, as SSLv3 appears to still be in moderate use on the network. Also, although obsolete, SSLv3 isn't documented to have any weaknesses that TLS 1.0 (the most common version used today) doesn't also have. Get your act together clients!
author | Matthew Wild <mwild1@gmail.com> |
---|---|
date | Tue, 12 Nov 2013 02:13:01 +0000 |
parent | 5907:9586979058b8 |
child | 5916:1c4405f33561 |
child | 5921:f7601ce30cfc |
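--- a/core/certmanager.lua
+++ b/core/certmanager.lua
@@ -31,11 +31,11 @@
 
 -- Global SSL options if not overridden per-host
 local default_ssl_config = configmanager.get("*", "ssl");
 local default_capath = "/etc/ssl/certs";
 local default_verify = (ssl and ssl.x509 and { "peer", "client_once", }) or "none";
-local default_options = { "no_sslv2", "no_sslv3", "cipher_server_preference", luasec_has_noticket and "no_ticket" or nil };
+local default_options = { "no_sslv2", "cipher_server_preference", luasec_has_noticket and "no_ticket" or nil };
 local default_verifyext = { "lsec_continue", "lsec_ignore_purpose" };
 
 if ssl and not luasec_has_verifyext and ssl.x509 then
 -- COMPAT mw/luasec-hg
 for i=1,#default_verifyext do -- Remove lsec_ prefix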
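Review bot: The new `default_options` on line 36 leaves SSLv3 negotiable on every host that does not set its own ssl options, and nothing in the file records that this is a deliberate compatibility choice rather than an omission. A comment in the file's existing COMPAT style would document it, e.g. `-- COMPAT: SSLv3 stays enabled for legacy clients; add "no_sslv3" to the ssl options to turn it off` (assuming the configured options replace or extend this default, which is not visible here). SSLv3 and TLS 1.0 also differ in one respect relevant to this default: SSLv3 leaves CBC padding bytes unspecified and unverified, whereas TLS 1.0 defines them, so the setting is worth revisiting once client usage permits. Recording the negotiated protocol version in the connection log would let operators measure how many peers still need SSLv3; whether that is already logged cannot be told from this section.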