core/certmanager.lua @ 6565:ffc0a57889aa
certmanager: Add locals for ssl.context and ssl.x509
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Thu, 05 Feb 2015 15:14:35 +0100 |
| parent | 6564:bcf32653cab7 |
| child | 6566:1f396f0fe832 |
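--- a/core/certmanager.lua
+++ b/core/certmanager.lua
@@ -17,10 +17,12 @@
 }
 end
 
 local configmanager = require "core.configmanager";
 local log = require "util.logger".init("certmanager");
+local ssl_context = ssl.context or softreq"ssl.context";
+local ssl_x509 = ssl.x509 or softreq"ssl.x509";
 local ssl_newcontext = ssl.newcontext;
 local new_config = require"util.sslconfig".new;
 
 local tostring = tostring;
 local pairs = pairs;
@@ -45,11 +47,11 @@
 
 -- Built-in defaults
 local core_defaults = {
 capath = "/etc/ssl/certs";
 protocol = "tlsv1+";
-verify = (ssl.x509 and { "peer", "client_once", }) or "none";
+verify = (ssl_x509 and { "peer", "client_once", }) or "none";
 options = {
 cipher_server_preference = true;
 no_ticket = luasec_has_noticket;
 no_compression = luasec_has_no_compression and configmanager.get("*", "ssl_compression") ~= true;
 -- Has no_compression? Then it has these too...
@@ -62,11 +64,11 @@
 }
 local path_options = { -- These we pass through resolve_path()
 key = true, certificate = true, cafile = true, capath = true, dhparam = true
 }
 
-if not luasec_has_verifyext and ssl.x509 then
+if not luasec_has_verifyext and ssl_x509 then
 -- COMPAT mw/luasec-hg
 for i=1,#core_defaults.verifyext do -- Remove lsec_ prefix
 core_defaults.verify[#core_defaults.verify+1] = core_defaults.verifyext[i]:sub(6);
 end
 end
@@ -112,11 +114,11 @@
 
 -- COMPAT Older LuaSec ignores the cipher list from the config, so we have to take care
 -- of it ourselves (W/A for #x)
 if ctx and user_ssl_config.ciphers then
 local success;
-success, err = ssl.context.setcipher(ctx, user_ssl_config.ciphers);
+success, err = ssl_context.setcipher(ctx, user_ssl_config.ciphers);
 if not success then ctx = nil; end
 end
 
 if not ctx then
 err = err or "invalid ssl config"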