prosody
4ea7bd7325be
core/portmanager.lua

Find changesets by keywords by author, files, the commit message, revision number or hash, or revset expression.

Software / code / prosody

Diff

core/portmanager.lua @ 13792:4ea7bd7325be 13.0

core.portmanager: Restore use of per-host 'ssl' for SNI hosts. Fixes #1915. This was an unintentional regression, as per-host 'ssl' options became valid in 0.12 when SNI support was added for direct TLS ports. While we encourage most people to use the simpler automatic certificate selection (and it seems most do, given the overlooking of this bug), there are likely always going to be use cases for manually-configured certificates. The issue was introduced in commit 7e9ebdc75ce4 which inadvertently removed the per-host option checking for SNI.
author Kim Alvefur <zash@zash.se>
date Sat, 29 Mar 2025 22:25:19 +0100
parent 13279:140f7926946b
child 13807:21c58b1d5b47
line wrap: on
line diff
--- a/core/portmanager.lua	Sun Mar 23 19:59:45 2025 +0100
+++ b/core/portmanager.lua	Sat Mar 29 22:25:19 2025 +0100
@@ -245,22 +245,26 @@
 	for name, interface, port, n, active_service --luacheck: ignore 213
 		in active_services:iter(service, nil, nil, nil) do
 		if active_service.server and active_service.tls_cfg then
+			local config_prefix = (active_service.config_prefix or name).."_";
+			if config_prefix == "_" then config_prefix = ""; end
+			local prefix_ssl_config = config.get(host, config_prefix.."ssl");
 			local alternate_host = name and config.get(host, name.."_host");
 			if not alternate_host and name == "https" then
 				-- TODO should this be some generic thing? e.g. in the service definition
 				alternate_host = config.get(host, "http_host");
 			end
-			local autocert = certmanager.find_host_cert(alternate_host or host);
-			local manualcert = active_service.tls_cfg;
-			local certificate = (autocert and autocert.certificate) or manualcert.certificate;
-			local key = (autocert and autocert.key) or manualcert.key;
-			local ok, err = active_service.server:sslctx():set_sni_host(
-				host,
-				certificate,
-				key
-			);
-			if not ok then
+			local ssl, err, cfg = certmanager.create_context(alternate_host or host, "server", prefix_ssl_config, active_service.tls_cfg);
+			if not ssl then
 				log("error", "Error creating TLS context for SNI host %s: %s", host, err);
+			else
+				local ok, err = active_service.server:sslctx():set_sni_host(
+					host,
+					cfg.certificate,
+					cfg.key
+					);
+				if not ok then
+					log("error", "Error creating TLS context for SNI host %s: %s", host, err);
+				end
 			end
 		end
 	end