net.http: fail open if surrounding code does not configure TLS Previously, if surrounding code was not configuring the TLS context used default in net.http, it would not validate certificates at all. This is not a security issue with prosody, because prosody updates the context with `verify = "peer"` as well as paths to CA certificates in util.startup.init_http_client. Nevertheless... Let's not leave this pitfall out there in the open.

author: Jonas Schäfer <jonas@wielicki.name>
date: Sun, 29 Aug 2021 15:04:47 +0200
parent: 11661:735b8f4a6d7e
child: 12273:c0f49a4026f8
--- a/net/http.lua	Thu Aug 26 16:42:42 2021 +0100
+++ b/net/http.lua	Sun Aug 29 15:04:47 2021 +0200
@@ -332,7 +332,7 @@
 end
 
 local default_http = new({
-	sslctx = { mode = "client", protocol = "sslv23", options = { "no_sslv2", "no_sslv3" }, alpn = "http/1.1" };
+	sslctx = { mode = "client", protocol = "sslv23", options = { "no_sslv2", "no_sslv3" }, alpn = "http/1.1", verify = "peer" };
 	suppress_errors = true;
 });
author	Jonas Schäfer <jonas@wielicki.name>
date	Sun, 29 Aug 2021 15:04:47 +0200
parent	11661:735b8f4a6d7e
child	12273:c0f49a4026f8