prosody
94253e02d47d
certs/openssl.cnf

Find changesets by keywords by author, files, the commit message, revision number or hash, or revset expression.

Software / code / prosody

File

certs/openssl.cnf @ 12187:94253e02d47d

mod_http: Limit unencrypted http port (5280) to loopback by default Since accessing this port directly over the wider Internet is unlikely to intentional anymore. Most uses will likely be by reverse proxies, by mistake or because of trouble configuring HTTPS. Blocking mistaken uses is just a good thing, letting users send potentially private things unencrypted tends to be Strongly Discouraged these days. Many reverse proxy setups operate over loopback, so listening there instead of all interfaces is a net improvement. Improved automatic certificate location and SNI support has mostly eliminated the need for manual certificate configuration so HTTPS should Just Work once certificates have been provided. For local testing during development, connecting over loopback is likely fine as well. When really needed, `http_interfaces` can still be set. Suggested by Link Mauve
author Kim Alvefur <zash@zash.se>
date Sat, 15 Jan 2022 15:13:41 +0100
parent 6922:e0672860d208
child 12604:bd9e006a7a74
line wrap: on
line source

oid_section = new_oids

[ new_oids ]

# RFC 6120 section 13.7.1.4. defines this OID
xmppAddr = 1.3.6.1.5.5.7.8.5

# RFC 4985 defines this OID
SRVName  = 1.3.6.1.5.5.7.8.7

[ req ]

default_bits       = 4096
default_keyfile    = example.com.key
distinguished_name = distinguished_name
req_extensions     = certrequest
x509_extensions    = selfsigned

# ask about the DN?
prompt = no

[ distinguished_name ]

commonName             = example.com
countryName            = GB
localityName           = The Internet
organizationName       = Your Organisation
organizationalUnitName = XMPP Department
emailAddress           = xmpp@example.com

[ certrequest ]

# for certificate requests (req_extensions)

basicConstraints = CA:FALSE
keyUsage         = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName   = @subject_alternative_name

[ selfsigned ]

# and self-signed certificates (x509_extensions)

basicConstraints = CA:TRUE
subjectAltName = @subject_alternative_name

[ subject_alternative_name ]

# See http://tools.ietf.org/html/rfc6120#section-13.7.1.2 for more info.

DNS.0       =                                           example.com
otherName.0 =                 xmppAddr;FORMAT:UTF8,UTF8:example.com
otherName.1 =            SRVName;IA5STRING:_xmpp-client.example.com
otherName.2 =            SRVName;IA5STRING:_xmpp-server.example.com

DNS.1       =                                conference.example.com
otherName.3 =      xmppAddr;FORMAT:UTF8,UTF8:conference.example.com
otherName.4 = SRVName;IA5STRING:_xmpp-server.conference.example.com