Log

core/certmanager.lua @ 11828:024ac556e907

description author age
core.certmanager: Support 'use_dane' setting to enable DANE support Kim Alvefur Sun, 18 Jul 2021 22:46:57 +0200
core.certmanager: Skip service certificate lookup for https client Kim Alvefur Thu, 27 May 2021 09:22:07 +0200
Merge 0.11->trunk Matthew Wild Thu, 13 May 2021 11:17:13 +0100
certmanager: Disable renegotiation by default 0.11 Matthew Wild Tue, 11 May 2021 14:14:15 +0100
core.certmanager: Test for SSL options in absence of LuaSec config 0.11 Kim Alvefur Mon, 26 Apr 2021 15:32:05 +0200
core.certmanager: Attempt to directly access LuaSec config table 0.11 Kim Alvefur Mon, 26 Apr 2021 15:30:13 +0200
core.certmanager: Catch error from lfs Kim Alvefur Fri, 07 May 2021 16:47:58 +0200
core.certmanager: Resolve certs path relative to config dir Kim Alvefur Fri, 07 May 2021 16:35:37 +0200
core.certmanager: Skip directly to guessing of key from cert filename Kim Alvefur Wed, 05 May 2021 15:56:39 +0200
core.certmanager: Join paths with OS-aware util.paths function Kim Alvefur Wed, 05 May 2021 15:54:05 +0200
core.certmanager: Build an index over certificates Kim Alvefur Sat, 10 Apr 2021 14:45:40 +0200
core.certmanager: Check for complete filename Kim Alvefur Sat, 10 Apr 2021 14:45:03 +0200
core.certmanager: Add comments explaining the 'verifyext' TLS settings Kim Alvefur Sat, 06 Feb 2021 22:12:38 +0100
core.certmanager: Add TODO about LuaSec issue Kim Alvefur Sun, 07 Jun 2020 02:12:50 +0200
Merge 0.11->trunk Kim Alvefur Mon, 13 Apr 2020 16:14:39 +0200
core.certmanager: Move EECDH ciphers before EDH in default cipherstring (fixes #1513) 0.11 Kim Alvefur Sun, 25 Aug 2019 20:22:35 +0200
Merge 0.11->trunk Kim Alvefur Fri, 10 Apr 2020 19:03:36 +0200
core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526) 0.11 Kim Alvefur Fri, 10 Apr 2020 16:11:09 +0200
core.portmanager: Fix TLS context inheritance for SNI hosts (completes SNI support) Kim Alvefur Fri, 29 Nov 2019 23:24:14 +0100
core.certmanager: Lower severity for tls config not having cert Kim Alvefur Sat, 07 Sep 2019 00:00:40 +0200
core.certmanager: Remove unused import [luacheck] Kim Alvefur Sun, 25 Aug 2019 23:25:42 +0200
Remove COMPAT with temporary luasec fork Kim Alvefur Sun, 25 Aug 2019 23:12:55 +0200
core.certmanager: Move EECDH ciphers before EDH in default cipherstring Kim Alvefur Sun, 25 Aug 2019 20:22:35 +0200
core.certmanager: Do not ask for client certificates by default Kim Alvefur Sun, 10 Mar 2019 19:58:28 +0100
Merge 0.10->trunk Kim Alvefur Fri, 25 May 2018 03:33:13 +0200
core.certmanager: Allow all non-whitespace in service name (fixes #1019) Kim Alvefur Fri, 25 May 2018 03:30:16 +0200
various: Add annotation when an empty environment is set [luacheck] Kim Alvefur Wed, 28 Feb 2018 20:06:26 +0100
certmanager: Check for missing certificate before key in configuration (should be marginally less confusing) Kim Alvefur Thu, 28 Dec 2017 17:32:56 +0100
certmanager: Set single curve conditioned on LuaSec advertising EC crypto support Kim Alvefur Mon, 20 Nov 2017 00:27:26 +0100
certmanager: Filter out curves not supported by LuaSec Kim Alvefur Mon, 20 Nov 2017 00:26:41 +0100
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7 Kim Alvefur Mon, 20 Nov 2017 00:25:18 +0100
core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1 Kim Alvefur Wed, 27 Sep 2017 15:45:07 +0200
prosodyctl: cert import: Reuse function from certmanager for locating certificates and keys Kim Alvefur Wed, 27 Sep 2017 15:21:20 +0200
certmanager: Add debug logging (thanks av6) Matthew Wild Sat, 23 Sep 2017 17:13:29 +0100
certmanager: Update the 'certificates' option after the config has been reloaded (fixes #929) Kim Alvefur Thu, 01 Jun 2017 14:03:50 +0200
core.certmanager: Translate "no start line" to something friendlier (thanks santiago) Kim Alvefur Sat, 26 Nov 2016 20:08:48 +0100
core.certmanager: Split cipher list into array with comments explaining each part Kim Alvefur Mon, 12 Sep 2016 15:49:24 +0200
certmanager: Assume default config path of '.' (fixes prosodyctl check certs when not installed) Kim Alvefur Fri, 29 Jul 2016 11:24:28 +0200
certmanager: Explicitly tonumber() version number segments before doing arithmetic and avoid relying on implicit coercion (thanks David Favro) Matthew Wild Sat, 26 Mar 2016 19:55:08 +0000
certmanager: Localize tonumber Matthew Wild Thu, 18 Feb 2016 13:48:45 +0000
certmanager: Try filename.key if certificate is set to a full filename ending with .crt Kim Alvefur Fri, 05 Feb 2016 16:12:01 +0100
certmanager: Apply global ssl config later so certificate/key is not overwritten by magic Kim Alvefur Fri, 05 Feb 2016 15:03:39 +0100
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614) Matthew Wild Fri, 05 Feb 2016 00:03:41 +0000
core.certmanager: Look for certificate and key in a few different places Kim Alvefur Wed, 03 Feb 2016 22:44:29 +0100
core.certmanager: Remove non-string filenames (allows setting eg capath to false to disable the built in default) Kim Alvefur Sun, 11 Oct 2015 19:44:15 +0200
core.*: Remove use of module() function Kim Alvefur Sat, 21 Feb 2015 10:42:19 +0100
certmanager: Fix compat for MattJs old LuaSec fork Kim Alvefur Thu, 05 Feb 2015 17:23:53 +0100
certmanager: Fix previous commit Kim Alvefur Thu, 05 Feb 2015 17:21:05 +0100
certmanager: Limit certificate chain depth to 9 Kim Alvefur Thu, 05 Feb 2015 16:59:34 +0100
certmanager: Options that appear to be available since LuaSec 0.2 Kim Alvefur Thu, 05 Feb 2015 16:56:28 +0100
certmanager: Improve "detection" of features that depend on LuaSec version Kim Alvefur Thu, 05 Feb 2015 16:20:50 +0100
certmanager: Add locals for ssl.context and ssl.x509 Kim Alvefur Thu, 05 Feb 2015 15:14:35 +0100
certmanager: Early return from the entire module if LuaSec is unavailable Kim Alvefur Thu, 05 Feb 2015 15:10:23 +0100
certmanager: Make global variable access explicit Matthew Wild Tue, 20 Jan 2015 11:29:38 +0000
certmanager, mod_tls: Return final ssl config as third return value (fix for c6caaa440e74, portmanager assumes non-falsy second return value is an error) (thanks deoren) Kim Alvefur Sat, 22 Nov 2014 11:51:54 +0100
certmanager: Return final ssl config along with ssl context on success Kim Alvefur Wed, 19 Nov 2014 14:47:03 +0100
Merge 0.9->0.10 Kim Alvefur Sun, 26 Oct 2014 20:57:06 +0100
certmanager, net.http: Disable SSLv3 by default 0.9.6 Matthew Wild Tue, 14 Oct 2014 18:55:08 +0100
core.certmanager: Make create_context() support an arbitrary number of option sets, merging all Kim Alvefur Thu, 03 Jul 2014 15:32:26 +0200
core.certmanager: Use util.sslconfig Kim Alvefur Thu, 03 Jul 2014 15:31:12 +0200
core.certmanager, core.moduleapi, mod_storage_sql, mod_storage_sql2: Import from util.paths Kim Alvefur Fri, 09 May 2014 19:35:29 +0200
certmanager: Move ssl.protocol handling to after ssl.options is a table (thanks Ralph) Kim Alvefur Mon, 21 Apr 2014 02:43:09 +0200
certmanager: Fix traceback if no global 'ssl' section set (thanks albert) Kim Alvefur Sun, 20 Apr 2014 21:25:26 +0200
certmanager: Update ssl_compression when config is reloaded Kim Alvefur Tue, 15 Apr 2014 01:02:56 +0200
certmanager: Reformat core ssl defaults Kim Alvefur Tue, 15 Apr 2014 00:49:17 +0200
certmanager: Support ssl.protocol syntax like "tlsv1+" that disables older protocols Kim Alvefur Tue, 15 Apr 2014 00:45:07 +0200
certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost Kim Alvefur Tue, 15 Apr 2014 00:32:11 +0200
certmanager: Wrap long line and add comment Kim Alvefur Mon, 14 Apr 2014 23:41:26 +0200
certmanager: Concatenate cipher list if given as a table Kim Alvefur Mon, 14 Apr 2014 23:34:35 +0200
certmanager: Allow non-server contexts to be without certificate and key Kim Alvefur Mon, 14 Apr 2014 23:09:28 +0200
certmanager: Check for non-nil values instead of true-ish values, allows removing defaults Kim Alvefur Mon, 14 Apr 2014 23:00:44 +0200
Merge 0.9->0.10 Matthew Wild Thu, 21 Nov 2013 02:14:23 +0000
certmanager: Further cipher string tweaking. Re-enable ciphers required for DSA and ECDH certs/keys. Matthew Wild Thu, 21 Nov 2013 02:11:09 +0000
Merge 0.9->0.10 Matthew Wild Tue, 12 Nov 2013 02:23:02 +0000
Back out 1b0ac7950129, as SSLv3 appears to still be in moderate use on the network. Also, although obsolete, SSLv3 isn't documented to have any weaknesses that TLS 1.0 (the most common version used today) doesn't also have. Get your act together clients! Matthew Wild Tue, 12 Nov 2013 02:13:01 +0000
Merge 0.9->0.10 Matthew Wild Sun, 10 Nov 2013 18:49:34 +0000
certmanager: Update default cipher string to prefer forward-secrecy over cipher strength and to disable triple-DES (weaker and much slower than AES) Matthew Wild Sun, 10 Nov 2013 18:46:48 +0000
Merge 0.9->0.10 Matthew Wild Sat, 09 Nov 2013 18:36:32 +0000
certmanager: Fix order of options, so that the dynamic option is at the end of the array Matthew Wild Sat, 09 Nov 2013 17:54:21 +0000
certmanager: Default to using the server's cipher preference order by default, as clients have been shown to commonly select weak and insecure ciphers even when they support stronger ones Matthew Wild Sat, 09 Nov 2013 17:50:19 +0000
Merge 0.9 -> 0.10 Kim Alvefur Thu, 31 Oct 2013 20:47:57 +0100
certmanager: Disable SSLv3 by default Kim Alvefur Thu, 31 Oct 2013 19:00:36 +0100
certmanager: Fix. Again. Kim Alvefur Tue, 15 Oct 2013 10:47:34 +0200
certmanager: Add back single_dh_use and single_ecdh_use to default options (Zash breaks, Zash unbreaks) Kim Alvefur Tue, 15 Oct 2013 01:37:16 +0200
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback Kim Alvefur Tue, 03 Sep 2013 15:43:59 +0200
Merge 0.9->trunk Kim Alvefur Tue, 03 Sep 2013 13:43:39 +0200
certmanager: Fix dhparam callback, missing imports (Testing, pfft) 0.9.1 Kim Alvefur Tue, 03 Sep 2013 13:40:29 +0200
Merge 0.9->trunk Matthew Wild Tue, 03 Sep 2013 12:32:18 +0100
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback Kim Alvefur Tue, 03 Sep 2013 13:13:31 +0200
certmanager: Fix for working around a bug with LuaSec 0.4.1 that causes it to not honour the 'ciphers' option. This change will apply 0.9's default cipher string for LuaSec 0.4.1 users. Matthew Wild Tue, 03 Sep 2013 12:11:11 +0100
Remove all trailing whitespace Florian Zeitz Fri, 09 Aug 2013 17:48:21 +0200
Merge 0.9->trunk Matthew Wild Sat, 13 Jul 2013 13:17:53 +0100
certmanager: Set our own default cipher string, which includes only ciphers regarded as 'HIGH' strength (by OpenSSL). In particular this disables RC4. Matthew Wild Sat, 13 Jul 2013 13:15:24 +0100
certmanager: Overhaul of how ssl configs are built. Kim Alvefur Thu, 13 Jun 2013 17:44:42 +0200
Merge 0.9->trunk Matthew Wild Thu, 13 Jun 2013 00:46:29 +0100
certmanager: Add single_dh_use and single_ecdh_use to default options Matthew Wild Thu, 13 Jun 2013 00:45:41 +0100
Merge 0.9->trunk Matthew Wild Thu, 13 Jun 2013 00:09:56 +0100
certmanager: Set ssl.curve to 'secp384r1' by default, to enable ECC ciphers Matthew Wild Thu, 13 Jun 2013 00:04:04 +0100
Merge 0.9->trunk Matthew Wild Tue, 11 Jun 2013 21:50:41 +0100
certmanager: Use 'curve' and 'dhparam' options from ssl config if present Matthew Wild Tue, 11 Jun 2013 21:44:53 +0100
certmanager: Complain if key or certificate is missing from SSL config. Kim Alvefur Fri, 07 Jun 2013 20:55:02 +0200
certmanager: Disable SSL compression if possible (LuaSec 0.5 or 0.4.1+OpenSSL 1.x) Matthew Wild Wed, 22 May 2013 14:32:02 +0100
core.*: Complete removal of all traces of the "core" section and section-related code. Kim Alvefur Sat, 23 Mar 2013 02:33:15 +0100
certmanager: Fix nil index if no LuaSec available Kim Alvefur Mon, 07 Jan 2013 02:17:07 +0100
core.certmanager: Add support for LuaSec 0.5. Also compat with MattJs luasec-hg Kim Alvefur Fri, 28 Dec 2012 15:00:43 +0100
certmanager: Remove unused import of setmetatable Matthew Wild Mon, 23 Jul 2012 16:42:26 +0100
certmanager: Fix for traceback WITH LuaSec... (!) (thanks IRON) Matthew Wild Mon, 23 Jul 2012 16:39:49 +0100
certmanager: Fix traceback for missing LuaSec (thanks Link Mauve) Matthew Wild Mon, 23 Jul 2012 14:17:42 +0100
certmanager: Add quotes around cert file path when logging. Waqas Hussain Tue, 12 Jun 2012 17:02:35 +0500
certmanager: tonumber() (fix for 0b8134015635) Matthew Wild Sat, 19 May 2012 21:57:40 +0100
certmanager: Don't use no_ticket option before LuaSec 0.4 Matthew Wild Sat, 19 May 2012 21:53:43 +0100
certmanager: no_ticket is not a verification option (thanks Zash) Matthew Wild Fri, 18 May 2012 01:50:51 +0100
certmanager: Add no_ticket option for OpenSSL (we don't support resumption yet) Matthew Wild Fri, 18 May 2012 00:31:23 +0100
certmanager: Adjust error messages to be non-specific about 'host' (so we can specify a service name instead for SSL) Matthew Wild Fri, 11 May 2012 20:24:15 +0100
core.certmanager: Log a message when a password is required but not supplied. fixes #214 Kim Alvefur Sat, 21 Apr 2012 23:11:59 +0200
certmanager: More informative logging. Waqas Hussain Tue, 01 Nov 2011 23:57:42 +0500
certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option. Waqas Hussain Thu, 25 Aug 2011 12:09:16 +0500
certmanager: Add required verify flags for cert verification if LuaSec (probably) supports them Matthew Wild Sun, 28 Nov 2010 21:09:55 +0000
prosody, configmanager, certmanager: Relocate prosody.resolve_relative_path() to configmanager, and update certmanager (the only user of this function) Matthew Wild Wed, 10 Nov 2010 19:46:53 +0000
certmanager, hostmanager, mod_tls: Move responsibility for creating per-host SSL contexts to mod_tls, meaning reloading certs is now as trivial as reloading mod_tls Matthew Wild Sat, 06 Nov 2010 18:28:15 +0000