certmanager: Further cipher string tweaking. Re-enable ciphers required for DSA and ECDH certs/keys.
|
Matthew Wild |
Thu, 21 Nov 2013 02:11:09 +0000 |
Merge 0.9->0.10
|
Matthew Wild |
Tue, 12 Nov 2013 02:23:02 +0000 |
Back out 1b0ac7950129, as SSLv3 appears to still be in moderate use on the network. Also, although obsolete, SSLv3 isn't documented to have any weaknesses that TLS 1.0 (the most common version used today) doesn't also have. Get your act together clients!
|
Matthew Wild |
Tue, 12 Nov 2013 02:13:01 +0000 |
Merge 0.9->0.10
|
Matthew Wild |
Sun, 10 Nov 2013 18:49:34 +0000 |
certmanager: Update default cipher string to prefer forward-secrecy over cipher strength and to disable triple-DES (weaker and much slower than AES)
|
Matthew Wild |
Sun, 10 Nov 2013 18:46:48 +0000 |
Merge 0.9->0.10
|
Matthew Wild |
Sat, 09 Nov 2013 18:36:32 +0000 |
certmanager: Fix order of options, so that the dynamic option is at the end of the array
|
Matthew Wild |
Sat, 09 Nov 2013 17:54:21 +0000 |
certmanager: Default to using the server's cipher preference order by default, as clients have been shown to commonly select weak and insecure ciphers even when they support stronger ones
|
Matthew Wild |
Sat, 09 Nov 2013 17:50:19 +0000 |
Merge 0.9 -> 0.10
|
Kim Alvefur |
Thu, 31 Oct 2013 20:47:57 +0100 |
certmanager: Disable SSLv3 by default
|
Kim Alvefur |
Thu, 31 Oct 2013 19:00:36 +0100 |
certmanager: Fix. Again.
|
Kim Alvefur |
Tue, 15 Oct 2013 10:47:34 +0200 |
certmanager: Add back single_dh_use and single_ecdh_use to default options (Zash breaks, Zash unbreaks)
|
Kim Alvefur |
Tue, 15 Oct 2013 01:37:16 +0200 |
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
|
Kim Alvefur |
Tue, 03 Sep 2013 15:43:59 +0200 |
Merge 0.9->trunk
|
Kim Alvefur |
Tue, 03 Sep 2013 13:43:39 +0200 |
certmanager: Fix dhparam callback, missing imports (Testing, pfft)
0.9.1
|
Kim Alvefur |
Tue, 03 Sep 2013 13:40:29 +0200 |
Merge 0.9->trunk
|
Matthew Wild |
Tue, 03 Sep 2013 12:32:18 +0100 |
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
|
Kim Alvefur |
Tue, 03 Sep 2013 13:13:31 +0200 |
certmanager: Fix for working around a bug with LuaSec 0.4.1 that causes it to not honour the 'ciphers' option. This change will apply 0.9's default cipher string for LuaSec 0.4.1 users.
|
Matthew Wild |
Tue, 03 Sep 2013 12:11:11 +0100 |
Remove all trailing whitespace
|
Florian Zeitz |
Fri, 09 Aug 2013 17:48:21 +0200 |
Merge 0.9->trunk
|
Matthew Wild |
Sat, 13 Jul 2013 13:17:53 +0100 |
certmanager: Set our own default cipher string, which includes only ciphers regarded as 'HIGH' strength (by OpenSSL). In particular this disables RC4.
|
Matthew Wild |
Sat, 13 Jul 2013 13:15:24 +0100 |
certmanager: Overhaul of how ssl configs are built.
|
Kim Alvefur |
Thu, 13 Jun 2013 17:44:42 +0200 |
Merge 0.9->trunk
|
Matthew Wild |
Thu, 13 Jun 2013 00:46:29 +0100 |
certmanager: Add single_dh_use and single_ecdh_use to default options
|
Matthew Wild |
Thu, 13 Jun 2013 00:45:41 +0100 |
Merge 0.9->trunk
|
Matthew Wild |
Thu, 13 Jun 2013 00:09:56 +0100 |
certmanager: Set ssl.curve to 'secp384r1' by default, to enable ECC ciphers
|
Matthew Wild |
Thu, 13 Jun 2013 00:04:04 +0100 |
Merge 0.9->trunk
|
Matthew Wild |
Tue, 11 Jun 2013 21:50:41 +0100 |
certmanager: Use 'curve' and 'dhparam' options from ssl config if present
|
Matthew Wild |
Tue, 11 Jun 2013 21:44:53 +0100 |
certmanager: Complain if key or certificate is missing from SSL config.
|
Kim Alvefur |
Fri, 07 Jun 2013 20:55:02 +0200 |
certmanager: Disable SSL compression if possible (LuaSec 0.5 or 0.4.1+OpenSSL 1.x)
|
Matthew Wild |
Wed, 22 May 2013 14:32:02 +0100 |
core.*: Complete removal of all traces of the "core" section and section-related code.
|
Kim Alvefur |
Sat, 23 Mar 2013 02:33:15 +0100 |
certmanager: Fix nil index if no LuaSec available
|
Kim Alvefur |
Mon, 07 Jan 2013 02:17:07 +0100 |
core.certmanager: Add support for LuaSec 0.5. Also compat with MattJs luasec-hg
|
Kim Alvefur |
Fri, 28 Dec 2012 15:00:43 +0100 |
certmanager: Remove unused import of setmetatable
|
Matthew Wild |
Mon, 23 Jul 2012 16:42:26 +0100 |
certmanager: Fix for traceback WITH LuaSec... (!) (thanks IRON)
|
Matthew Wild |
Mon, 23 Jul 2012 16:39:49 +0100 |
certmanager: Fix traceback for missing LuaSec (thanks Link Mauve)
|
Matthew Wild |
Mon, 23 Jul 2012 14:17:42 +0100 |
certmanager: Add quotes around cert file path when logging.
|
Waqas Hussain |
Tue, 12 Jun 2012 17:02:35 +0500 |
certmanager: tonumber() (fix for 0b8134015635)
|
Matthew Wild |
Sat, 19 May 2012 21:57:40 +0100 |
certmanager: Don't use no_ticket option before LuaSec 0.4
|
Matthew Wild |
Sat, 19 May 2012 21:53:43 +0100 |
certmanager: no_ticket is not a verification option (thanks Zash)
|
Matthew Wild |
Fri, 18 May 2012 01:50:51 +0100 |
certmanager: Add no_ticket option for OpenSSL (we don't support resumption yet)
|
Matthew Wild |
Fri, 18 May 2012 00:31:23 +0100 |
certmanager: Adjust error messages to be non-specific about 'host' (so we can specify a service name instead for SSL)
|
Matthew Wild |
Fri, 11 May 2012 20:24:15 +0100 |
core.certmanager: Log a message when a password is required but not supplied. fixes #214
|
Kim Alvefur |
Sat, 21 Apr 2012 23:11:59 +0200 |
certmanager: More informative logging.
|
Waqas Hussain |
Tue, 01 Nov 2011 23:57:42 +0500 |
certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
|
Waqas Hussain |
Thu, 25 Aug 2011 12:09:16 +0500 |
certmanager: Add required verify flags for cert verification if LuaSec (probably) supports them
|
Matthew Wild |
Sun, 28 Nov 2010 21:09:55 +0000 |
prosody, configmanager, certmanager: Relocate prosody.resolve_relative_path() to configmanager, and update certmanager (the only user of this function)
|
Matthew Wild |
Wed, 10 Nov 2010 19:46:53 +0000 |
certmanager, hostmanager, mod_tls: Move responsibility for creating per-host SSL contexts to mod_tls, meaning reloading certs is now as trivial as reloading mod_tls
|
Matthew Wild |
Sat, 06 Nov 2010 18:28:15 +0000 |
Monster whitespace commit (beware the whitespace monster).
|
Waqas Hussain |
Sat, 16 Oct 2010 23:00:42 +0500 |
prosody.resolve_relative_path: Updated to take a parent path to resolve against.
|
Waqas Hussain |
Fri, 23 Jul 2010 23:14:50 +0500 |
Merge 0.7->trunk
|
Matthew Wild |
Fri, 23 Jul 2010 09:22:27 +0100 |
certmanager: Don't disable LuaSec and future cert loading on failure, and add error messages to the no LuaSec/config cases (thanks Jakob)
|
Matthew Wild |
Fri, 23 Jul 2010 09:17:11 +0100 |
Merge with backout
|
Matthew Wild |
Thu, 15 Jul 2010 08:27:56 +0100 |
Backed out changeset 598c33a99a31 (already fixed a better way)
|
Matthew Wild |
Thu, 15 Jul 2010 08:25:50 +0100 |
certmanager: Fix to handle the case of no SSL configuration at all
|
Matthew Wild |
Wed, 14 Jul 2010 16:24:15 +0100 |
certmanager: Added copyright header.
|
Waqas Hussain |
Thu, 15 Jul 2010 11:28:31 +0500 |
certmanager: Defined default_capath to prevent a global nil access.
|
Waqas Hussain |
Thu, 15 Jul 2010 11:28:14 +0500 |
certmanager: Use an empty table as the default ssl config when a global 'ssl' config option isn't specified (fixes a top-level traceback on startup).
|
Waqas Hussain |
Thu, 15 Jul 2010 11:25:41 +0500 |
certmanager: Remove debug logging accidentally committed
|
Matthew Wild |
Tue, 13 Jul 2010 15:28:52 +0100 |
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
|
Matthew Wild |
Tue, 13 Jul 2010 13:56:14 +0100 |