Log

core/certmanager.lua @ 5915:e6fed1d80116

description author age
Back out 1b0ac7950129, as SSLv3 appears to still be in moderate use on the network. Also, although obsolete, SSLv3 isn't documented to have any weaknesses that TLS 1.0 (the most common version used today) doesn't also have. Get your act together clients! Matthew Wild Tue, 12 Nov 2013 02:13:01 +0000
Merge 0.9->0.10 Matthew Wild Sun, 10 Nov 2013 18:49:34 +0000
certmanager: Update default cipher string to prefer forward-secrecy over cipher strength and to disable triple-DES (weaker and much slower than AES) Matthew Wild Sun, 10 Nov 2013 18:46:48 +0000
Merge 0.9->0.10 Matthew Wild Sat, 09 Nov 2013 18:36:32 +0000
certmanager: Fix order of options, so that the dynamic option is at the end of the array Matthew Wild Sat, 09 Nov 2013 17:54:21 +0000
certmanager: Default to using the server's cipher preference order by default, as clients have been shown to commonly select weak and insecure ciphers even when they support stronger ones Matthew Wild Sat, 09 Nov 2013 17:50:19 +0000
Merge 0.9 -> 0.10 Kim Alvefur Thu, 31 Oct 2013 20:47:57 +0100
certmanager: Disable SSLv3 by default Kim Alvefur Thu, 31 Oct 2013 19:00:36 +0100
certmanager: Fix. Again. Kim Alvefur Tue, 15 Oct 2013 10:47:34 +0200
certmanager: Add back single_dh_use and single_ecdh_use to default options (Zash breaks, Zash unbreaks) Kim Alvefur Tue, 15 Oct 2013 01:37:16 +0200
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback Kim Alvefur Tue, 03 Sep 2013 15:43:59 +0200
Merge 0.9->trunk Kim Alvefur Tue, 03 Sep 2013 13:43:39 +0200
certmanager: Fix dhparam callback, missing imports (Testing, pfft) 0.9.1 Kim Alvefur Tue, 03 Sep 2013 13:40:29 +0200
Merge 0.9->trunk Matthew Wild Tue, 03 Sep 2013 12:32:18 +0100
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback Kim Alvefur Tue, 03 Sep 2013 13:13:31 +0200
certmanager: Fix for working around a bug with LuaSec 0.4.1 that causes it to not honour the 'ciphers' option. This change will apply 0.9's default cipher string for LuaSec 0.4.1 users. Matthew Wild Tue, 03 Sep 2013 12:11:11 +0100
Remove all trailing whitespace Florian Zeitz Fri, 09 Aug 2013 17:48:21 +0200
Merge 0.9->trunk Matthew Wild Sat, 13 Jul 2013 13:17:53 +0100
certmanager: Set our own default cipher string, which includes only ciphers regarded as 'HIGH' strength (by OpenSSL). In particular this disables RC4. Matthew Wild Sat, 13 Jul 2013 13:15:24 +0100
certmanager: Overhaul of how ssl configs are built. Kim Alvefur Thu, 13 Jun 2013 17:44:42 +0200
Merge 0.9->trunk Matthew Wild Thu, 13 Jun 2013 00:46:29 +0100
certmanager: Add single_dh_use and single_ecdh_use to default options Matthew Wild Thu, 13 Jun 2013 00:45:41 +0100
Merge 0.9->trunk Matthew Wild Thu, 13 Jun 2013 00:09:56 +0100
certmanager: Set ssl.curve to 'secp384r1' by default, to enable ECC ciphers Matthew Wild Thu, 13 Jun 2013 00:04:04 +0100
Merge 0.9->trunk Matthew Wild Tue, 11 Jun 2013 21:50:41 +0100
certmanager: Use 'curve' and 'dhparam' options from ssl config if present Matthew Wild Tue, 11 Jun 2013 21:44:53 +0100
certmanager: Complain if key or certificate is missing from SSL config. Kim Alvefur Fri, 07 Jun 2013 20:55:02 +0200
certmanager: Disable SSL compression if possible (LuaSec 0.5 or 0.4.1+OpenSSL 1.x) Matthew Wild Wed, 22 May 2013 14:32:02 +0100
core.*: Complete removal of all traces of the "core" section and section-related code. Kim Alvefur Sat, 23 Mar 2013 02:33:15 +0100
certmanager: Fix nil index if no LuaSec available Kim Alvefur Mon, 07 Jan 2013 02:17:07 +0100
core.certmanager: Add support for LuaSec 0.5. Also compat with MattJs luasec-hg Kim Alvefur Fri, 28 Dec 2012 15:00:43 +0100
certmanager: Remove unused import of setmetatable Matthew Wild Mon, 23 Jul 2012 16:42:26 +0100
certmanager: Fix for traceback WITH LuaSec... (!) (thanks IRON) Matthew Wild Mon, 23 Jul 2012 16:39:49 +0100
certmanager: Fix traceback for missing LuaSec (thanks Link Mauve) Matthew Wild Mon, 23 Jul 2012 14:17:42 +0100
certmanager: Add quotes around cert file path when logging. Waqas Hussain Tue, 12 Jun 2012 17:02:35 +0500
certmanager: tonumber() (fix for 0b8134015635) Matthew Wild Sat, 19 May 2012 21:57:40 +0100
certmanager: Don't use no_ticket option before LuaSec 0.4 Matthew Wild Sat, 19 May 2012 21:53:43 +0100
certmanager: no_ticket is not a verification option (thanks Zash) Matthew Wild Fri, 18 May 2012 01:50:51 +0100
certmanager: Add no_ticket option for OpenSSL (we don't support resumption yet) Matthew Wild Fri, 18 May 2012 00:31:23 +0100
certmanager: Adjust error messages to be non-specific about 'host' (so we can specify a service name instead for SSL) Matthew Wild Fri, 11 May 2012 20:24:15 +0100
core.certmanager: Log a message when a password is required but not supplied. fixes #214 Kim Alvefur Sat, 21 Apr 2012 23:11:59 +0200
certmanager: More informative logging. Waqas Hussain Tue, 01 Nov 2011 23:57:42 +0500
certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option. Waqas Hussain Thu, 25 Aug 2011 12:09:16 +0500
certmanager: Add required verify flags for cert verification if LuaSec (probably) supports them Matthew Wild Sun, 28 Nov 2010 21:09:55 +0000
prosody, configmanager, certmanager: Relocate prosody.resolve_relative_path() to configmanager, and update certmanager (the only user of this function) Matthew Wild Wed, 10 Nov 2010 19:46:53 +0000
certmanager, hostmanager, mod_tls: Move responsibility for creating per-host SSL contexts to mod_tls, meaning reloading certs is now as trivial as reloading mod_tls Matthew Wild Sat, 06 Nov 2010 18:28:15 +0000
Monster whitespace commit (beware the whitespace monster). Waqas Hussain Sat, 16 Oct 2010 23:00:42 +0500
prosody.resolve_relative_path: Updated to take a parent path to resolve against. Waqas Hussain Fri, 23 Jul 2010 23:14:50 +0500
Merge 0.7->trunk Matthew Wild Fri, 23 Jul 2010 09:22:27 +0100
certmanager: Don't disable LuaSec and future cert loading on failure, and add error messages to the no LuaSec/config cases (thanks Jakob) Matthew Wild Fri, 23 Jul 2010 09:17:11 +0100
Merge with backout Matthew Wild Thu, 15 Jul 2010 08:27:56 +0100
Backed out changeset 598c33a99a31 (already fixed a better way) Matthew Wild Thu, 15 Jul 2010 08:25:50 +0100
certmanager: Fix to handle the case of no SSL configuration at all Matthew Wild Wed, 14 Jul 2010 16:24:15 +0100
certmanager: Added copyright header. Waqas Hussain Thu, 15 Jul 2010 11:28:31 +0500
certmanager: Defined default_capath to prevent a global nil access. Waqas Hussain Thu, 15 Jul 2010 11:28:14 +0500
certmanager: Use an empty table as the default ssl config when a global 'ssl' config option isn't specified (fixes a top-level traceback on startup). Waqas Hussain Thu, 15 Jul 2010 11:25:41 +0500