# HG changeset patch
# User Kim Alvefur
# Date 1552244308 -3600
# Node ID 6ea3cafb6ac3c18f5673eca1d825cc37eefd1f5c
# Parent 75d2874502c3d465d9ce0416c0d566ba526ab335
core.certmanager: Do not ask for client certificates by default Since it's mostly only mod_s2s that needs to request client certificates it makes some sense to have mod_s2s ask for this, instead of having eg mod_http ask to disable it.
diff -r 75d2874502c3 -r 6ea3cafb6ac3 core/certmanager.lua
--- a/core/certmanager.lua Sun Mar 10 19:32:33 2019 +0100
+++ b/core/certmanager.lua Sun Mar 10 19:58:28 2019 +0100
@@ -106,7 +106,7 @@
 capath = "/etc/ssl/certs";
 depth = 9;
 protocol = "tlsv1+";
- verify = (ssl_x509 and { "peer", "client_once", }) or "none";
+ verify = "none";
 options = {
 cipher_server_preference = luasec_has.options.cipher_server_preference;
 no_ticket = luasec_has.options.no_ticket;
diff -r 75d2874502c3 -r 6ea3cafb6ac3 plugins/mod_http.lua
--- a/plugins/mod_http.lua Sun Mar 10 19:32:33 2019 +0100
+++ b/plugins/mod_http.lua Sun Mar 10 19:58:28 2019 +0100
@@ -228,9 +228,6 @@
 listener = server.listener;
 default_port = 5281;
 encryption = "ssl";
- ssl_config = {
- verify = "none";
- };
 multiplex = {
 pattern = "^[A-Z]";
 };
diff -r 75d2874502c3 -r 6ea3cafb6ac3 plugins/mod_s2s/mod_s2s.lua
--- a/plugins/mod_s2s/mod_s2s.lua Sun Mar 10 19:32:33 2019 +0100
+++ b/plugins/mod_s2s/mod_s2s.lua Sun Mar 10 19:58:28 2019 +0100
@@ -738,6 +738,9 @@
 listener = listener;
 default_port = 5269;
 encryption = "starttls";
+ ssl_config = {
+ verify = { "peer", "client_once", };
+ };
 multiplex = {
 pattern = "^<.*:stream.*%sxmlns%s*=%s*(['\"])jabber:server%1.*>";
 };
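Review bot: The new `verify = "none";` default in core/certmanager.lua changes behaviour for every consumer of the core TLS defaults, not only mod_http, and nothing on the line records that. Only mod_s2s opts back in within this changeset, so any other service or third-party module that relied on the default to obtain a client certificate (for example for certificate-based authentication) would silently stop receiving one; whether such consumers exist is not visible here and should be confirmed. I would add a comment above the line, `-- Client certificates are not requested by default; services that need them must set verify in their own ssl_config (see mod_s2s)`, and mention the change in the release notes. The surrounding defaults table starts and ends outside the hunk.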
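Review bot: The added `verify = { "peer", "client_once", };` in the s2s listener is unconditional, while the default it replaces in core/certmanager.lua was `(ssl_x509 and { "peer", "client_once", }) or "none"`, so the fallback for a LuaSec without X.509 support is lost. If such builds are still supported, the guard needs to be carried over here or handled where ssl_config is merged; that is not visible in this hunk. The override is also attached only to the listener entry, so it is worth confirming that TLS contexts created for outgoing s2s connections do not now inherit `"none"` from the core default, since certificate-based s2s authentication presumably depends on the peer's chain being verified. A short comment such as `-- s2s authenticates peers by certificate, so request one (core default is "none")` would record why this listener differs. The enclosing table starts and ends outside the hunk.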