Software / code / prosody
Changeset
11368:0bc3acf37428
core.certmanager: Add comments explaining the 'verifyext' TLS settings
Thanks to debacle for reminding me, in the context of mod_auth_ccert
I wonder if we still need lsec_ignore_purpose, Let's Encrypt seems to
include both client and server purposes in certs.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sat, 06 Feb 2021 22:12:38 +0100 |
| parents | 11367:9525c4b4e5de |
| children | 11369:87105a9a11df |
| files | core/certmanager.lua |
| diffstat | 1 files changed, 4 insertions(+), 1 deletions(-) [+] |
line wrap: on
line diff
--- a/core/certmanager.lua Sat Feb 06 21:40:21 2021 +0100 +++ b/core/certmanager.lua Sat Feb 06 22:12:38 2021 +0100 @@ -118,7 +118,10 @@ single_dh_use = luasec_has.options.single_dh_use; single_ecdh_use = luasec_has.options.single_ecdh_use; }; - verifyext = { "lsec_continue", "lsec_ignore_purpose" }; + verifyext = { + "lsec_continue", -- Continue past certificate verification errors + "lsec_ignore_purpose", -- Validate client certificates as if they were server certificates + }; curve = luasec_has.algorithms.ec and not luasec_has.capabilities.curves_list and "secp384r1"; curveslist = { "X25519",
