
13704:1f428259544c

Merge 13.0->trunk
author Kim Alvefur <zash@zash.se>
date Sat, 15 Feb 2025 16:57:31 +0100
parents 13702:4b83dbcddcff (current diff) 13703:99d2100d2918 (diff)
children 13709:8822b5e73951
diffstat 2 files changed, 8 insertions(+), 4 deletions(-) [+]
--- a/core/certmanager.lua	Sat Feb 15 10:34:26 2025 +0000
+++ b/core/certmanager.lua	Sat Feb 15 16:57:31 2025 +0100
@@ -189,10 +189,6 @@
 		single_ecdh_use = tls.features.options.single_ecdh_use;
 		no_renegotiation = tls.features.options.no_renegotiation;
 	};
-	verifyext = {
-		"lsec_continue", -- Continue past certificate verification errors
-		"lsec_ignore_purpose", -- Validate client certificates as if they were server certificates
-	};
 	curve = tls.features.algorithms.ec and not tls.features.capabilities.curves_list and "secp384r1";
 	curveslist = {
 		"X25519",
--- a/plugins/mod_s2s.lua	Sat Feb 15 10:34:26 2025 +0000
+++ b/plugins/mod_s2s.lua	Sat Feb 15 16:57:31 2025 +0100
@@ -1097,6 +1097,10 @@
 		-- FIXME This only applies to Direct TLS, which we don't use yet.
 		-- This gets applied for real in mod_tls
 		verify = { "peer", "client_once", };
+		verifyext = {
+			"lsec_continue", -- Continue past certificate verification errors
+			"lsec_ignore_purpose", -- Validate client certificates as if they were server certificates
+		};
 	};
 	multiplex = {
 		protocol = "xmpp-server";
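Review bot: The `verifyext` table added to this listener's `ssl_config` sits directly under a FIXME stating that this config is not applied yet and that the real settings come from mod_tls, so on its own this hunk does not restore `lsec_continue`/`lsec_ignore_purpose` for STARTTLS s2s now that certmanager.lua no longer supplies them by default. If mod_tls builds its s2s context without these flags (that file is not in this diff), LuaSec will abort the handshake on a purpose mismatch or chain error instead of letting Prosody's own post-handshake certificate checks decide, which may break peers that previously got past the TLS layer. A flag that disables verification failure also deserves a comment stating the condition under which it is acceptable, e.g. `-- Continue past certificate verification errors; only acceptable because mod_s2s inspects the verify result itself, never set this where TLS is the sole authority`. The enclosing listener table begins before the hunk.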
@@ -1111,6 +1115,10 @@
 	encryption = "ssl";
 	ssl_config = {
 		verify = { "peer", "client_once", };
+		verifyext = {
+			"lsec_continue", -- Continue past certificate verification errors
+			"lsec_ignore_purpose", -- Validate client certificates as if they were server certificates
+		};
 	};
 	multiplex = {
 		protocol = "xmpp-server";
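Review bot: The `verifyext` table in this hunk is a byte-for-byte copy of the one in the previous hunk, and every additional s2s listener would need a third copy; declare it once and share it, e.g. `local s2s_verifyext = { "lsec_continue", "lsec_ignore_purpose" };` at module scope and `verifyext = s2s_verifyext;` in both `ssl_config` tables, so the two listeners cannot drift apart. Because this commit removes the global default, any other code path that assembles an s2s TLS context from its own table (mod_tls, per the FIXME in the previous hunk) needs the same flags or s2s peers presenting server certificates while acting as TLS client will fail verification; that path is not visible here. The enclosing listener table begins before the hunk.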