Software / code / prosody
Changeset
9852:6ea3cafb6ac3
core.certmanager: Do not ask for client certificates by default
Since it's mostly only mod_s2s that needs to request client
certificates it makes some sense to have mod_s2s ask for this, instead
of having eg mod_http ask to disable it.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sun, 10 Mar 2019 19:58:28 +0100 |
| parents | 9851:75d2874502c3 |
| children | 9853:9aea8dbb105d |
| files | core/certmanager.lua plugins/mod_http.lua plugins/mod_s2s/mod_s2s.lua |
| diffstat | 3 files changed, 4 insertions(+), 4 deletions(-) [+] |
line wrap: on
line diff
--- a/core/certmanager.lua Sun Mar 10 19:32:33 2019 +0100 +++ b/core/certmanager.lua Sun Mar 10 19:58:28 2019 +0100 @@ -106,7 +106,7 @@ capath = "/etc/ssl/certs"; depth = 9; protocol = "tlsv1+"; - verify = (ssl_x509 and { "peer", "client_once", }) or "none"; + verify = "none"; options = { cipher_server_preference = luasec_has.options.cipher_server_preference; no_ticket = luasec_has.options.no_ticket;
--- a/plugins/mod_http.lua Sun Mar 10 19:32:33 2019 +0100 +++ b/plugins/mod_http.lua Sun Mar 10 19:58:28 2019 +0100 @@ -228,9 +228,6 @@ listener = server.listener; default_port = 5281; encryption = "ssl"; - ssl_config = { - verify = "none"; - }; multiplex = { pattern = "^[A-Z]"; };
--- a/plugins/mod_s2s/mod_s2s.lua Sun Mar 10 19:32:33 2019 +0100 +++ b/plugins/mod_s2s/mod_s2s.lua Sun Mar 10 19:58:28 2019 +0100 @@ -738,6 +738,9 @@ listener = listener; default_port = 5269; encryption = "starttls"; + ssl_config = { + verify = { "peer", "client_once", }; + }; multiplex = { pattern = "^<.*:stream.*%sxmlns%s*=%s*(['\"])jabber:server%1.*>"; };
