author | Kim Alvefur <zash@zash.se> |
Mon, 28 Nov 2016 14:27:59 +0100 | |
changeset 7772 | 2a7b52437167 |
parent 6499 | e4b998ffc922 |
child 6504 | 71b6e8b48a12 |
permissions | -rw-r--r-- |
-- Prosody IM
-- Copyright (C) 2008-2010 Matthew Wild
-- Copyright (C) 2008-2010 Waqas Hussain
--
-- This project is MIT/X11 licensed. Please see the
-- COPYING file in the source package for more information.
--

-- Module dependencies.
local configmanager = require("core.configmanager");
local log = require("util.logger").init("certmanager");

-- LuaSec is optional: the global `ssl` holds it when it is available, and
-- everything below has to cope with it being nil.
local ssl = ssl;
local ssl_newcontext = ssl and ssl.newcontext;

-- Cache the standard functions this module needs; after module() below the
-- plain globals are no longer reachable from this chunk.
local tostring, type = tostring, type;
local io_open = io.open;

-- Relative paths in the SSL config are resolved against the config file's location.
local prosody = prosody;
local resolve_path = configmanager.resolve_relative_path;
local config_path = prosody.paths.config;
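-- Parse LuaSec's _VERSION ("major.minor[.patch]") into numeric major and
-- minor parts. A missing or unparseable version yields 0, 0, so the feature
-- detection below degrades to "no optional features" instead of raising a
-- comparison error (nil > number) while the module loads.
local function parse_luasec_version(version)
	local major, minor = tostring(version):match("^(%d+)%.(%d+)");
	return tonumber(major) or 0, tonumber(minor) or 0;
end

-- Capabilities of the installed LuaSec, decided by version: no_ticket needs
-- 0.4+, verifyext and no_compression need 0.5+. All three stay nil when
-- LuaSec is not loaded at all.
local luasec_has_noticket, luasec_has_verifyext, luasec_has_no_compression;
if ssl then
	local luasec_major, luasec_minor = parse_luasec_version(ssl._VERSION);
	luasec_has_noticket = luasec_major > 0 or luasec_minor >= 4;
	luasec_has_verifyext = luasec_major > 0 or luasec_minor >= 5;
	luasec_has_no_compression = luasec_major > 0 or luasec_minor >= 5;
end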
-- Lua 5.1 module() idiom: from here on, global assignments (including the
-- functions defined below) land in the "certmanager" module table, which
-- module() also exposes as _M (returned at the end of the file). Plain
-- globals such as tostring/type are no longer visible, hence the locals above.
module "certmanager"
-- Defaults used when a host's own "ssl" section omits a setting.
local default_ssl_config = configmanager.get("*", "ssl");
local default_capath = "/etc/ssl/certs";

-- Peer verification is only possible when LuaSec exposes x509 support;
-- without it the default is to not verify at all.
local default_verify = "none";
if ssl and ssl.x509 then
	default_verify = { "peer", "client_once", };
end

-- Default option list: SSLv2/SSLv3 off, server-side cipher ordering, and
-- no_ticket only where this LuaSec understands the flag.
local default_options = { "no_sslv2", "no_sslv3", "cipher_server_preference" };
if luasec_has_noticket then
	default_options[#default_options+1] = "no_ticket";
end

local default_verifyext = { "lsec_continue", "lsec_ignore_purpose" };

-- COMPAT mw/luasec-hg: that fork takes the extended verify flags without
-- the "lsec_" prefix, folded into the ordinary verify list.
if ssl and ssl.x509 and not luasec_has_verifyext then
	for idx = 1, #default_verifyext do
		default_verify[#default_verify+1] = default_verifyext[idx]:sub(6);
	end
end

-- TLS compression stays disabled unless the config explicitly sets
-- ssl_compression = true.
if luasec_has_no_compression and configmanager.get("*", "ssl_compression") ~= true then
	default_options[#default_options+1] = "no_compression";
end

-- A LuaSec new enough for no_compression also knows these two options.
if luasec_has_no_compression then
	default_options[#default_options+1] = "single_dh_use";
	default_options[#default_options+1] = "single_ecdh_use";
end
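-- Turn LuaSec's raw context-creation error into an actionable log line.
-- LuaSec reports file problems as "error loading <what> (<reason>)"; those
-- are rewritten to name the configured path and a likely cause, anything
-- else is logged verbatim. This only logs; the caller still returns `err`.
local function log_context_error(host, ssl_config, err)
	local file = err:match("^error loading (.-) %(");
	if not file then
		log("error", "SSL/TLS: Error initialising for %s: %s", host, err);
		return;
	end
	if file == "private key" then
		file = ssl_config.key or "your private key";
	elseif file == "certificate" then
		file = ssl_config.certificate or "your certificate file";
	end
	-- `reason` is never nil here because of the fallback, so no nil check is needed.
	local reason = err:match("%((.+)%)$") or "some reason";
	if reason == "Permission denied" then
		reason = "Check that the permissions allow Prosody to read this file.";
	elseif reason == "No such file or directory" then
		reason = "Check that the path is correct, and the file exists.";
	elseif reason == "system lib" then
		reason = "Previous error (see logs), or other system error.";
	elseif reason == "(null)" then
		reason = "Check that the file exists and the permissions are correct";
	else
		reason = "Reason: "..tostring(reason):lower();
	end
	log("error", "SSL/TLS: Failed to load '%s': %s (for %s)", file, reason, host);
end

-- Read a DH parameters file once and wrap it in the callback form LuaSec
-- expects. The callback's two arguments are ignored: they mainly exist to
-- select a separate parameter set for EXPORT ciphers, which are not in the
-- default cipher list. Returns the callback, or nil and a message when the
-- file cannot be opened.
local function load_dhparam(path)
	local f, err = io_open(path);
	if not f then return nil, "Could not open DH parameters: "..err; end
	local dhparam = f:read("*a");
	f:close();
	return function() return dhparam; end
end

-- Build a LuaSec context for `host`.
-- host: name used in log and error messages (a virtual host or a service name).
-- mode: "server" or "client", handed straight to LuaSec.
-- user_ssl_config: the host's "ssl" config table; falls back to the global
--   "ssl" section when nil. Each field it omits takes the module default.
--   Note that a user-supplied `options` list replaces default_options
--   wholesale, including no_sslv2/no_sslv3 and no_compression.
-- Returns the context, or nil plus an error string (already logged when it
-- originated in LuaSec).
function create_context(host, mode, user_ssl_config)
	user_ssl_config = user_ssl_config or default_ssl_config;

	if not ssl then return nil, "LuaSec (required for encryption) was not found"; end
	if not user_ssl_config then return nil, "No SSL/TLS configuration present for "..host; end

	local ssl_config = {
		mode = mode;
		-- "sslv23" is the version-flexible method; the real floor is set by
		-- the no_sslv2/no_sslv3 entries in `options`.
		protocol = user_ssl_config.protocol or "sslv23";
		key = resolve_path(config_path, user_ssl_config.key);
		-- Without a configured password an encrypted key can only fail to
		-- load, so the callback logs why instead of returning anything.
		password = user_ssl_config.password or function() log("error", "Encrypted certificate for %s requires 'ssl' 'password' to be set in config", host); end;
		certificate = resolve_path(config_path, user_ssl_config.certificate);
		capath = resolve_path(config_path, user_ssl_config.capath or default_capath);
		cafile = resolve_path(config_path, user_ssl_config.cafile);
		verify = user_ssl_config.verify or default_verify;
		verifyext = user_ssl_config.verifyext or default_verifyext;
		options = user_ssl_config.options or default_options;
		depth = user_ssl_config.depth;
		curve = user_ssl_config.curve or "secp384r1";
		ciphers = user_ssl_config.ciphers or "HIGH+kEDH:HIGH+kEECDH:HIGH:!PSK:!SRP:!3DES:!aNULL";
		dhparam = user_ssl_config.dhparam;
	};

	-- A string dhparam is a file path (relative to the config file); LuaSec
	-- itself only accepts a callback, so load the file into one.
	if type(ssl_config.dhparam) == "string" then
		local dhparam, err = load_dhparam(resolve_path(config_path, ssl_config.dhparam));
		if not dhparam then return nil, err; end
		ssl_config.dhparam = dhparam;
	end

	local ctx, err = ssl_newcontext(ssl_config);

	-- COMPAT: LuaSec 0.4.1 ignores the cipher list from the config, so we have to take
	-- care of it ourselves...
	if ctx and ssl_config.ciphers then
		local success;
		success, err = ssl.context.setcipher(ctx, ssl_config.ciphers);
		if not success then ctx = nil; end
	end

	if not ctx then
		err = err or "invalid ssl config";
		log_context_error(host, ssl_config, err);
	end
	return ctx, err;
end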
-- Re-read the global "ssl" section after a config reload. Only that section
-- is refreshed: the default option list built at load time (including the
-- ssl_compression decision) is not recomputed here.
function reload_ssl_config()
	local fresh_config = configmanager.get("*", "ssl");
	default_ssl_config = fresh_config;
end
-- Keep the cached global "ssl" section in step with the live configuration.
prosody.events.add_handler("config-reloaded", reload_ssl_config);

-- _M is the module table that module "certmanager" above populates.
return _M;