author | Kim Alvefur <zash@zash.se> |
Wed, 12 May 2021 17:22:02 +0200 | |
branch | 0.11 |
changeset 11562 | d0e9ffccdef9 |
parent 11555 | aaf9c6b6d18d |
child 11564 | 3bbb1af92514 |
permissions | -rw-r--r-- |
3369
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
1 |
-- Prosody IM |
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
2 |
-- Copyright (C) 2008-2010 Matthew Wild |
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
3 |
-- Copyright (C) 2008-2010 Waqas Hussain |
5776
bd0ff8ae98a8
Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
5746
diff
changeset
|
4 |
-- |
3369
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
5 |
-- This project is MIT/X11 licensed. Please see the |
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
6 |
-- COPYING file in the source package for more information. |
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
7 |
-- |
9a96969d4670
certmanager: Added copyright header.
Waqas Hussain <waqas20@gmail.com>
parents:
3368
diff
changeset
|
8 |
|
6567
bcf32653cab7
certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents:
6550
diff
changeset
|
9 |
local softreq = require"util.dependencies".softreq; |
bcf32653cab7
certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents:
6550
diff
changeset
|
10 |
local ssl = softreq"ssl"; |
bcf32653cab7
certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents:
6550
diff
changeset
|
11 |
if not ssl then |
bcf32653cab7
certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents:
6550
diff
changeset
|
12 |
return { |
bcf32653cab7
certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents:
6550
diff
changeset
|
13 |
create_context = function () |
bcf32653cab7
certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents:
6550
diff
changeset
|
14 |
return nil, "LuaSec (required for encryption) was not found"; |
bcf32653cab7
certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents:
6550
diff
changeset
|
15 |
end; |
bcf32653cab7
certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents:
6550
diff
changeset
|
16 |
reload_ssl_config = function () end; |
bcf32653cab7
certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents:
6550
diff
changeset
|
17 |
} |
bcf32653cab7
certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents:
6550
diff
changeset
|
18 |
end |
bcf32653cab7
certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents:
6550
diff
changeset
|
19 |
|
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
20 |
local configmanager = require "core.configmanager"; |
2630
e8fc67b73820
certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
21 |
local log = require "util.logger".init("certmanager"); |
6568
ffc0a57889aa
certmanager: Add locals for ssl.context and ssl.x509
Kim Alvefur <zash@zash.se>
parents:
6567
diff
changeset
|
22 |
local ssl_context = ssl.context or softreq"ssl.context"; |
ffc0a57889aa
certmanager: Add locals for ssl.context and ssl.x509
Kim Alvefur <zash@zash.se>
parents:
6567
diff
changeset
|
23 |
local ssl_x509 = ssl.x509 or softreq"ssl.x509"; |
6567
bcf32653cab7
certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents:
6550
diff
changeset
|
24 |
local ssl_newcontext = ssl.newcontext; |
6293
851fb5e9fa0c
core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents:
6165
diff
changeset
|
25 |
local new_config = require"util.sslconfig".new; |
7125
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6906
diff
changeset
|
26 |
local stat = require "lfs".attributes; |
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
27 |
|
7163
5c1ee8c06235
certmanager: Localize tonumber
Matthew Wild <mwild1@gmail.com>
parents:
7148
diff
changeset
|
28 |
local tonumber, tostring = tonumber, tostring; |
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
29 |
local pairs = pairs; |
8407
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8406
diff
changeset
|
30 |
local t_remove = table.remove; |
5820
6bc4077bc1f9
certmanager: Fix dhparam callback, missing imports (Testing, pfft)
Kim Alvefur <zash@zash.se>
parents:
5816
diff
changeset
|
31 |
local type = type; |
6bc4077bc1f9
certmanager: Fix dhparam callback, missing imports (Testing, pfft)
Kim Alvefur <zash@zash.se>
parents:
5816
diff
changeset
|
32 |
local io_open = io.open; |
6294
0033b021038f
core.certmanager: Make create_context() support an arbitrary number of option sets, merging all
Kim Alvefur <zash@zash.se>
parents:
6293
diff
changeset
|
33 |
local select = select; |
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
34 |
|
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
35 |
local prosody = prosody; |
6165
6a184b16b717
core.certmanager, core.moduleapi, mod_storage_sql, mod_storage_sql2: Import from util.paths
Kim Alvefur <zash@zash.se>
parents:
6089
diff
changeset
|
36 |
local resolve_path = require"util.paths".resolve_relative_path; |
7534
2db68d1a6eeb
certmanager: Assume default config path of '.' (fixes prosodyctl check certs when not installed)
Kim Alvefur <zash@zash.se>
parents:
7322
diff
changeset
|
37 |
local config_path = prosody.paths.config or "."; |
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
38 |
|
11553
5a484bd050a7
core.certmanager: Test for SSL options in absence of LuaSec config
Kim Alvefur <zash@zash.se>
parents:
11552
diff
changeset
|
39 |
local function test_option(option) |
5a484bd050a7
core.certmanager: Test for SSL options in absence of LuaSec config
Kim Alvefur <zash@zash.se>
parents:
11552
diff
changeset
|
40 |
return not not ssl_newcontext({mode="server",protocol="sslv23",options={ option }}); |
5a484bd050a7
core.certmanager: Test for SSL options in absence of LuaSec config
Kim Alvefur <zash@zash.se>
parents:
11552
diff
changeset
|
41 |
end |
5a484bd050a7
core.certmanager: Test for SSL options in absence of LuaSec config
Kim Alvefur <zash@zash.se>
parents:
11552
diff
changeset
|
42 |
|
6567
bcf32653cab7
certmanager: Early return from the entire module if LuaSec is unavailable
Kim Alvefur <zash@zash.se>
parents:
6550
diff
changeset
|
43 |
local luasec_major, luasec_minor = ssl._VERSION:match("^(%d+)%.(%d+)"); |
7322
afa83f3ccaad
certmanager: Explicitly tonumber() version number segments before doing arithmetic and avoid relying on implicit coercion (thanks David Favro)
Matthew Wild <mwild1@gmail.com>
parents:
7163
diff
changeset
|
44 |
local luasec_version = tonumber(luasec_major) * 100 + tonumber(luasec_minor); |
11552
55ef50d6cf65
core.certmanager: Attempt to directly access LuaSec config table
Kim Alvefur <zash@zash.se>
parents:
10725
diff
changeset
|
45 |
local luasec_has = ssl.config or softreq"ssl.config" or { |
8406
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8282
diff
changeset
|
46 |
algorithms = { |
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8282
diff
changeset
|
47 |
ec = luasec_version >= 5; |
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8282
diff
changeset
|
48 |
}; |
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8282
diff
changeset
|
49 |
capabilities = { |
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8282
diff
changeset
|
50 |
curves_list = luasec_version >= 7; |
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8282
diff
changeset
|
51 |
}; |
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8282
diff
changeset
|
52 |
options = { |
11553
5a484bd050a7
core.certmanager: Test for SSL options in absence of LuaSec config
Kim Alvefur <zash@zash.se>
parents:
11552
diff
changeset
|
53 |
cipher_server_preference = test_option("cipher_server_preference"); |
5a484bd050a7
core.certmanager: Test for SSL options in absence of LuaSec config
Kim Alvefur <zash@zash.se>
parents:
11552
diff
changeset
|
54 |
no_ticket = test_option("no_ticket"); |
5a484bd050a7
core.certmanager: Test for SSL options in absence of LuaSec config
Kim Alvefur <zash@zash.se>
parents:
11552
diff
changeset
|
55 |
no_compression = test_option("no_compression"); |
5a484bd050a7
core.certmanager: Test for SSL options in absence of LuaSec config
Kim Alvefur <zash@zash.se>
parents:
11552
diff
changeset
|
56 |
single_dh_use = test_option("single_dh_use"); |
5a484bd050a7
core.certmanager: Test for SSL options in absence of LuaSec config
Kim Alvefur <zash@zash.se>
parents:
11552
diff
changeset
|
57 |
single_ecdh_use = test_option("single_ecdh_use"); |
11555
aaf9c6b6d18d
certmanager: Disable renegotiation by default
Matthew Wild <mwild1@gmail.com>
parents:
11553
diff
changeset
|
58 |
no_renegotiation = test_option("no_renegotiation"); |
8406
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8282
diff
changeset
|
59 |
}; |
6569
1f396f0fe832
certmanager: Improve "detection" of features that depend on LuaSec version
Kim Alvefur <zash@zash.se>
parents:
6568
diff
changeset
|
60 |
}; |
4899
0b8134015635
certmanager: Don't use no_ticket option before LuaSec 0.4
Matthew Wild <mwild1@gmail.com>
parents:
4890
diff
changeset
|
61 |
|
6782
6236668da30a
core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents:
6573
diff
changeset
|
62 |
local _ENV = nil; |
8558
4f0f5b49bb03
vairious: Add annotation when an empty environment is set [luacheck]
Kim Alvefur <zash@zash.se>
parents:
8497
diff
changeset
|
63 |
-- luacheck: std none |
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
64 |
|
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
65 |
-- Global SSL options if not overridden per-host |
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
66 |
local global_ssl_config = configmanager.get("*", "ssl"); |
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
67 |
|
7125
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6906
diff
changeset
|
68 |
local global_certificates = configmanager.get("*", "certificates") or "certs"; |
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6906
diff
changeset
|
69 |
|
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6906
diff
changeset
|
70 |
local crt_try = { "", "/%s.crt", "/%s/fullchain.pem", "/%s.pem", }; |
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6906
diff
changeset
|
71 |
local key_try = { "", "/%s.key", "/%s/privkey.pem", "/%s.pem", }; |
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6906
diff
changeset
|
72 |
|
7143
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7125
diff
changeset
|
73 |
local function find_cert(user_certs, name) |
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7125
diff
changeset
|
74 |
local certs = resolve_path(config_path, user_certs or global_certificates); |
8262
db063671b73e
certmanager: Add debug logging (thanks av6)
Matthew Wild <mwild1@gmail.com>
parents:
8162
diff
changeset
|
75 |
log("debug", "Searching %s for a key and certificate for %s...", certs, name); |
7125
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6906
diff
changeset
|
76 |
for i = 1, #crt_try do |
7143
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7125
diff
changeset
|
77 |
local crt_path = certs .. crt_try[i]:format(name); |
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7125
diff
changeset
|
78 |
local key_path = certs .. key_try[i]:format(name); |
7125
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6906
diff
changeset
|
79 |
|
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6906
diff
changeset
|
80 |
if stat(crt_path, "mode") == "file" then |
10713
fcf7f50ccdd0
core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents:
8831
diff
changeset
|
81 |
if crt_path == key_path then |
fcf7f50ccdd0
core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents:
8831
diff
changeset
|
82 |
if key_path:sub(-4) == ".crt" then |
fcf7f50ccdd0
core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents:
8831
diff
changeset
|
83 |
key_path = key_path:sub(1, -4) .. "key"; |
fcf7f50ccdd0
core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents:
8831
diff
changeset
|
84 |
elseif key_path:sub(-13) == "fullchain.pem" then |
fcf7f50ccdd0
core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents:
8831
diff
changeset
|
85 |
key_path = key_path:sub(1, -14) .. "privkey.pem"; |
7125
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6906
diff
changeset
|
86 |
end |
10713
fcf7f50ccdd0
core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents:
8831
diff
changeset
|
87 |
end |
fcf7f50ccdd0
core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents:
8831
diff
changeset
|
88 |
|
fcf7f50ccdd0
core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
Kim Alvefur <zash@zash.se>
parents:
8831
diff
changeset
|
89 |
if stat(key_path, "mode") == "file" then |
8262
db063671b73e
certmanager: Add debug logging (thanks av6)
Matthew Wild <mwild1@gmail.com>
parents:
8162
diff
changeset
|
90 |
log("debug", "Selecting certificate %s with key %s for %s", crt_path, key_path, name); |
7148
b1a109858502
certmanager: Try filename.key if certificate is set to a full filename ending with .crt
Kim Alvefur <zash@zash.se>
parents:
7147
diff
changeset
|
91 |
return { certificate = crt_path, key = key_path }; |
7125
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6906
diff
changeset
|
92 |
end |
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6906
diff
changeset
|
93 |
end |
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6906
diff
changeset
|
94 |
end |
8262
db063671b73e
certmanager: Add debug logging (thanks av6)
Matthew Wild <mwild1@gmail.com>
parents:
8162
diff
changeset
|
95 |
log("debug", "No certificate/key found for %s", name); |
7125
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6906
diff
changeset
|
96 |
end |
89c51ee23122
core.certmanager: Look for certificate and key in a few different places
Kim Alvefur <zash@zash.se>
parents:
6906
diff
changeset
|
97 |
|
7143
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7125
diff
changeset
|
98 |
local function find_host_cert(host) |
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7125
diff
changeset
|
99 |
if not host then return nil; end |
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7125
diff
changeset
|
100 |
return find_cert(configmanager.get(host, "certificate"), host) or find_host_cert(host:match("%.(.+)$")); |
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7125
diff
changeset
|
101 |
end |
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7125
diff
changeset
|
102 |
|
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7125
diff
changeset
|
103 |
local function find_service_cert(service, port) |
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7125
diff
changeset
|
104 |
local cert_config = configmanager.get("*", service.."_certificate"); |
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7125
diff
changeset
|
105 |
if type(cert_config) == "table" then |
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7125
diff
changeset
|
106 |
cert_config = cert_config[port] or cert_config.default; |
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7125
diff
changeset
|
107 |
end |
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7125
diff
changeset
|
108 |
return find_cert(cert_config, service); |
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7125
diff
changeset
|
109 |
end |
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7125
diff
changeset
|
110 |
|
6079
5cffee5b2826
certmanager: Reformat core ssl defaults
Kim Alvefur <zash@zash.se>
parents:
6078
diff
changeset
|
111 |
-- Built-in defaults |
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
112 |
local core_defaults = { |
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
113 |
capath = "/etc/ssl/certs"; |
6571
b54b33f59c6e
certmanager: Limit certificate chain depth to 9
Kim Alvefur <zash@zash.se>
parents:
6570
diff
changeset
|
114 |
depth = 9; |
6078
30ac122acdd3
certmanager: Support ssl.protocol syntax like "tlsv1+" that disables older protocols
Kim Alvefur <zash@zash.se>
parents:
6077
diff
changeset
|
115 |
protocol = "tlsv1+"; |
6568
ffc0a57889aa
certmanager: Add locals for ssl.context and ssl.x509
Kim Alvefur <zash@zash.se>
parents:
6567
diff
changeset
|
116 |
verify = (ssl_x509 and { "peer", "client_once", }) or "none"; |
6079
5cffee5b2826
certmanager: Reformat core ssl defaults
Kim Alvefur <zash@zash.se>
parents:
6078
diff
changeset
|
117 |
options = { |
8406
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8282
diff
changeset
|
118 |
cipher_server_preference = luasec_has.options.cipher_server_preference; |
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8282
diff
changeset
|
119 |
no_ticket = luasec_has.options.no_ticket; |
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8282
diff
changeset
|
120 |
no_compression = luasec_has.options.no_compression and configmanager.get("*", "ssl_compression") ~= true; |
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8282
diff
changeset
|
121 |
single_dh_use = luasec_has.options.single_dh_use; |
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8282
diff
changeset
|
122 |
single_ecdh_use = luasec_has.options.single_ecdh_use; |
11555
aaf9c6b6d18d
certmanager: Disable renegotiation by default
Matthew Wild <mwild1@gmail.com>
parents:
11553
diff
changeset
|
123 |
no_renegotiation = luasec_has.options.no_renegotiation; |
6079
5cffee5b2826
certmanager: Reformat core ssl defaults
Kim Alvefur <zash@zash.se>
parents:
6078
diff
changeset
|
124 |
}; |
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
125 |
verifyext = { "lsec_continue", "lsec_ignore_purpose" }; |
8408
a3cf899fd61b
certmanager: Set single curve conditioned on LuaSec advertising EC crypto support
Kim Alvefur <zash@zash.se>
parents:
8407
diff
changeset
|
126 |
curve = luasec_has.algorithms.ec and not luasec_has.capabilities.curves_list and "secp384r1"; |
8282
92cddfe65003
core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents:
8277
diff
changeset
|
127 |
curveslist = { |
92cddfe65003
core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents:
8277
diff
changeset
|
128 |
"X25519", |
92cddfe65003
core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents:
8277
diff
changeset
|
129 |
"P-384", |
92cddfe65003
core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents:
8277
diff
changeset
|
130 |
"P-256", |
92cddfe65003
core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents:
8277
diff
changeset
|
131 |
"P-521", |
92cddfe65003
core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents:
8277
diff
changeset
|
132 |
}; |
7666
54424e981796
core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents:
7534
diff
changeset
|
133 |
ciphers = { -- Enabled ciphers in order of preference: |
10725
3a1b1d3084fb
core.certmanager: Move EECDH ciphers before EDH in default cipherstring (fixes #1513)
Kim Alvefur <zash@zash.se>
parents:
10713
diff
changeset
|
134 |
"HIGH+kEECDH", -- Ephemeral Elliptic curve Diffie-Hellman key exchange |
7666
54424e981796
core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents:
7534
diff
changeset
|
135 |
"HIGH+kEDH", -- Ephemeral Diffie-Hellman key exchange, if a 'dhparam' file is set |
54424e981796
core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents:
7534
diff
changeset
|
136 |
"HIGH", -- Other "High strength" ciphers |
54424e981796
core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents:
7534
diff
changeset
|
137 |
-- Disabled cipher suites: |
54424e981796
core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents:
7534
diff
changeset
|
138 |
"!PSK", -- Pre-Shared Key - not used for XMPP |
54424e981796
core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents:
7534
diff
changeset
|
139 |
"!SRP", -- Secure Remote Password - not used for XMPP |
54424e981796
core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents:
7534
diff
changeset
|
140 |
"!3DES", -- 3DES - slow and of questionable security |
54424e981796
core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents:
7534
diff
changeset
|
141 |
"!aNULL", -- Ciphers that does not authenticate the connection |
54424e981796
core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents:
7534
diff
changeset
|
142 |
}; |
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
143 |
} |
8407
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8406
diff
changeset
|
144 |
|
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8406
diff
changeset
|
145 |
if luasec_has.curves then |
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8406
diff
changeset
|
146 |
for i = #core_defaults.curveslist, 1, -1 do |
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8406
diff
changeset
|
147 |
if not luasec_has.curves[ core_defaults.curveslist[i] ] then |
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8406
diff
changeset
|
148 |
t_remove(core_defaults.curveslist, i); |
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8406
diff
changeset
|
149 |
end |
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8406
diff
changeset
|
150 |
end |
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8406
diff
changeset
|
151 |
else |
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8406
diff
changeset
|
152 |
core_defaults.curveslist = nil; |
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8406
diff
changeset
|
153 |
end |
ca52d40e74da
certmanager: Filter out curves not supported by LuaSec
Kim Alvefur <zash@zash.se>
parents:
8406
diff
changeset
|
154 |
|
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
155 |
local path_options = { -- These we pass through resolve_path() |
5822
970c666c5586
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5821
diff
changeset
|
156 |
key = true, certificate = true, cafile = true, capath = true, dhparam = true |
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
157 |
} |
5282
4cd57cb49f99
core.certmanager: Add support for LuaSec 0.5. Also compat with MattJs luasec-hg
Kim Alvefur <zash@zash.se>
parents:
4992
diff
changeset
|
158 |
|
6573
70e65ac65219
certmanager: Fix compat for MattJs old LuaSec fork
Kim Alvefur <zash@zash.se>
parents:
6572
diff
changeset
|
159 |
if luasec_version < 5 and ssl_x509 then |
5282
4cd57cb49f99
core.certmanager: Add support for LuaSec 0.5. Also compat with MattJs luasec-hg
Kim Alvefur <zash@zash.se>
parents:
4992
diff
changeset
|
160 |
-- COMPAT mw/luasec-hg |
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
161 |
for i=1,#core_defaults.verifyext do -- Remove lsec_ prefix |
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
162 |
core_defaults.verify[#core_defaults.verify+1] = core_defaults.verifyext[i]:sub(6); |
5282
4cd57cb49f99
core.certmanager: Add support for LuaSec 0.5. Also compat with MattJs luasec-hg
Kim Alvefur <zash@zash.se>
parents:
4992
diff
changeset
|
163 |
end |
4cd57cb49f99
core.certmanager: Add support for LuaSec 0.5. Also compat with MattJs luasec-hg
Kim Alvefur <zash@zash.se>
parents:
4992
diff
changeset
|
164 |
end |
5678
b7ebeae14053
certmanager: Add single_dh_use and single_ecdh_use to default options
Matthew Wild <mwild1@gmail.com>
parents:
5676
diff
changeset
|
165 |
|
6782
6236668da30a
core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents:
6573
diff
changeset
|
166 |
local function create_context(host, mode, ...) |
6293
851fb5e9fa0c
core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents:
6165
diff
changeset
|
167 |
local cfg = new_config(); |
851fb5e9fa0c
core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents:
6165
diff
changeset
|
168 |
cfg:apply(core_defaults); |
8830
1a29b56a2d63
core.certmanager: Allow all non-whitespace in service name (fixes #1019)
Kim Alvefur <zash@zash.se>
parents:
8497
diff
changeset
|
169 |
local service_name, port = host:match("^(%S+) port (%d+)$"); |
7143
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7125
diff
changeset
|
170 |
if service_name then |
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7125
diff
changeset
|
171 |
cfg:apply(find_service_cert(service_name, tonumber(port))); |
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7125
diff
changeset
|
172 |
else |
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7125
diff
changeset
|
173 |
cfg:apply(find_host_cert(host)); |
b19438c2ca1b
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
Matthew Wild <mwild1@gmail.com>
parents:
7125
diff
changeset
|
174 |
end |
6293
851fb5e9fa0c
core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents:
6165
diff
changeset
|
175 |
cfg:apply({ |
851fb5e9fa0c
core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents:
6165
diff
changeset
|
176 |
mode = mode, |
851fb5e9fa0c
core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents:
6165
diff
changeset
|
177 |
-- We can't read the password interactively when daemonized |
851fb5e9fa0c
core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents:
6165
diff
changeset
|
178 |
password = function() log("error", "Encrypted certificate for %s requires 'ssl' 'password' to be set in config", host); end; |
851fb5e9fa0c
core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents:
6165
diff
changeset
|
179 |
}); |
7147
f855ba7da30e
certmanager: Apply global ssl config later so certificate/key is not overwritten by magic
Kim Alvefur <zash@zash.se>
parents:
7143
diff
changeset
|
180 |
cfg:apply(global_ssl_config); |
6076
e0713386319a
certmanager: Wrap long line and add comment
Kim Alvefur <zash@zash.se>
parents:
6075
diff
changeset
|
181 |
|
6294
0033b021038f
core.certmanager: Make create_context() support an arbitrary number of option sets, merging all
Kim Alvefur <zash@zash.se>
parents:
6293
diff
changeset
|
182 |
for i = select('#', ...), 1, -1 do |
0033b021038f
core.certmanager: Make create_context() support an arbitrary number of option sets, merging all
Kim Alvefur <zash@zash.se>
parents:
6293
diff
changeset
|
183 |
cfg:apply(select(i, ...)); |
0033b021038f
core.certmanager: Make create_context() support an arbitrary number of option sets, merging all
Kim Alvefur <zash@zash.se>
parents:
6293
diff
changeset
|
184 |
end |
0033b021038f
core.certmanager: Make create_context() support an arbitrary number of option sets, merging all
Kim Alvefur <zash@zash.se>
parents:
6293
diff
changeset
|
185 |
local user_ssl_config = cfg:final(); |
6293
851fb5e9fa0c
core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents:
6165
diff
changeset
|
186 |
|
851fb5e9fa0c
core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents:
6165
diff
changeset
|
187 |
if mode == "server" then |
8497
4f75f4da6d4e
certmanager: Check for missing certificate before key in configuration (should be marginally less confusing)
Kim Alvefur <zash@zash.se>
parents:
8408
diff
changeset
|
188 |
if not user_ssl_config.certificate then return nil, "No certificate present in SSL/TLS configuration for "..host; end |
6293
851fb5e9fa0c
core.certmanager: Use util.sslconfig
Kim Alvefur <zash@zash.se>
parents:
6165
diff
changeset
|
189 |
if not user_ssl_config.key then return nil, "No key present in SSL/TLS configuration for "..host; end |
6077
6999d4415a58
certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost
Kim Alvefur <zash@zash.se>
parents:
6076
diff
changeset
|
190 |
end |
6999d4415a58
certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost
Kim Alvefur <zash@zash.se>
parents:
6076
diff
changeset
|
191 |
|
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
192 |
for option in pairs(path_options) do |
5822
970c666c5586
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5821
diff
changeset
|
193 |
if type(user_ssl_config[option]) == "string" then |
970c666c5586
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5821
diff
changeset
|
194 |
user_ssl_config[option] = resolve_path(config_path, user_ssl_config[option]); |
6906
5ff42d85d4d5
core.certmanager: Remove non-string filenames (allows setting eg capath to false to disable the built in default)
Kim Alvefur <zash@zash.se>
parents:
6782
diff
changeset
|
195 |
else |
5ff42d85d4d5
core.certmanager: Remove non-string filenames (allows setting eg capath to false to disable the built in default)
Kim Alvefur <zash@zash.se>
parents:
6782
diff
changeset
|
196 |
user_ssl_config[option] = nil; |
5822
970c666c5586
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5821
diff
changeset
|
197 |
end |
5816
20e2b588f8c2
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5815
diff
changeset
|
198 |
end |
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
199 |
|
5816
20e2b588f8c2
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5815
diff
changeset
|
200 |
-- LuaSec expects dhparam to be a callback that takes two arguments. |
20e2b588f8c2
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5815
diff
changeset
|
201 |
-- We ignore those because it is mostly used for having a separate |
20e2b588f8c2
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5815
diff
changeset
|
202 |
-- set of params for EXPORT ciphers, which we don't have by default. |
5822
970c666c5586
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5821
diff
changeset
|
203 |
if type(user_ssl_config.dhparam) == "string" then |
970c666c5586
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5821
diff
changeset
|
204 |
local f, err = io_open(user_ssl_config.dhparam); |
5816
20e2b588f8c2
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5815
diff
changeset
|
205 |
if not f then return nil, "Could not open DH parameters: "..err end |
20e2b588f8c2
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5815
diff
changeset
|
206 |
local dhparam = f:read("*a"); |
20e2b588f8c2
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5815
diff
changeset
|
207 |
f:close(); |
5822
970c666c5586
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5821
diff
changeset
|
208 |
user_ssl_config.dhparam = function() return dhparam; end |
5816
20e2b588f8c2
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5815
diff
changeset
|
209 |
end |
20e2b588f8c2
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Kim Alvefur <zash@zash.se>
parents:
5815
diff
changeset
|
210 |
|
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
211 |
local ctx, err = ssl_newcontext(user_ssl_config); |
4359
c69cbac4178f
certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents:
3670
diff
changeset
|
212 |
|
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
213 |
-- COMPAT Older LuaSec ignores the cipher list from the config, so we have to take care |
4359
c69cbac4178f
certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents:
3670
diff
changeset
|
214 |
-- of it ourselves (W/A for #x) |
c69cbac4178f
certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents:
3670
diff
changeset
|
215 |
if ctx and user_ssl_config.ciphers then |
c69cbac4178f
certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents:
3670
diff
changeset
|
216 |
local success; |
6568
ffc0a57889aa
certmanager: Add locals for ssl.context and ssl.x509
Kim Alvefur <zash@zash.se>
parents:
6567
diff
changeset
|
217 |
success, err = ssl_context.setcipher(ctx, user_ssl_config.ciphers); |
4359
c69cbac4178f
certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents:
3670
diff
changeset
|
218 |
if not success then ctx = nil; end |
c69cbac4178f
certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents:
3670
diff
changeset
|
219 |
end |
c69cbac4178f
certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option.
Waqas Hussain <waqas20@gmail.com>
parents:
3670
diff
changeset
|
220 |
|
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
221 |
if not ctx then |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
222 |
err = err or "invalid ssl config" |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
223 |
local file = err:match("^error loading (.-) %("); |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
224 |
if file then |
7746
d018ffc9238c
core.certmanager: Translate "no start line" to something friendlier (thanks santiago)
Kim Alvefur <zash@zash.se>
parents:
7666
diff
changeset
|
225 |
local typ; |
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
226 |
if file == "private key" then |
7746
d018ffc9238c
core.certmanager: Translate "no start line" to something friendlier (thanks santiago)
Kim Alvefur <zash@zash.se>
parents:
7666
diff
changeset
|
227 |
typ = file; |
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
228 |
file = user_ssl_config.key or "your private key"; |
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
229 |
elseif file == "certificate" then |
7746
d018ffc9238c
core.certmanager: Translate "no start line" to something friendlier (thanks santiago)
Kim Alvefur <zash@zash.se>
parents:
7666
diff
changeset
|
230 |
typ = file; |
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
231 |
file = user_ssl_config.certificate or "your certificate file"; |
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
232 |
end |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
233 |
local reason = err:match("%((.+)%)$") or "some reason"; |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
234 |
if reason == "Permission denied" then |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
235 |
reason = "Check that the permissions allow Prosody to read this file."; |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
236 |
elseif reason == "No such file or directory" then |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
237 |
reason = "Check that the path is correct, and the file exists."; |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
238 |
elseif reason == "system lib" then |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
239 |
reason = "Previous error (see logs), or other system error."; |
7746
d018ffc9238c
core.certmanager: Translate "no start line" to something friendlier (thanks santiago)
Kim Alvefur <zash@zash.se>
parents:
7666
diff
changeset
|
240 |
elseif reason == "no start line" then |
d018ffc9238c
core.certmanager: Translate "no start line" to something friendlier (thanks santiago)
Kim Alvefur <zash@zash.se>
parents:
7666
diff
changeset
|
241 |
reason = "Check that the file contains a "..(typ or file); |
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
242 |
elseif reason == "(null)" or not reason then |
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
243 |
reason = "Check that the file exists and the permissions are correct"; |
2630
e8fc67b73820
certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
244 |
else |
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
245 |
reason = "Reason: "..tostring(reason):lower(); |
2630
e8fc67b73820
certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
246 |
end |
4925
55f6e0673e33
certmanager: Add quotes around cert file path when logging.
Waqas Hussain <waqas20@gmail.com>
parents:
4900
diff
changeset
|
247 |
log("error", "SSL/TLS: Failed to load '%s': %s (for %s)", file, reason, host); |
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
248 |
else |
4855
a31ea431d906
certmanager: Adjust error messages to be non-specific about 'host' (so we can specify a service name instead ffor SSL)
Matthew Wild <mwild1@gmail.com>
parents:
4656
diff
changeset
|
249 |
log("error", "SSL/TLS: Error initialising for %s: %s", host, err); |
3355
9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
Matthew Wild <mwild1@gmail.com>
parents:
2739
diff
changeset
|
250 |
end |
3540
bc139431830b
Monster whitespace commit (beware the whitespace monster).
Waqas Hussain <waqas20@gmail.com>
parents:
3402
diff
changeset
|
251 |
end |
6529
873538f0b18c
certmanager, mod_tls: Return final ssl config as third return value (fix for c6caaa440e74, portmanager assumes non-falsy second return value is an error) (thanks deoren)
Kim Alvefur <zash@zash.se>
parents:
6523
diff
changeset
|
252 |
return ctx, err, user_ssl_config; |
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
253 |
end |
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
254 |
|
6782
6236668da30a
core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents:
6573
diff
changeset
|
255 |
local function reload_ssl_config() |
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
256 |
global_ssl_config = configmanager.get("*", "ssl"); |
8162
3850993a9bda
certmanager: Update the 'certificates' option after the config has been reloaded (fixes #929)
Kim Alvefur <zash@zash.se>
parents:
7746
diff
changeset
|
257 |
global_certificates = configmanager.get("*", "certificates") or "certs"; |
8406
ba39d3a1d42e
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
Kim Alvefur <zash@zash.se>
parents:
8282
diff
changeset
|
258 |
if luasec_has.options.no_compression then |
6080
b7d1607df87d
certmanager: Update ssl_compression when config is reloaded
Kim Alvefur <zash@zash.se>
parents:
6079
diff
changeset
|
259 |
core_defaults.options.no_compression = configmanager.get("*", "ssl_compression") ~= true; |
b7d1607df87d
certmanager: Update ssl_compression when config is reloaded
Kim Alvefur <zash@zash.se>
parents:
6079
diff
changeset
|
260 |
end |
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
261 |
end |
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
262 |
|
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
263 |
prosody.events.add_handler("config-reloaded", reload_ssl_config); |
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
264 |
|
6782
6236668da30a
core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents:
6573
diff
changeset
|
265 |
return { |
6236668da30a
core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents:
6573
diff
changeset
|
266 |
create_context = create_context; |
6236668da30a
core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents:
6573
diff
changeset
|
267 |
reload_ssl_config = reload_ssl_config; |
8277
3798955049e3
prosodyctl: cert import: Reuse function from certmanager for locating certificates and keys
Kim Alvefur <zash@zash.se>
parents:
8262
diff
changeset
|
268 |
find_cert = find_cert; |
6782
6236668da30a
core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents:
6573
diff
changeset
|
269 |
}; |