net: refactor sslconfig to not depend on LuaSec This now requires that the network backend exposes a tls_builder function, which essentially wraps the former util.sslconfig.new() function, passing a factory to create the eventual SSL context. That allows a net.server backend to pick whatever it likes as SSL context factory, as long as it understands the config table passed by the SSL config builder. Heck, a backend could even mock and replace the entire SSL config builder API.

net: isolate LuaSec-specifics For this, various accessor functions are now provided directly on the sockets, which reach down into the LuaSec implementation to obtain the information. While this may seem of little gain at first, it hides the implementation detail of the LuaSec+LuaSocket combination that the actual socket and the TLS layer are separate objects. The net gain here is that an alternative implementation does not have to emulate that specific implementation detail and "only" has to expose LuaSec-compatible data structures on the new functions.

core.moduleapi: Fix 'global' property via :context() - #1748 The 'global' property should reflect whether the module API instance represents the global context or a VirtualHost or Component context. However the module:context() method did not override this, leading the property of the previous module shining trough, leading to bugs in code relying on the 'global' property. See also #1736

Merge 0.12->trunk

util.argparse: Revise 553c6204fe5b with a different approach The second return value is (not insensibly) assumed to be an error. Instead of returning a value there in the success case, copy the positional arguments into the existing opts table.

Merge 0.12->trunk

util.argparse: Return final 'arg' table with positional arguments for convenience This is the same as the input table (which is mutated during processing), but if that table was created on the fly, such as by packing `...` it's convenient if it also gets returned from the parse function.

mod_s2s: Improve robustness of outgoing s2s certificate verification This change ensures we have positively verified the certificates of the server we are connecting to before marking the session as authenticated. It protects against situations where the verify-or-close stage of the connection was interrupted (e.g. due to an uncaught error). Thanks to Zash for discovery and testing.

mod_s2s: Distinguish DANE TLSA errors from generic cert chain errors Otherwise it would just report "is not trusted" unless you inspect the logs. This message is sent to to the remote server, and will hopefully show up in their logs, allowing the admin to fix their DANE setup.

mod_s2s: Recognise and report errors with CA or intermediate certs Should be invoked for cases such as when the Let's Encrypt intermediate certificate expired not too long ago.