Jonas Schäfer <jonas@wielicki.name> [Sat, 02 Apr 2022 11:15:33 +0200] rev 12485
net: refactor sslconfig to not depend on LuaSec
This now requires that the network backend exposes a tls_builder
function, which essentially wraps the former util.sslconfig.new()
function, passing a factory to create the eventual SSL context.
That allows a net.server backend to pick whatever it likes as SSL
context factory, as long as it understands the config table passed by
the SSL config builder. Heck, a backend could even mock and replace the
entire SSL config builder API.
Jonas Schäfer <jonas@wielicki.name> [Wed, 27 Apr 2022 17:44:14 +0200] rev 12484
net: isolate LuaSec-specifics
For this, various accessor functions are now provided directly on the
sockets, which reach down into the LuaSec implementation to obtain the
information.
While this may seem of little gain at first, it hides the implementation
detail of the LuaSec+LuaSocket combination that the actual socket and
the TLS layer are separate objects.
The net gain here is that an alternative implementation does not have to
emulate that specific implementation detail and "only" has to expose
LuaSec-compatible data structures on the new functions.
Kim Alvefur <zash@zash.se> [Wed, 27 Apr 2022 17:18:46 +0200] rev 12483
core.moduleapi: Fix 'global' property via :context() - #1748
The 'global' property should reflect whether the module API instance
represents the global context or a VirtualHost or Component context.
However the module:context() method did not override this, leading the
property of the previous module shining through, leading to bugs in code
relying on the 'global' property.
See also #1736
Matthew Wild <mwild1@gmail.com> [Mon, 25 Apr 2022 16:35:10 +0100] rev 12482
Merge 0.12->trunk
Matthew Wild <mwild1@gmail.com> [Mon, 25 Apr 2022 15:24:56 +0100] rev 12481
util.argparse: Revise 553c6204fe5b with a different approach
The second return value is (not insensibly) assumed to be an error. Instead of
returning a value there in the success case, copy the positional arguments
into the existing opts table.
Matthew Wild <mwild1@gmail.com> [Mon, 25 Apr 2022 15:09:53 +0100] rev 12480
Merge 0.12->trunk
Matthew Wild <mwild1@gmail.com> [Mon, 25 Apr 2022 15:09:41 +0100] rev 12479
util.argparse: Return final 'arg' table with positional arguments for convenience
This is the same as the input table (which is mutated during processing), but
if that table was created on the fly, such as by packing `...` it's convenient
if it also gets returned from the parse function.
Matthew Wild <mwild1@gmail.com> [Mon, 25 Apr 2022 15:07:49 +0100] rev 12478
mod_s2s: Improve robustness of outgoing s2s certificate verification
This change ensures we have positively verified the certificates of the server
we are connecting to before marking the session as authenticated. It protects
against situations where the verify-or-close stage of the connection was
interrupted (e.g. due to an uncaught error).
Thanks to Zash for discovery and testing.
Kim Alvefur <zash@zash.se> [Mon, 25 Apr 2022 14:41:54 +0200] rev 12477
mod_s2s: Distinguish DANE TLSA errors from generic cert chain errors
Otherwise it would just report "is not trusted" unless you inspect the
logs. This message is sent to the remote server, and will hopefully
show up in their logs, allowing the admin to fix their DANE setup.
Kim Alvefur <zash@zash.se> [Mon, 25 Apr 2022 14:36:56 +0200] rev 12476
mod_s2s: Recognise and report errors with CA or intermediate certs
Should be invoked for cases such as when the Let's Encrypt intermediate
certificate expired not too long ago.