Jonas Schäfer <jonas@wielicki.name> [Sat, 02 Apr 2022 11:18:57 +0200] rev 12487
mod_tls: tell network backend to stop reading while preparing TLS
Jonas Schäfer <jonas@wielicki.name> [Fri, 17 Sep 2021 21:18:30 +0200] rev 12486
mod_tls: Do not offer TLS if the connection is considered secure
This may be necessary if the session.conn object is not exchanged by the
network backend when establishing TLS. In that case, the starttls method
will always exist and thus that is not a good indicator for offering
TLS.
However, the secure bit already tells us that TLS has been established
or is not to be established on the connection, so we use that instead.
Jonas Schäfer <jonas@wielicki.name> [Sat, 02 Apr 2022 11:15:33 +0200] rev 12485
net: refactor sslconfig to not depend on LuaSec
This now requires that the network backend exposes a tls_builder
function, which essentially wraps the former util.sslconfig.new()
function, passing a factory to create the eventual SSL context.
That allows a net.server backend to pick whatever it likes as SSL
context factory, as long as it understands the config table passed by
the SSL config builder. Heck, a backend could even mock and replace the
entire SSL config builder API.
Jonas Schäfer <jonas@wielicki.name> [Wed, 27 Apr 2022 17:44:14 +0200] rev 12484
net: isolate LuaSec-specifics
For this, various accessor functions are now provided directly on the
sockets, which reach down into the LuaSec implementation to obtain the
information.
While this may seem of little gain at first, it hides the implementation
detail of the LuaSec+LuaSocket combination that the actual socket and
the TLS layer are separate objects.
The net gain here is that an alternative implementation does not have to
emulate that specific implementation detail and "only" has to expose
LuaSec-compatible data structures on the new functions.
Kim Alvefur <zash@zash.se> [Wed, 27 Apr 2022 17:18:46 +0200] rev 12483
core.moduleapi: Fix 'global' property via :context() - #1748
The 'global' property should reflect whether the module API instance
represents the global context or a VirtualHost or Component context.
However the module:context() method did not override this, leading to the
property of the previous module shining through, leading to bugs in code
relying on the 'global' property.
See also #1736
Matthew Wild <mwild1@gmail.com> [Mon, 25 Apr 2022 16:35:10 +0100] rev 12482
Merge 0.12->trunk
Matthew Wild <mwild1@gmail.com> [Mon, 25 Apr 2022 15:24:56 +0100] rev 12481
util.argparse: Revise 553c6204fe5b with a different approach
The second return value is (not insensibly) assumed to be an error. Instead of
returning a value there in the success case, copy the positional arguments
into the existing opts table.
Matthew Wild <mwild1@gmail.com> [Mon, 25 Apr 2022 15:09:53 +0100] rev 12480
Merge 0.12->trunk
Matthew Wild <mwild1@gmail.com> [Mon, 25 Apr 2022 15:09:41 +0100] rev 12479
util.argparse: Return final 'arg' table with positional arguments for convenience
This is the same as the input table (which is mutated during processing), but
if that table was created on the fly, such as by packing `...` it's convenient
if it also gets returned from the parse function.
Matthew Wild <mwild1@gmail.com> [Mon, 25 Apr 2022 15:07:49 +0100] rev 12478
mod_s2s: Improve robustness of outgoing s2s certificate verification
This change ensures we have positively verified the certificates of the server
we are connecting to before marking the session as authenticated. It protects
against situations where the verify-or-close stage of the connection was
interrupted (e.g. due to an uncaught error).
Thanks to Zash for discovery and testing.