Mercurial Mercurial > prosody > prosody / changeset
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
core.certmanager: Add comments explaining the 'verifyext' TLS settings
authorKim Alvefur <zash@zash.se>
Sat, 06 Feb 2021 22:12:38 +0100
changeset 11372 0bc3acf37428
parent 11371 9525c4b4e5de
child 11373 87105a9a11df
core.certmanager: Add comments explaining the 'verifyext' TLS settings Thanks to debacle for reminding me, in the context of mod_auth_ccert I wonder if we still need lsec_ignore_purpose, Let's Encrypt seems to include both client and server purposes in certs.
core/certmanager.lua file | annotate | diff | comparison | revisions 
--- a/core/certmanager.lua	Sat Feb 06 21:40:21 2021 +0100
+++ b/core/certmanager.lua	Sat Feb 06 22:12:38 2021 +0100
@@ -118,7 +118,10 @@
 		single_dh_use = luasec_has.options.single_dh_use;
 		single_ecdh_use = luasec_has.options.single_ecdh_use;
 	};
-	verifyext = { "lsec_continue", "lsec_ignore_purpose" };
+	verifyext = {
+		"lsec_continue", -- Continue past certificate verification errors
+		"lsec_ignore_purpose", -- Validate client certificates as if they were server certificates
+	};
 	curve = luasec_has.algorithms.ec and not luasec_has.capabilities.curves_list and "secp384r1";
 	curveslist = {
 		"X25519",
prosody