prosody: core/certmanager.lua@54a936345aaa (annotated)

3369 9a96969d4670 certmanager: Added copyright header. Waqas Hussain <waqas20@gmail.com> parents: 3368 diff changeset	1	-- Prosody IM
9a96969d4670 certmanager: Added copyright header. Waqas Hussain <waqas20@gmail.com> parents: 3368 diff changeset	2	-- Copyright (C) 2008-2010 Matthew Wild
9a96969d4670 certmanager: Added copyright header. Waqas Hussain <waqas20@gmail.com> parents: 3368 diff changeset	3	-- Copyright (C) 2008-2010 Waqas Hussain
5776 bd0ff8ae98a8 Remove all trailing whitespace Florian Zeitz <florob@babelmonkeys.de> parents: 5746 diff changeset	4	--
3369 9a96969d4670 certmanager: Added copyright header. Waqas Hussain <waqas20@gmail.com> parents: 3368 diff changeset	5	-- This project is MIT/X11 licensed. Please see the
9a96969d4670 certmanager: Added copyright header. Waqas Hussain <waqas20@gmail.com> parents: 3368 diff changeset	6	-- COPYING file in the source package for more information.
9a96969d4670 certmanager: Added copyright header. Waqas Hussain <waqas20@gmail.com> parents: 3368 diff changeset	7	--
9a96969d4670 certmanager: Added copyright header. Waqas Hussain <waqas20@gmail.com> parents: 3368 diff changeset	8
12335 49739369dcad core.certmanager: Turn soft dependency on LuaSec into a hard Kim Alvefur <zash@zash.se> parents: 12291 diff changeset	9	local ssl = require "ssl";
2554 b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts Matthew Wild <mwild1@gmail.com> parents: diff changeset	10	local configmanager = require "core.configmanager";
2630 e8fc67b73820 certmanager: Bring back the friendly errors when failing to load the key/certificate file Matthew Wild <mwild1@gmail.com> parents: 2564 diff changeset	11	local log = require "util.logger".init("certmanager");
12335 49739369dcad core.certmanager: Turn soft dependency on LuaSec into a hard Kim Alvefur <zash@zash.se> parents: 12291 diff changeset	12	local ssl_context = ssl.context or require "ssl.context";
6567 bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable Kim Alvefur <zash@zash.se> parents: 6550 diff changeset	13	local ssl_newcontext = ssl.newcontext;
6293 851fb5e9fa0c core.certmanager: Use util.sslconfig Kim Alvefur <zash@zash.se> parents: 6165 diff changeset	14	local new_config = require"util.sslconfig".new;
7125 89c51ee23122 core.certmanager: Look for certificate and key in a few different places Kim Alvefur <zash@zash.se> parents: 6906 diff changeset	15	local stat = require "lfs".attributes;
2554 b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts Matthew Wild <mwild1@gmail.com> parents: diff changeset	16
11536 c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	17	local x509 = require "util.x509";
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	18	local lfs = require "lfs";
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	19
7163 5c1ee8c06235 certmanager: Localize tonumber Matthew Wild <mwild1@gmail.com> parents: 7148 diff changeset	20	local tonumber, tostring = tonumber, tostring;
5684 5554029d759b certmanager: Overhaul of how ssl configs are built. Kim Alvefur <zash@zash.se> parents: 5679 diff changeset	21	local pairs = pairs;
8407 ca52d40e74da certmanager: Filter out curves not supported by LuaSec Kim Alvefur <zash@zash.se> parents: 8406 diff changeset	22	local t_remove = table.remove;
5820 6bc4077bc1f9 certmanager: Fix dhparam callback, missing imports (Testing, pfft) Kim Alvefur <zash@zash.se> parents: 5816 diff changeset	23	local type = type;
6bc4077bc1f9 certmanager: Fix dhparam callback, missing imports (Testing, pfft) Kim Alvefur <zash@zash.se> parents: 5816 diff changeset	24	local io_open = io.open;
6294 0033b021038f core.certmanager: Make create_context() support an arbitrary number of option sets, merging all Kim Alvefur <zash@zash.se> parents: 6293 diff changeset	25	local select = select;
11536 c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	26	local now = os.time;
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	27	local next = next;
11542 30feeb4d9d0b core.certmanager: Catch error from lfs Kim Alvefur <zash@zash.se> parents: 11541 diff changeset	28	local pcall = pcall;
2554 b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts Matthew Wild <mwild1@gmail.com> parents: diff changeset	29
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts Matthew Wild <mwild1@gmail.com> parents: diff changeset	30	local prosody = prosody;
11537 f97592336399 core.certmanager: Join paths with OS-aware util.paths function Kim Alvefur <zash@zash.se> parents: 11536 diff changeset	31	local pathutil = require"util.paths";
f97592336399 core.certmanager: Join paths with OS-aware util.paths function Kim Alvefur <zash@zash.se> parents: 11536 diff changeset	32	local resolve_path = pathutil.resolve_relative_path;
7534 2db68d1a6eeb certmanager: Assume default config path of '.' (fixes prosodyctl check certs when not installed) Kim Alvefur <zash@zash.se> parents: 7322 diff changeset	33	local config_path = prosody.paths.config or ".";
2554 b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts Matthew Wild <mwild1@gmail.com> parents: diff changeset	34
11553 5a484bd050a7 core.certmanager: Test for SSL options in absence of LuaSec config Kim Alvefur <zash@zash.se> parents: 11552 diff changeset	35	local function test_option(option)
5a484bd050a7 core.certmanager: Test for SSL options in absence of LuaSec config Kim Alvefur <zash@zash.se> parents: 11552 diff changeset	36	return not not ssl_newcontext({mode="server",protocol="sslv23",options={ option }});
5a484bd050a7 core.certmanager: Test for SSL options in absence of LuaSec config Kim Alvefur <zash@zash.se> parents: 11552 diff changeset	37	end
5a484bd050a7 core.certmanager: Test for SSL options in absence of LuaSec config Kim Alvefur <zash@zash.se> parents: 11552 diff changeset	38
6567 bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable Kim Alvefur <zash@zash.se> parents: 6550 diff changeset	39	local luasec_major, luasec_minor = ssl._VERSION:match("^(%d+)%.(%d+)");
7322 afa83f3ccaad certmanager: Explicitly tonumber() version number segments before doing arithmetic and avoid relying on implicit coercion (thanks David Favro) Matthew Wild <mwild1@gmail.com> parents: 7163 diff changeset	40	local luasec_version = tonumber(luasec_major) * 100 + tonumber(luasec_minor);
12335 49739369dcad core.certmanager: Turn soft dependency on LuaSec into a hard Kim Alvefur <zash@zash.se> parents: 12291 diff changeset	41	local luasec_has = ssl.config or {
8406 ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7 Kim Alvefur <zash@zash.se> parents: 8282 diff changeset	42	algorithms = {
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7 Kim Alvefur <zash@zash.se> parents: 8282 diff changeset	43	ec = luasec_version >= 5;
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7 Kim Alvefur <zash@zash.se> parents: 8282 diff changeset	44	};
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7 Kim Alvefur <zash@zash.se> parents: 8282 diff changeset	45	capabilities = {
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7 Kim Alvefur <zash@zash.se> parents: 8282 diff changeset	46	curves_list = luasec_version >= 7;
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7 Kim Alvefur <zash@zash.se> parents: 8282 diff changeset	47	};
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7 Kim Alvefur <zash@zash.se> parents: 8282 diff changeset	48	options = {
11553 5a484bd050a7 core.certmanager: Test for SSL options in absence of LuaSec config Kim Alvefur <zash@zash.se> parents: 11552 diff changeset	49	cipher_server_preference = test_option("cipher_server_preference");
5a484bd050a7 core.certmanager: Test for SSL options in absence of LuaSec config Kim Alvefur <zash@zash.se> parents: 11552 diff changeset	50	no_ticket = test_option("no_ticket");
5a484bd050a7 core.certmanager: Test for SSL options in absence of LuaSec config Kim Alvefur <zash@zash.se> parents: 11552 diff changeset	51	no_compression = test_option("no_compression");
5a484bd050a7 core.certmanager: Test for SSL options in absence of LuaSec config Kim Alvefur <zash@zash.se> parents: 11552 diff changeset	52	single_dh_use = test_option("single_dh_use");
5a484bd050a7 core.certmanager: Test for SSL options in absence of LuaSec config Kim Alvefur <zash@zash.se> parents: 11552 diff changeset	53	single_ecdh_use = test_option("single_ecdh_use");
11555 aaf9c6b6d18d certmanager: Disable renegotiation by default Matthew Wild <mwild1@gmail.com> parents: 11553 diff changeset	54	no_renegotiation = test_option("no_renegotiation");
8406 ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7 Kim Alvefur <zash@zash.se> parents: 8282 diff changeset	55	};
6569 1f396f0fe832 certmanager: Improve "detection" of features that depend on LuaSec version Kim Alvefur <zash@zash.se> parents: 6568 diff changeset	56	};
4899 0b8134015635 certmanager: Don't use no_ticket option before LuaSec 0.4 Matthew Wild <mwild1@gmail.com> parents: 4890 diff changeset	57
6782 6236668da30a core.: Remove use of module() function Kim Alvefur <zash@zash.se>* parents: 6573 diff changeset	58	local _ENV = nil;
8558 4f0f5b49bb03 vairious: Add annotation when an empty environment is set [luacheck] Kim Alvefur <zash@zash.se> parents: 8497 diff changeset	59	-- luacheck: std none
2554 b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts Matthew Wild <mwild1@gmail.com> parents: diff changeset	60
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts Matthew Wild <mwild1@gmail.com> parents: diff changeset	61	-- Global SSL options if not overridden per-host
5684 5554029d759b certmanager: Overhaul of how ssl configs are built. Kim Alvefur <zash@zash.se> parents: 5679 diff changeset	62	local global_ssl_config = configmanager.get("*", "ssl");
5554029d759b certmanager: Overhaul of how ssl configs are built. Kim Alvefur <zash@zash.se> parents: 5679 diff changeset	63
7125 89c51ee23122 core.certmanager: Look for certificate and key in a few different places Kim Alvefur <zash@zash.se> parents: 6906 diff changeset	64	local global_certificates = configmanager.get("*", "certificates") or "certs";
89c51ee23122 core.certmanager: Look for certificate and key in a few different places Kim Alvefur <zash@zash.se> parents: 6906 diff changeset	65
89c51ee23122 core.certmanager: Look for certificate and key in a few different places Kim Alvefur <zash@zash.se> parents: 6906 diff changeset	66	local crt_try = { "", "/%s.crt", "/%s/fullchain.pem", "/%s.pem", };
89c51ee23122 core.certmanager: Look for certificate and key in a few different places Kim Alvefur <zash@zash.se> parents: 6906 diff changeset	67	local key_try = { "", "/%s.key", "/%s/privkey.pem", "/%s.pem", };
89c51ee23122 core.certmanager: Look for certificate and key in a few different places Kim Alvefur <zash@zash.se> parents: 6906 diff changeset	68
7143 b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614) Matthew Wild <mwild1@gmail.com> parents: 7125 diff changeset	69	local function find_cert(user_certs, name)
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614) Matthew Wild <mwild1@gmail.com> parents: 7125 diff changeset	70	local certs = resolve_path(config_path, user_certs or global_certificates);
8262 db063671b73e certmanager: Add debug logging (thanks av6) Matthew Wild <mwild1@gmail.com> parents: 8162 diff changeset	71	log("debug", "Searching %s for a key and certificate for %s...", certs, name);
7125 89c51ee23122 core.certmanager: Look for certificate and key in a few different places Kim Alvefur <zash@zash.se> parents: 6906 diff changeset	72	for i = 1, #crt_try do
7143 b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614) Matthew Wild <mwild1@gmail.com> parents: 7125 diff changeset	73	local crt_path = certs .. crt_try[i]:format(name);
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614) Matthew Wild <mwild1@gmail.com> parents: 7125 diff changeset	74	local key_path = certs .. key_try[i]:format(name);
7125 89c51ee23122 core.certmanager: Look for certificate and key in a few different places Kim Alvefur <zash@zash.se> parents: 6906 diff changeset	75
89c51ee23122 core.certmanager: Look for certificate and key in a few different places Kim Alvefur <zash@zash.se> parents: 6906 diff changeset	76	if stat(crt_path, "mode") == "file" then
10713 fcf7f50ccdd0 core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526) Kim Alvefur <zash@zash.se> parents: 8831 diff changeset	77	if crt_path == key_path then
fcf7f50ccdd0 core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526) Kim Alvefur <zash@zash.se> parents: 8831 diff changeset	78	if key_path:sub(-4) == ".crt" then
fcf7f50ccdd0 core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526) Kim Alvefur <zash@zash.se> parents: 8831 diff changeset	79	key_path = key_path:sub(1, -4) .. "key";
11535 2bd91d4a0fcf core.certmanager: Check for complete filename Kim Alvefur <zash@zash.se> parents: 11372 diff changeset	80	elseif key_path:sub(-14) == "/fullchain.pem" then
10713 fcf7f50ccdd0 core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526) Kim Alvefur <zash@zash.se> parents: 8831 diff changeset	81	key_path = key_path:sub(1, -14) .. "privkey.pem";
7125 89c51ee23122 core.certmanager: Look for certificate and key in a few different places Kim Alvefur <zash@zash.se> parents: 6906 diff changeset	82	end
10713 fcf7f50ccdd0 core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526) Kim Alvefur <zash@zash.se> parents: 8831 diff changeset	83	end
fcf7f50ccdd0 core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526) Kim Alvefur <zash@zash.se> parents: 8831 diff changeset	84
fcf7f50ccdd0 core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526) Kim Alvefur <zash@zash.se> parents: 8831 diff changeset	85	if stat(key_path, "mode") == "file" then
8262 db063671b73e certmanager: Add debug logging (thanks av6) Matthew Wild <mwild1@gmail.com> parents: 8162 diff changeset	86	log("debug", "Selecting certificate %s with key %s for %s", crt_path, key_path, name);
7148 b1a109858502 certmanager: Try filename.key if certificate is set to a full filename ending with .crt Kim Alvefur <zash@zash.se> parents: 7147 diff changeset	87	return { certificate = crt_path, key = key_path };
7125 89c51ee23122 core.certmanager: Look for certificate and key in a few different places Kim Alvefur <zash@zash.se> parents: 6906 diff changeset	88	end
89c51ee23122 core.certmanager: Look for certificate and key in a few different places Kim Alvefur <zash@zash.se> parents: 6906 diff changeset	89	end
89c51ee23122 core.certmanager: Look for certificate and key in a few different places Kim Alvefur <zash@zash.se> parents: 6906 diff changeset	90	end
8262 db063671b73e certmanager: Add debug logging (thanks av6) Matthew Wild <mwild1@gmail.com> parents: 8162 diff changeset	91	log("debug", "No certificate/key found for %s", name);
7125 89c51ee23122 core.certmanager: Look for certificate and key in a few different places Kim Alvefur <zash@zash.se> parents: 6906 diff changeset	92	end
89c51ee23122 core.certmanager: Look for certificate and key in a few different places Kim Alvefur <zash@zash.se> parents: 6906 diff changeset	93
11538 1cef62ca3e03 core.certmanager: Skip directly to guessing of key from cert filename Kim Alvefur <zash@zash.se> parents: 11537 diff changeset	94	local function find_matching_key(cert_path)
12291 5cd075ed4fd3 core.certmanager: Relax certificate filename check #1713 Kim Alvefur <zash@zash.se> parents: 12201 diff changeset	95	return (cert_path:gsub("%.crt$", ".key"):gsub("fullchain", "privkey"));
11538 1cef62ca3e03 core.certmanager: Skip directly to guessing of key from cert filename Kim Alvefur <zash@zash.se> parents: 11537 diff changeset	96	end
1cef62ca3e03 core.certmanager: Skip directly to guessing of key from cert filename Kim Alvefur <zash@zash.se> parents: 11537 diff changeset	97
11536 c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	98	local function index_certs(dir, files_by_name, depth_limit)
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	99	files_by_name = files_by_name or {};
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	100	depth_limit = depth_limit or 3;
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	101	if depth_limit <= 0 then return files_by_name; end
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	102
11542 30feeb4d9d0b core.certmanager: Catch error from lfs Kim Alvefur <zash@zash.se> parents: 11541 diff changeset	103	local ok, iter, v, i = pcall(lfs.dir, dir);
30feeb4d9d0b core.certmanager: Catch error from lfs Kim Alvefur <zash@zash.se> parents: 11541 diff changeset	104	if not ok then
30feeb4d9d0b core.certmanager: Catch error from lfs Kim Alvefur <zash@zash.se> parents: 11541 diff changeset	105	log("error", "Error indexing certificate directory %s: %s", dir, iter);
30feeb4d9d0b core.certmanager: Catch error from lfs Kim Alvefur <zash@zash.se> parents: 11541 diff changeset	106	-- Return an empty index, otherwise this just triggers a nil indexing
30feeb4d9d0b core.certmanager: Catch error from lfs Kim Alvefur <zash@zash.se> parents: 11541 diff changeset	107	-- error, plus this function would get called again.
30feeb4d9d0b core.certmanager: Catch error from lfs Kim Alvefur <zash@zash.se> parents: 11541 diff changeset	108	-- Reloading the config after correcting the problem calls this again so
30feeb4d9d0b core.certmanager: Catch error from lfs Kim Alvefur <zash@zash.se> parents: 11541 diff changeset	109	-- that's what should be done.
30feeb4d9d0b core.certmanager: Catch error from lfs Kim Alvefur <zash@zash.se> parents: 11541 diff changeset	110	return {}, iter;
30feeb4d9d0b core.certmanager: Catch error from lfs Kim Alvefur <zash@zash.se> parents: 11541 diff changeset	111	end
30feeb4d9d0b core.certmanager: Catch error from lfs Kim Alvefur <zash@zash.se> parents: 11541 diff changeset	112	for file in iter, v, i do
11537 f97592336399 core.certmanager: Join paths with OS-aware util.paths function Kim Alvefur <zash@zash.se> parents: 11536 diff changeset	113	local full = pathutil.join(dir, file);
11536 c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	114	if lfs.attributes(full, "mode") == "directory" then
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	115	if file:sub(1,1) ~= "." then
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	116	index_certs(full, files_by_name, depth_limit-1);
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	117	end
12291 5cd075ed4fd3 core.certmanager: Relax certificate filename check #1713 Kim Alvefur <zash@zash.se> parents: 12201 diff changeset	118	elseif file:find("%.crt$") or file:find("fullchain") then -- This should catch most fullchain files
11536 c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	119	local f = io_open(full);
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	120	if f then
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	121	-- TODO look for chained certificates
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	122	local firstline = f:read();
12309 f8b8061461e3 core.certmanager: Ensure key exists for fullchain Kim Alvefur <zash@zash.se> parents: 12291 diff changeset	123	if firstline == "-----BEGIN CERTIFICATE-----" and lfs.attributes(find_matching_key(full), "mode") == "file" then
11536 c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	124	f:seek("set")
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	125	local cert = ssl.loadcertificate(f:read("*a"))
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	126	-- TODO if more than one cert is found for a name, the most recently
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	127	-- issued one should be used.
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	128	-- for now, just filter out expired certs
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	129	-- TODO also check if there's a corresponding key
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	130	if cert:validat(now()) then
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	131	local names = x509.get_identities(cert);
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	132	log("debug", "Found certificate %s with identities %q", full, names);
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	133	for name, services in pairs(names) do
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	134	-- TODO check services
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	135	if files_by_name[name] then
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	136	files_by_name[name][full] = services;
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	137	else
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	138	files_by_name[name] = { [full] = services; };
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	139	end
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	140	end
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	141	end
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	142	end
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	143	f:close();
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	144	end
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	145	end
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	146	end
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	147	log("debug", "Certificate index: %q", files_by_name);
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	148	-- \| hostname \| filename \| service \|
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	149	return files_by_name;
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	150	end
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	151
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	152	local cert_index;
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	153
12108 29765ac7f72f prosodyctl cert: use the indexing functions for better UX Jonas Schäfer <jonas@wielicki.name> parents: 12103 diff changeset	154	local function find_cert_in_index(index, host)
7143 b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614) Matthew Wild <mwild1@gmail.com> parents: 7125 diff changeset	155	if not host then return nil; end
12108 29765ac7f72f prosodyctl cert: use the indexing functions for better UX Jonas Schäfer <jonas@wielicki.name> parents: 12103 diff changeset	156	if not index then return nil; end
12109 47c9a76cce7d core.certmanager: Check index for wildcard certs Kim Alvefur <zash@zash.se> parents: 12108 diff changeset	157	local wildcard_host = host:gsub("^[^.]+%.", "*.");
47c9a76cce7d core.certmanager: Check index for wildcard certs Kim Alvefur <zash@zash.se> parents: 12108 diff changeset	158	local certs = index[host] or index[wildcard_host];
11536 c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	159	if certs then
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	160	local cert_filename, services = next(certs);
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	161	if services["*"] then
12511 e242a6e74424 core.certmanager: Expand debug messages about cert lookups in index Kim Alvefur <zash@zash.se> parents: 12366 diff changeset	162	log("debug", "Using cert %q from index for host %q", cert_filename, host);
11538 1cef62ca3e03 core.certmanager: Skip directly to guessing of key from cert filename Kim Alvefur <zash@zash.se> parents: 11537 diff changeset	163	return {
1cef62ca3e03 core.certmanager: Skip directly to guessing of key from cert filename Kim Alvefur <zash@zash.se> parents: 11537 diff changeset	164	certificate = cert_filename,
1cef62ca3e03 core.certmanager: Skip directly to guessing of key from cert filename Kim Alvefur <zash@zash.se> parents: 11537 diff changeset	165	key = find_matching_key(cert_filename),
1cef62ca3e03 core.certmanager: Skip directly to guessing of key from cert filename Kim Alvefur <zash@zash.se> parents: 11537 diff changeset	166	}
11536 c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	167	end
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	168	end
12108 29765ac7f72f prosodyctl cert: use the indexing functions for better UX Jonas Schäfer <jonas@wielicki.name> parents: 12103 diff changeset	169	return nil
29765ac7f72f prosodyctl cert: use the indexing functions for better UX Jonas Schäfer <jonas@wielicki.name> parents: 12103 diff changeset	170	end
11536 c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	171
12108 29765ac7f72f prosodyctl cert: use the indexing functions for better UX Jonas Schäfer <jonas@wielicki.name> parents: 12103 diff changeset	172	local function find_host_cert(host)
29765ac7f72f prosodyctl cert: use the indexing functions for better UX Jonas Schäfer <jonas@wielicki.name> parents: 12103 diff changeset	173	if not host then return nil; end
29765ac7f72f prosodyctl cert: use the indexing functions for better UX Jonas Schäfer <jonas@wielicki.name> parents: 12103 diff changeset	174	if not cert_index then
29765ac7f72f prosodyctl cert: use the indexing functions for better UX Jonas Schäfer <jonas@wielicki.name> parents: 12103 diff changeset	175	cert_index = index_certs(resolve_path(config_path, global_certificates));
29765ac7f72f prosodyctl cert: use the indexing functions for better UX Jonas Schäfer <jonas@wielicki.name> parents: 12103 diff changeset	176	end
29765ac7f72f prosodyctl cert: use the indexing functions for better UX Jonas Schäfer <jonas@wielicki.name> parents: 12103 diff changeset	177
29765ac7f72f prosodyctl cert: use the indexing functions for better UX Jonas Schäfer <jonas@wielicki.name> parents: 12103 diff changeset	178	return find_cert_in_index(cert_index, host) or find_cert(configmanager.get(host, "certificate"), host) or find_host_cert(host:match("%.(.+)$"));
7143 b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614) Matthew Wild <mwild1@gmail.com> parents: 7125 diff changeset	179	end
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614) Matthew Wild <mwild1@gmail.com> parents: 7125 diff changeset	180
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614) Matthew Wild <mwild1@gmail.com> parents: 7125 diff changeset	181	local function find_service_cert(service, port)
11536 c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	182	if not cert_index then
11541 a09685a7b330 core.certmanager: Resolve certs path relative to config dir Kim Alvefur <zash@zash.se> parents: 11538 diff changeset	183	cert_index = index_certs(resolve_path(config_path, global_certificates));
11536 c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	184	end
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	185	for _, certs in pairs(cert_index) do
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	186	for cert_filename, services in pairs(certs) do
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	187	if services[service] or services["*"] then
12511 e242a6e74424 core.certmanager: Expand debug messages about cert lookups in index Kim Alvefur <zash@zash.se> parents: 12366 diff changeset	188	log("debug", "Using cert %q from index for service %s port %d", cert_filename, service, port);
11538 1cef62ca3e03 core.certmanager: Skip directly to guessing of key from cert filename Kim Alvefur <zash@zash.se> parents: 11537 diff changeset	189	return {
1cef62ca3e03 core.certmanager: Skip directly to guessing of key from cert filename Kim Alvefur <zash@zash.se> parents: 11537 diff changeset	190	certificate = cert_filename,
1cef62ca3e03 core.certmanager: Skip directly to guessing of key from cert filename Kim Alvefur <zash@zash.se> parents: 11537 diff changeset	191	key = find_matching_key(cert_filename),
1cef62ca3e03 core.certmanager: Skip directly to guessing of key from cert filename Kim Alvefur <zash@zash.se> parents: 11537 diff changeset	192	}
11536 c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	193	end
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	194	end
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	195	end
7143 b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614) Matthew Wild <mwild1@gmail.com> parents: 7125 diff changeset	196	local cert_config = configmanager.get("*", service.."_certificate");
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614) Matthew Wild <mwild1@gmail.com> parents: 7125 diff changeset	197	if type(cert_config) == "table" then
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614) Matthew Wild <mwild1@gmail.com> parents: 7125 diff changeset	198	cert_config = cert_config[port] or cert_config.default;
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614) Matthew Wild <mwild1@gmail.com> parents: 7125 diff changeset	199	end
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614) Matthew Wild <mwild1@gmail.com> parents: 7125 diff changeset	200	return find_cert(cert_config, service);
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614) Matthew Wild <mwild1@gmail.com> parents: 7125 diff changeset	201	end
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614) Matthew Wild <mwild1@gmail.com> parents: 7125 diff changeset	202
6079 5cffee5b2826 certmanager: Reformat core ssl defaults Kim Alvefur <zash@zash.se> parents: 6078 diff changeset	203	-- Built-in defaults
5684 5554029d759b certmanager: Overhaul of how ssl configs are built. Kim Alvefur <zash@zash.se> parents: 5679 diff changeset	204	local core_defaults = {
5554029d759b certmanager: Overhaul of how ssl configs are built. Kim Alvefur <zash@zash.se> parents: 5679 diff changeset	205	capath = "/etc/ssl/certs";
6571 b54b33f59c6e certmanager: Limit certificate chain depth to 9 Kim Alvefur <zash@zash.se> parents: 6570 diff changeset	206	depth = 9;
6078 30ac122acdd3 certmanager: Support ssl.protocol syntax like "tlsv1+" that disables older protocols Kim Alvefur <zash@zash.se> parents: 6077 diff changeset	207	protocol = "tlsv1+";
9856 6ea3cafb6ac3 core.certmanager: Do not ask for client certificates by default Kim Alvefur <zash@zash.se> parents: 8831 diff changeset	208	verify = "none";
6079 5cffee5b2826 certmanager: Reformat core ssl defaults Kim Alvefur <zash@zash.se> parents: 6078 diff changeset	209	options = {
8406 ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7 Kim Alvefur <zash@zash.se> parents: 8282 diff changeset	210	cipher_server_preference = luasec_has.options.cipher_server_preference;
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7 Kim Alvefur <zash@zash.se> parents: 8282 diff changeset	211	no_ticket = luasec_has.options.no_ticket;
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7 Kim Alvefur <zash@zash.se> parents: 8282 diff changeset	212	no_compression = luasec_has.options.no_compression and configmanager.get("*", "ssl_compression") ~= true;
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7 Kim Alvefur <zash@zash.se> parents: 8282 diff changeset	213	single_dh_use = luasec_has.options.single_dh_use;
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7 Kim Alvefur <zash@zash.se> parents: 8282 diff changeset	214	single_ecdh_use = luasec_has.options.single_ecdh_use;
11555 aaf9c6b6d18d certmanager: Disable renegotiation by default Matthew Wild <mwild1@gmail.com> parents: 11553 diff changeset	215	no_renegotiation = luasec_has.options.no_renegotiation;
6079 5cffee5b2826 certmanager: Reformat core ssl defaults Kim Alvefur <zash@zash.se> parents: 6078 diff changeset	216	};
11372 0bc3acf37428 core.certmanager: Add comments explaining the 'verifyext' TLS settings Kim Alvefur <zash@zash.se> parents: 10923 diff changeset	217	verifyext = {
0bc3acf37428 core.certmanager: Add comments explaining the 'verifyext' TLS settings Kim Alvefur <zash@zash.se> parents: 10923 diff changeset	218	"lsec_continue", -- Continue past certificate verification errors
0bc3acf37428 core.certmanager: Add comments explaining the 'verifyext' TLS settings Kim Alvefur <zash@zash.se> parents: 10923 diff changeset	219	"lsec_ignore_purpose", -- Validate client certificates as if they were server certificates
0bc3acf37428 core.certmanager: Add comments explaining the 'verifyext' TLS settings Kim Alvefur <zash@zash.se> parents: 10923 diff changeset	220	};
8408 a3cf899fd61b certmanager: Set single curve conditioned on LuaSec advertising EC crypto support Kim Alvefur <zash@zash.se> parents: 8407 diff changeset	221	curve = luasec_has.algorithms.ec and not luasec_has.capabilities.curves_list and "secp384r1";
8282 92cddfe65003 core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1 Kim Alvefur <zash@zash.se> parents: 8277 diff changeset	222	curveslist = {
92cddfe65003 core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1 Kim Alvefur <zash@zash.se> parents: 8277 diff changeset	223	"X25519",
92cddfe65003 core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1 Kim Alvefur <zash@zash.se> parents: 8277 diff changeset	224	"P-384",
92cddfe65003 core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1 Kim Alvefur <zash@zash.se> parents: 8277 diff changeset	225	"P-256",
92cddfe65003 core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1 Kim Alvefur <zash@zash.se> parents: 8277 diff changeset	226	"P-521",
92cddfe65003 core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1 Kim Alvefur <zash@zash.se> parents: 8277 diff changeset	227	};
7666 54424e981796 core.certmanager: Split cipher list into array with comments explaining each part Kim Alvefur <zash@zash.se> parents: 7534 diff changeset	228	ciphers = { -- Enabled ciphers in order of preference:
10725 3a1b1d3084fb core.certmanager: Move EECDH ciphers before EDH in default cipherstring (fixes #1513) Kim Alvefur <zash@zash.se> parents: 10713 diff changeset	229	"HIGH+kEECDH", -- Ephemeral Elliptic curve Diffie-Hellman key exchange
7666 54424e981796 core.certmanager: Split cipher list into array with comments explaining each part Kim Alvefur <zash@zash.se> parents: 7534 diff changeset	230	"HIGH+kEDH", -- Ephemeral Diffie-Hellman key exchange, if a 'dhparam' file is set
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part Kim Alvefur <zash@zash.se> parents: 7534 diff changeset	231	"HIGH", -- Other "High strength" ciphers
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part Kim Alvefur <zash@zash.se> parents: 7534 diff changeset	232	-- Disabled cipher suites:
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part Kim Alvefur <zash@zash.se> parents: 7534 diff changeset	233	"!PSK", -- Pre-Shared Key - not used for XMPP
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part Kim Alvefur <zash@zash.se> parents: 7534 diff changeset	234	"!SRP", -- Secure Remote Password - not used for XMPP
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part Kim Alvefur <zash@zash.se> parents: 7534 diff changeset	235	"!3DES", -- 3DES - slow and of questionable security
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part Kim Alvefur <zash@zash.se> parents: 7534 diff changeset	236	"!aNULL", -- Ciphers that does not authenticate the connection
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part Kim Alvefur <zash@zash.se> parents: 7534 diff changeset	237	};
12154 653a48b5a25b core.certmanager: Disable DANE name checks (not needed for XMPP) Kim Alvefur <zash@zash.se> parents: 12124 diff changeset	238	dane = luasec_has.capabilities.dane and configmanager.get("*", "use_dane") and { "no_ee_namechecks" };
5684 5554029d759b certmanager: Overhaul of how ssl configs are built. Kim Alvefur <zash@zash.se> parents: 5679 diff changeset	239	}
8407 ca52d40e74da certmanager: Filter out curves not supported by LuaSec Kim Alvefur <zash@zash.se> parents: 8406 diff changeset	240
12100 dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	241	local mozilla_ssl_configs = {
12101 9c794d5f6f8d core.certmanager: Add TLS 1.3 cipher suites to Mozilla TLS presets Kim Alvefur <zash@zash.se> parents: 12100 diff changeset	242	-- https://wiki.mozilla.org/Security/Server_Side_TLS
13182 e689d4c45681 core.certmanager: Update Mozilla TLS config to version 5.7 Kim Alvefur <zash@zash.se> parents: 12511 diff changeset	243	-- Version 5.7 as of 2023-07-09
12100 dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	244	modern = {
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	245	protocol = "tlsv1_3";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	246	options = { cipher_server_preference = false };
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	247	ciphers = "DEFAULT"; -- TLS 1.3 uses 'ciphersuites' rather than these
12101 9c794d5f6f8d core.certmanager: Add TLS 1.3 cipher suites to Mozilla TLS presets Kim Alvefur <zash@zash.se> parents: 12100 diff changeset	248	curveslist = { "X25519"; "prime256v1"; "secp384r1" };
9c794d5f6f8d core.certmanager: Add TLS 1.3 cipher suites to Mozilla TLS presets Kim Alvefur <zash@zash.se> parents: 12100 diff changeset	249	ciphersuites = { "TLS_AES_128_GCM_SHA256"; "TLS_AES_256_GCM_SHA384"; "TLS_CHACHA20_POLY1305_SHA256" };
12100 dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	250	};
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	251	intermediate = {
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	252	protocol = "tlsv1_2+";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	253	dhparam = nil; -- ffdhe2048.txt
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	254	options = { cipher_server_preference = false };
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	255	ciphers = {
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	256	"ECDHE-ECDSA-AES128-GCM-SHA256";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	257	"ECDHE-RSA-AES128-GCM-SHA256";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	258	"ECDHE-ECDSA-AES256-GCM-SHA384";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	259	"ECDHE-RSA-AES256-GCM-SHA384";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	260	"ECDHE-ECDSA-CHACHA20-POLY1305";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	261	"ECDHE-RSA-CHACHA20-POLY1305";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	262	"DHE-RSA-AES128-GCM-SHA256";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	263	"DHE-RSA-AES256-GCM-SHA384";
13182 e689d4c45681 core.certmanager: Update Mozilla TLS config to version 5.7 Kim Alvefur <zash@zash.se> parents: 12511 diff changeset	264	"DHE-RSA-CHACHA20-POLY1305";
12100 dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	265	};
12101 9c794d5f6f8d core.certmanager: Add TLS 1.3 cipher suites to Mozilla TLS presets Kim Alvefur <zash@zash.se> parents: 12100 diff changeset	266	curveslist = { "X25519"; "prime256v1"; "secp384r1" };
9c794d5f6f8d core.certmanager: Add TLS 1.3 cipher suites to Mozilla TLS presets Kim Alvefur <zash@zash.se> parents: 12100 diff changeset	267	ciphersuites = { "TLS_AES_128_GCM_SHA256"; "TLS_AES_256_GCM_SHA384"; "TLS_CHACHA20_POLY1305_SHA256" };
12100 dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	268	};
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	269	old = {
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	270	protocol = "tlsv1+";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	271	dhparam = nil; -- openssl dhparam 1024
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	272	options = { cipher_server_preference = true };
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	273	ciphers = {
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	274	"ECDHE-ECDSA-AES128-GCM-SHA256";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	275	"ECDHE-RSA-AES128-GCM-SHA256";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	276	"ECDHE-ECDSA-AES256-GCM-SHA384";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	277	"ECDHE-RSA-AES256-GCM-SHA384";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	278	"ECDHE-ECDSA-CHACHA20-POLY1305";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	279	"ECDHE-RSA-CHACHA20-POLY1305";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	280	"DHE-RSA-AES128-GCM-SHA256";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	281	"DHE-RSA-AES256-GCM-SHA384";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	282	"DHE-RSA-CHACHA20-POLY1305";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	283	"ECDHE-ECDSA-AES128-SHA256";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	284	"ECDHE-RSA-AES128-SHA256";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	285	"ECDHE-ECDSA-AES128-SHA";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	286	"ECDHE-RSA-AES128-SHA";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	287	"ECDHE-ECDSA-AES256-SHA384";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	288	"ECDHE-RSA-AES256-SHA384";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	289	"ECDHE-ECDSA-AES256-SHA";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	290	"ECDHE-RSA-AES256-SHA";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	291	"DHE-RSA-AES128-SHA256";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	292	"DHE-RSA-AES256-SHA256";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	293	"AES128-GCM-SHA256";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	294	"AES256-GCM-SHA384";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	295	"AES128-SHA256";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	296	"AES256-SHA256";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	297	"AES128-SHA";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	298	"AES256-SHA";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	299	"DES-CBC3-SHA";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	300	};
12124 0fcd80a55f15 core.certmanager: Add curveslist to 'old' Mozilla TLS preset Kim Alvefur <zash@zash.se> parents: 12109 diff changeset	301	curveslist = { "X25519"; "prime256v1"; "secp384r1" };
12101 9c794d5f6f8d core.certmanager: Add TLS 1.3 cipher suites to Mozilla TLS presets Kim Alvefur <zash@zash.se> parents: 12100 diff changeset	302	ciphersuites = { "TLS_AES_128_GCM_SHA256"; "TLS_AES_256_GCM_SHA384"; "TLS_CHACHA20_POLY1305_SHA256" };
12100 dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	303	};
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	304	};
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	305
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	306
8407 ca52d40e74da certmanager: Filter out curves not supported by LuaSec Kim Alvefur <zash@zash.se> parents: 8406 diff changeset	307	if luasec_has.curves then
ca52d40e74da certmanager: Filter out curves not supported by LuaSec Kim Alvefur <zash@zash.se> parents: 8406 diff changeset	308	for i = #core_defaults.curveslist, 1, -1 do
ca52d40e74da certmanager: Filter out curves not supported by LuaSec Kim Alvefur <zash@zash.se> parents: 8406 diff changeset	309	if not luasec_has.curves[ core_defaults.curveslist[i] ] then
ca52d40e74da certmanager: Filter out curves not supported by LuaSec Kim Alvefur <zash@zash.se> parents: 8406 diff changeset	310	t_remove(core_defaults.curveslist, i);
ca52d40e74da certmanager: Filter out curves not supported by LuaSec Kim Alvefur <zash@zash.se> parents: 8406 diff changeset	311	end
ca52d40e74da certmanager: Filter out curves not supported by LuaSec Kim Alvefur <zash@zash.se> parents: 8406 diff changeset	312	end
ca52d40e74da certmanager: Filter out curves not supported by LuaSec Kim Alvefur <zash@zash.se> parents: 8406 diff changeset	313	else
ca52d40e74da certmanager: Filter out curves not supported by LuaSec Kim Alvefur <zash@zash.se> parents: 8406 diff changeset	314	core_defaults.curveslist = nil;
ca52d40e74da certmanager: Filter out curves not supported by LuaSec Kim Alvefur <zash@zash.se> parents: 8406 diff changeset	315	end
ca52d40e74da certmanager: Filter out curves not supported by LuaSec Kim Alvefur <zash@zash.se> parents: 8406 diff changeset	316
5684 5554029d759b certmanager: Overhaul of how ssl configs are built. Kim Alvefur <zash@zash.se> parents: 5679 diff changeset	317	local path_options = { -- These we pass through resolve_path()
5822 970c666c5586 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback Kim Alvefur <zash@zash.se> parents: 5821 diff changeset	318	key = true, certificate = true, cafile = true, capath = true, dhparam = true
5684 5554029d759b certmanager: Overhaul of how ssl configs are built. Kim Alvefur <zash@zash.se> parents: 5679 diff changeset	319	}
5282 4cd57cb49f99 core.certmanager: Add support for LuaSec 0.5. Also compat with MattJs luasec-hg Kim Alvefur <zash@zash.se> parents: 4992 diff changeset	320
6782 6236668da30a core.: Remove use of module() function Kim Alvefur <zash@zash.se>* parents: 6573 diff changeset	321	local function create_context(host, mode, ...)
6293 851fb5e9fa0c core.certmanager: Use util.sslconfig Kim Alvefur <zash@zash.se> parents: 6165 diff changeset	322	local cfg = new_config();
851fb5e9fa0c core.certmanager: Use util.sslconfig Kim Alvefur <zash@zash.se> parents: 6165 diff changeset	323	cfg:apply(core_defaults);
8830 1a29b56a2d63 core.certmanager: Allow all non-whitespace in service name (fixes #1019) Kim Alvefur <zash@zash.se> parents: 8497 diff changeset	324	local service_name, port = host:match("^(%S+) port (%d+)$");
11595 e7a964572f6b core.certmanager: Skip service certificate lookup for https client Kim Alvefur <zash@zash.se> parents: 11564 diff changeset	325	-- port 0 is used with client-only things that normally don't need certificates, e.g. https
e7a964572f6b core.certmanager: Skip service certificate lookup for https client Kim Alvefur <zash@zash.se> parents: 11564 diff changeset	326	if service_name and port ~= "0" then
11536 c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	327	log("debug", "Automatically locating certs for service %s on port %s", service_name, port);
7143 b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614) Matthew Wild <mwild1@gmail.com> parents: 7125 diff changeset	328	cfg:apply(find_service_cert(service_name, tonumber(port)));
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614) Matthew Wild <mwild1@gmail.com> parents: 7125 diff changeset	329	else
11536 c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	330	log("debug", "Automatically locating certs for host %s", host);
7143 b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614) Matthew Wild <mwild1@gmail.com> parents: 7125 diff changeset	331	cfg:apply(find_host_cert(host));
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614) Matthew Wild <mwild1@gmail.com> parents: 7125 diff changeset	332	end
6293 851fb5e9fa0c core.certmanager: Use util.sslconfig Kim Alvefur <zash@zash.se> parents: 6165 diff changeset	333	cfg:apply({
851fb5e9fa0c core.certmanager: Use util.sslconfig Kim Alvefur <zash@zash.se> parents: 6165 diff changeset	334	mode = mode,
851fb5e9fa0c core.certmanager: Use util.sslconfig Kim Alvefur <zash@zash.se> parents: 6165 diff changeset	335	-- We can't read the password interactively when daemonized
851fb5e9fa0c core.certmanager: Use util.sslconfig Kim Alvefur <zash@zash.se> parents: 6165 diff changeset	336	password = function() log("error", "Encrypted certificate for %s requires 'ssl' 'password' to be set in config", host); end;
851fb5e9fa0c core.certmanager: Use util.sslconfig Kim Alvefur <zash@zash.se> parents: 6165 diff changeset	337	});
12201 95d25e620dc2 core.certmanager: Use 'tls_profile' instead of 'tls_preset' to match documentation Kim Alvefur <zash@zash.se> parents: 12200 diff changeset	338	local profile = configmanager.get("*", "tls_profile") or "intermediate";
13295 24070d47a6e7 core.certmanager: Validate that 'tls_profile' is one of the valid values Kim Alvefur <zash@zash.se> parents: 13182 diff changeset	339	if mozilla_ssl_configs[profile] then
12201 95d25e620dc2 core.certmanager: Use 'tls_profile' instead of 'tls_preset' to match documentation Kim Alvefur <zash@zash.se> parents: 12200 diff changeset	340	cfg:apply(mozilla_ssl_configs[profile]);
13295 24070d47a6e7 core.certmanager: Validate that 'tls_profile' is one of the valid values Kim Alvefur <zash@zash.se> parents: 13182 diff changeset	341	elseif profile ~= "legacy" then
24070d47a6e7 core.certmanager: Validate that 'tls_profile' is one of the valid values Kim Alvefur <zash@zash.se> parents: 13182 diff changeset	342	log("error", "Invalid value for 'tls_profile': expected one of \"modern\", \"intermediate\" (default), \"old\" or \"legacy\" but got %q", profile);
24070d47a6e7 core.certmanager: Validate that 'tls_profile' is one of the valid values Kim Alvefur <zash@zash.se> parents: 13182 diff changeset	343	return nil, "Invalid configuration, 'tls_profile' had an unknown value.";
12102 9591b838e3b0 core.certmanager: Add "legacy" preset for keeping previous default settings Kim Alvefur <zash@zash.se> parents: 12101 diff changeset	344	end
12200 b05e0b422ff7 core.certmanager: Apply TLS preset before global settings (thanks Menel) Kim Alvefur <zash@zash.se> parents: 12154 diff changeset	345	cfg:apply(global_ssl_config);
6076 e0713386319a certmanager: Wrap long line and add comment Kim Alvefur <zash@zash.se> parents: 6075 diff changeset	346
6294 0033b021038f core.certmanager: Make create_context() support an arbitrary number of option sets, merging all Kim Alvefur <zash@zash.se> parents: 6293 diff changeset	347	for i = select('#', ...), 1, -1 do
0033b021038f core.certmanager: Make create_context() support an arbitrary number of option sets, merging all Kim Alvefur <zash@zash.se> parents: 6293 diff changeset	348	cfg:apply(select(i, ...));
0033b021038f core.certmanager: Make create_context() support an arbitrary number of option sets, merging all Kim Alvefur <zash@zash.se> parents: 6293 diff changeset	349	end
0033b021038f core.certmanager: Make create_context() support an arbitrary number of option sets, merging all Kim Alvefur <zash@zash.se> parents: 6293 diff changeset	350	local user_ssl_config = cfg:final();
6293 851fb5e9fa0c core.certmanager: Use util.sslconfig Kim Alvefur <zash@zash.se> parents: 6165 diff changeset	351
851fb5e9fa0c core.certmanager: Use util.sslconfig Kim Alvefur <zash@zash.se> parents: 6165 diff changeset	352	if mode == "server" then
10241 a36af4570b39 core.certmanager: Lower severity for tls config not having cert Kim Alvefur <zash@zash.se> parents: 10231 diff changeset	353	if not user_ssl_config.certificate then
a36af4570b39 core.certmanager: Lower severity for tls config not having cert Kim Alvefur <zash@zash.se> parents: 10231 diff changeset	354	log("info", "No certificate present in SSL/TLS configuration for %s. SNI will be required.", host);
a36af4570b39 core.certmanager: Lower severity for tls config not having cert Kim Alvefur <zash@zash.se> parents: 10231 diff changeset	355	end
a36af4570b39 core.certmanager: Lower severity for tls config not having cert Kim Alvefur <zash@zash.se> parents: 10231 diff changeset	356	if user_ssl_config.certificate and not user_ssl_config.key then return nil, "No key present in SSL/TLS configuration for "..host; end
6077 6999d4415a58 certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost Kim Alvefur <zash@zash.se> parents: 6076 diff changeset	357	end
6999d4415a58 certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost Kim Alvefur <zash@zash.se> parents: 6076 diff changeset	358
5684 5554029d759b certmanager: Overhaul of how ssl configs are built. Kim Alvefur <zash@zash.se> parents: 5679 diff changeset	359	for option in pairs(path_options) do
5822 970c666c5586 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback Kim Alvefur <zash@zash.se> parents: 5821 diff changeset	360	if type(user_ssl_config[option]) == "string" then
970c666c5586 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback Kim Alvefur <zash@zash.se> parents: 5821 diff changeset	361	user_ssl_config[option] = resolve_path(config_path, user_ssl_config[option]);
6906 5ff42d85d4d5 core.certmanager: Remove non-string filenames (allows setting eg capath to false to disable the built in default) Kim Alvefur <zash@zash.se> parents: 6782 diff changeset	362	else
5ff42d85d4d5 core.certmanager: Remove non-string filenames (allows setting eg capath to false to disable the built in default) Kim Alvefur <zash@zash.se> parents: 6782 diff changeset	363	user_ssl_config[option] = nil;
5822 970c666c5586 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback Kim Alvefur <zash@zash.se> parents: 5821 diff changeset	364	end
5816 20e2b588f8c2 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback Kim Alvefur <zash@zash.se> parents: 5815 diff changeset	365	end
3355 9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147 Matthew Wild <mwild1@gmail.com> parents: 2739 diff changeset	366
5816 20e2b588f8c2 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback Kim Alvefur <zash@zash.se> parents: 5815 diff changeset	367	-- LuaSec expects dhparam to be a callback that takes two arguments.
20e2b588f8c2 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback Kim Alvefur <zash@zash.se> parents: 5815 diff changeset	368	-- We ignore those because it is mostly used for having a separate
20e2b588f8c2 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback Kim Alvefur <zash@zash.se> parents: 5815 diff changeset	369	-- set of params for EXPORT ciphers, which we don't have by default.
5822 970c666c5586 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback Kim Alvefur <zash@zash.se> parents: 5821 diff changeset	370	if type(user_ssl_config.dhparam) == "string" then
970c666c5586 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback Kim Alvefur <zash@zash.se> parents: 5821 diff changeset	371	local f, err = io_open(user_ssl_config.dhparam);
5816 20e2b588f8c2 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback Kim Alvefur <zash@zash.se> parents: 5815 diff changeset	372	if not f then return nil, "Could not open DH parameters: "..err end
20e2b588f8c2 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback Kim Alvefur <zash@zash.se> parents: 5815 diff changeset	373	local dhparam = f:read("*a");
20e2b588f8c2 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback Kim Alvefur <zash@zash.se> parents: 5815 diff changeset	374	f:close();
5822 970c666c5586 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback Kim Alvefur <zash@zash.se> parents: 5821 diff changeset	375	user_ssl_config.dhparam = function() return dhparam; end
5816 20e2b588f8c2 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback Kim Alvefur <zash@zash.se> parents: 5815 diff changeset	376	end
20e2b588f8c2 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback Kim Alvefur <zash@zash.se> parents: 5815 diff changeset	377
5684 5554029d759b certmanager: Overhaul of how ssl configs are built. Kim Alvefur <zash@zash.se> parents: 5679 diff changeset	378	local ctx, err = ssl_newcontext(user_ssl_config);
4359 c69cbac4178f certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option. Waqas Hussain <waqas20@gmail.com> parents: 3670 diff changeset	379
5684 5554029d759b certmanager: Overhaul of how ssl configs are built. Kim Alvefur <zash@zash.se> parents: 5679 diff changeset	380	-- COMPAT Older LuaSec ignores the cipher list from the config, so we have to take care
4359 c69cbac4178f certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option. Waqas Hussain <waqas20@gmail.com> parents: 3670 diff changeset	381	-- of it ourselves (W/A for #x)
c69cbac4178f certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option. Waqas Hussain <waqas20@gmail.com> parents: 3670 diff changeset	382	if ctx and user_ssl_config.ciphers then
c69cbac4178f certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option. Waqas Hussain <waqas20@gmail.com> parents: 3670 diff changeset	383	local success;
6568 ffc0a57889aa certmanager: Add locals for ssl.context and ssl.x509 Kim Alvefur <zash@zash.se> parents: 6567 diff changeset	384	success, err = ssl_context.setcipher(ctx, user_ssl_config.ciphers);
4359 c69cbac4178f certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option. Waqas Hussain <waqas20@gmail.com> parents: 3670 diff changeset	385	if not success then ctx = nil; end
c69cbac4178f certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option. Waqas Hussain <waqas20@gmail.com> parents: 3670 diff changeset	386	end
c69cbac4178f certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option. Waqas Hussain <waqas20@gmail.com> parents: 3670 diff changeset	387
3355 9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147 Matthew Wild <mwild1@gmail.com> parents: 2739 diff changeset	388	if not ctx then
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147 Matthew Wild <mwild1@gmail.com> parents: 2739 diff changeset	389	err = err or "invalid ssl config"
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147 Matthew Wild <mwild1@gmail.com> parents: 2739 diff changeset	390	local file = err:match("^error loading (.-) %(");
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147 Matthew Wild <mwild1@gmail.com> parents: 2739 diff changeset	391	if file then
7746 d018ffc9238c core.certmanager: Translate "no start line" to something friendlier (thanks santiago) Kim Alvefur <zash@zash.se> parents: 7666 diff changeset	392	local typ;
3355 9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147 Matthew Wild <mwild1@gmail.com> parents: 2739 diff changeset	393	if file == "private key" then
7746 d018ffc9238c core.certmanager: Translate "no start line" to something friendlier (thanks santiago) Kim Alvefur <zash@zash.se> parents: 7666 diff changeset	394	typ = file;
5684 5554029d759b certmanager: Overhaul of how ssl configs are built. Kim Alvefur <zash@zash.se> parents: 5679 diff changeset	395	file = user_ssl_config.key or "your private key";
3355 9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147 Matthew Wild <mwild1@gmail.com> parents: 2739 diff changeset	396	elseif file == "certificate" then
7746 d018ffc9238c core.certmanager: Translate "no start line" to something friendlier (thanks santiago) Kim Alvefur <zash@zash.se> parents: 7666 diff changeset	397	typ = file;
5684 5554029d759b certmanager: Overhaul of how ssl configs are built. Kim Alvefur <zash@zash.se> parents: 5679 diff changeset	398	file = user_ssl_config.certificate or "your certificate file";
3355 9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147 Matthew Wild <mwild1@gmail.com> parents: 2739 diff changeset	399	end
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147 Matthew Wild <mwild1@gmail.com> parents: 2739 diff changeset	400	local reason = err:match("%((.+)%)$") or "some reason";
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147 Matthew Wild <mwild1@gmail.com> parents: 2739 diff changeset	401	if reason == "Permission denied" then
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147 Matthew Wild <mwild1@gmail.com> parents: 2739 diff changeset	402	reason = "Check that the permissions allow Prosody to read this file.";
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147 Matthew Wild <mwild1@gmail.com> parents: 2739 diff changeset	403	elseif reason == "No such file or directory" then
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147 Matthew Wild <mwild1@gmail.com> parents: 2739 diff changeset	404	reason = "Check that the path is correct, and the file exists.";
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147 Matthew Wild <mwild1@gmail.com> parents: 2739 diff changeset	405	elseif reason == "system lib" then
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147 Matthew Wild <mwild1@gmail.com> parents: 2739 diff changeset	406	reason = "Previous error (see logs), or other system error.";
7746 d018ffc9238c core.certmanager: Translate "no start line" to something friendlier (thanks santiago) Kim Alvefur <zash@zash.se> parents: 7666 diff changeset	407	elseif reason == "no start line" then
d018ffc9238c core.certmanager: Translate "no start line" to something friendlier (thanks santiago) Kim Alvefur <zash@zash.se> parents: 7666 diff changeset	408	reason = "Check that the file contains a "..(typ or file);
3355 9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147 Matthew Wild <mwild1@gmail.com> parents: 2739 diff changeset	409	elseif reason == "(null)" or not reason then
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147 Matthew Wild <mwild1@gmail.com> parents: 2739 diff changeset	410	reason = "Check that the file exists and the permissions are correct";
2630 e8fc67b73820 certmanager: Bring back the friendly errors when failing to load the key/certificate file Matthew Wild <mwild1@gmail.com> parents: 2564 diff changeset	411	else
3355 9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147 Matthew Wild <mwild1@gmail.com> parents: 2739 diff changeset	412	reason = "Reason: "..tostring(reason):lower();
2630 e8fc67b73820 certmanager: Bring back the friendly errors when failing to load the key/certificate file Matthew Wild <mwild1@gmail.com> parents: 2564 diff changeset	413	end
4925 55f6e0673e33 certmanager: Add quotes around cert file path when logging. Waqas Hussain <waqas20@gmail.com> parents: 4900 diff changeset	414	log("error", "SSL/TLS: Failed to load '%s': %s (for %s)", file, reason, host);
3355 9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147 Matthew Wild <mwild1@gmail.com> parents: 2739 diff changeset	415	else
4855 a31ea431d906 certmanager: Adjust error messages to be non-specific about 'host' (so we can specify a service name instead ffor SSL) Matthew Wild <mwild1@gmail.com> parents: 4656 diff changeset	416	log("error", "SSL/TLS: Error initialising for %s: %s", host, err);
3355 9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147 Matthew Wild <mwild1@gmail.com> parents: 2739 diff changeset	417	end
3540 bc139431830b Monster whitespace commit (beware the whitespace monster). Waqas Hussain <waqas20@gmail.com> parents: 3402 diff changeset	418	end
6529 873538f0b18c certmanager, mod_tls: Return final ssl config as third return value (fix for c6caaa440e74, portmanager assumes non-falsy second return value is an error) (thanks deoren) Kim Alvefur <zash@zash.se> parents: 6523 diff changeset	419	return ctx, err, user_ssl_config;
2554 b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts Matthew Wild <mwild1@gmail.com> parents: diff changeset	420	end
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts Matthew Wild <mwild1@gmail.com> parents: diff changeset	421
6782 6236668da30a core.: Remove use of module() function Kim Alvefur <zash@zash.se>* parents: 6573 diff changeset	422	local function reload_ssl_config()
5684 5554029d759b certmanager: Overhaul of how ssl configs are built. Kim Alvefur <zash@zash.se> parents: 5679 diff changeset	423	global_ssl_config = configmanager.get("*", "ssl");
8162 3850993a9bda certmanager: Update the 'certificates' option after the config has been reloaded (fixes #929) Kim Alvefur <zash@zash.se> parents: 7746 diff changeset	424	global_certificates = configmanager.get("*", "certificates") or "certs";
8406 ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7 Kim Alvefur <zash@zash.se> parents: 8282 diff changeset	425	if luasec_has.options.no_compression then
6080 b7d1607df87d certmanager: Update ssl_compression when config is reloaded Kim Alvefur <zash@zash.se> parents: 6079 diff changeset	426	core_defaults.options.no_compression = configmanager.get("*", "ssl_compression") ~= true;
b7d1607df87d certmanager: Update ssl_compression when config is reloaded Kim Alvefur <zash@zash.se> parents: 6079 diff changeset	427	end
11713 5810166f35d5 core.certmanager: Support 'use_dane' setting to enable DANE support Kim Alvefur <zash@zash.se> parents: 11595 diff changeset	428	core_defaults.dane = configmanager.get("*", "use_dane") or false;
11541 a09685a7b330 core.certmanager: Resolve certs path relative to config dir Kim Alvefur <zash@zash.se> parents: 11538 diff changeset	429	cert_index = index_certs(resolve_path(config_path, global_certificates));
2554 b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts Matthew Wild <mwild1@gmail.com> parents: diff changeset	430	end
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts Matthew Wild <mwild1@gmail.com> parents: diff changeset	431
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts Matthew Wild <mwild1@gmail.com> parents: diff changeset	432	prosody.events.add_handler("config-reloaded", reload_ssl_config);
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts Matthew Wild <mwild1@gmail.com> parents: diff changeset	433
6782 6236668da30a core.: Remove use of module() function Kim Alvefur <zash@zash.se>* parents: 6573 diff changeset	434	return {
6236668da30a core.: Remove use of module() function Kim Alvefur <zash@zash.se>* parents: 6573 diff changeset	435	create_context = create_context;
6236668da30a core.: Remove use of module() function Kim Alvefur <zash@zash.se>* parents: 6573 diff changeset	436	reload_ssl_config = reload_ssl_config;
8277 3798955049e3 prosodyctl: cert import: Reuse function from certmanager for locating certificates and keys Kim Alvefur <zash@zash.se> parents: 8262 diff changeset	437	find_cert = find_cert;
12108 29765ac7f72f prosodyctl cert: use the indexing functions for better UX Jonas Schäfer <jonas@wielicki.name> parents: 12103 diff changeset	438	index_certs = index_certs;
10467 fbeb7a3fc4eb core.portmanager: Fix TLS context inheritance for SNI hosts (completes SNI support) Kim Alvefur <zash@zash.se> parents: 10241 diff changeset	439	find_host_cert = find_host_cert;
12108 29765ac7f72f prosodyctl cert: use the indexing functions for better UX Jonas Schäfer <jonas@wielicki.name> parents: 12103 diff changeset	440	find_cert_in_index = find_cert_in_index;
6782 6236668da30a core.: Remove use of module() function Kim Alvefur <zash@zash.se>* parents: 6573 diff changeset	441	};

author	Matthew Wild <mwild1@gmail.com>
	Wed, 27 Mar 2024 15:35:15 +0000
branch	0.12
changeset 13469	54a936345aaa
parent 13295	24070d47a6e7
child 13296	8fbdd878fcf6
permissions	-rw-r--r--