prosody: core/certmanager.lua@b05e0b422ff7 (annotated)

3369 9a96969d4670 certmanager: Added copyright header. Waqas Hussain <waqas20@gmail.com> parents: 3368 diff changeset	1	-- Prosody IM
9a96969d4670 certmanager: Added copyright header. Waqas Hussain <waqas20@gmail.com> parents: 3368 diff changeset	2	-- Copyright (C) 2008-2010 Matthew Wild
9a96969d4670 certmanager: Added copyright header. Waqas Hussain <waqas20@gmail.com> parents: 3368 diff changeset	3	-- Copyright (C) 2008-2010 Waqas Hussain
5776 bd0ff8ae98a8 Remove all trailing whitespace Florian Zeitz <florob@babelmonkeys.de> parents: 5746 diff changeset	4	--
3369 9a96969d4670 certmanager: Added copyright header. Waqas Hussain <waqas20@gmail.com> parents: 3368 diff changeset	5	-- This project is MIT/X11 licensed. Please see the
9a96969d4670 certmanager: Added copyright header. Waqas Hussain <waqas20@gmail.com> parents: 3368 diff changeset	6	-- COPYING file in the source package for more information.
9a96969d4670 certmanager: Added copyright header. Waqas Hussain <waqas20@gmail.com> parents: 3368 diff changeset	7	--
9a96969d4670 certmanager: Added copyright header. Waqas Hussain <waqas20@gmail.com> parents: 3368 diff changeset	8
6567 bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable Kim Alvefur <zash@zash.se> parents: 6550 diff changeset	9	local softreq = require"util.dependencies".softreq;
bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable Kim Alvefur <zash@zash.se> parents: 6550 diff changeset	10	local ssl = softreq"ssl";
bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable Kim Alvefur <zash@zash.se> parents: 6550 diff changeset	11	if not ssl then
bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable Kim Alvefur <zash@zash.se> parents: 6550 diff changeset	12	return {
bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable Kim Alvefur <zash@zash.se> parents: 6550 diff changeset	13	create_context = function ()
bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable Kim Alvefur <zash@zash.se> parents: 6550 diff changeset	14	return nil, "LuaSec (required for encryption) was not found";
bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable Kim Alvefur <zash@zash.se> parents: 6550 diff changeset	15	end;
bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable Kim Alvefur <zash@zash.se> parents: 6550 diff changeset	16	reload_ssl_config = function () end;
bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable Kim Alvefur <zash@zash.se> parents: 6550 diff changeset	17	}
bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable Kim Alvefur <zash@zash.se> parents: 6550 diff changeset	18	end
bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable Kim Alvefur <zash@zash.se> parents: 6550 diff changeset	19
2554 b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts Matthew Wild <mwild1@gmail.com> parents: diff changeset	20	local configmanager = require "core.configmanager";
2630 e8fc67b73820 certmanager: Bring back the friendly errors when failing to load the key/certificate file Matthew Wild <mwild1@gmail.com> parents: 2564 diff changeset	21	local log = require "util.logger".init("certmanager");
6568 ffc0a57889aa certmanager: Add locals for ssl.context and ssl.x509 Kim Alvefur <zash@zash.se> parents: 6567 diff changeset	22	local ssl_context = ssl.context or softreq"ssl.context";
6567 bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable Kim Alvefur <zash@zash.se> parents: 6550 diff changeset	23	local ssl_newcontext = ssl.newcontext;
6293 851fb5e9fa0c core.certmanager: Use util.sslconfig Kim Alvefur <zash@zash.se> parents: 6165 diff changeset	24	local new_config = require"util.sslconfig".new;
7125 89c51ee23122 core.certmanager: Look for certificate and key in a few different places Kim Alvefur <zash@zash.se> parents: 6906 diff changeset	25	local stat = require "lfs".attributes;
2554 b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts Matthew Wild <mwild1@gmail.com> parents: diff changeset	26
11536 c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	27	local x509 = require "util.x509";
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	28	local lfs = require "lfs";
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	29
7163 5c1ee8c06235 certmanager: Localize tonumber Matthew Wild <mwild1@gmail.com> parents: 7148 diff changeset	30	local tonumber, tostring = tonumber, tostring;
5684 5554029d759b certmanager: Overhaul of how ssl configs are built. Kim Alvefur <zash@zash.se> parents: 5679 diff changeset	31	local pairs = pairs;
8407 ca52d40e74da certmanager: Filter out curves not supported by LuaSec Kim Alvefur <zash@zash.se> parents: 8406 diff changeset	32	local t_remove = table.remove;
5820 6bc4077bc1f9 certmanager: Fix dhparam callback, missing imports (Testing, pfft) Kim Alvefur <zash@zash.se> parents: 5816 diff changeset	33	local type = type;
6bc4077bc1f9 certmanager: Fix dhparam callback, missing imports (Testing, pfft) Kim Alvefur <zash@zash.se> parents: 5816 diff changeset	34	local io_open = io.open;
6294 0033b021038f core.certmanager: Make create_context() support an arbitrary number of option sets, merging all Kim Alvefur <zash@zash.se> parents: 6293 diff changeset	35	local select = select;
11536 c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	36	local now = os.time;
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	37	local next = next;
11542 30feeb4d9d0b core.certmanager: Catch error from lfs Kim Alvefur <zash@zash.se> parents: 11541 diff changeset	38	local pcall = pcall;
2554 b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts Matthew Wild <mwild1@gmail.com> parents: diff changeset	39
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts Matthew Wild <mwild1@gmail.com> parents: diff changeset	40	local prosody = prosody;
11537 f97592336399 core.certmanager: Join paths with OS-aware util.paths function Kim Alvefur <zash@zash.se> parents: 11536 diff changeset	41	local pathutil = require"util.paths";
f97592336399 core.certmanager: Join paths with OS-aware util.paths function Kim Alvefur <zash@zash.se> parents: 11536 diff changeset	42	local resolve_path = pathutil.resolve_relative_path;
7534 2db68d1a6eeb certmanager: Assume default config path of '.' (fixes prosodyctl check certs when not installed) Kim Alvefur <zash@zash.se> parents: 7322 diff changeset	43	local config_path = prosody.paths.config or ".";
2554 b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts Matthew Wild <mwild1@gmail.com> parents: diff changeset	44
11553 5a484bd050a7 core.certmanager: Test for SSL options in absence of LuaSec config Kim Alvefur <zash@zash.se> parents: 11552 diff changeset	45	local function test_option(option)
5a484bd050a7 core.certmanager: Test for SSL options in absence of LuaSec config Kim Alvefur <zash@zash.se> parents: 11552 diff changeset	46	return not not ssl_newcontext({mode="server",protocol="sslv23",options={ option }});
5a484bd050a7 core.certmanager: Test for SSL options in absence of LuaSec config Kim Alvefur <zash@zash.se> parents: 11552 diff changeset	47	end
5a484bd050a7 core.certmanager: Test for SSL options in absence of LuaSec config Kim Alvefur <zash@zash.se> parents: 11552 diff changeset	48
6567 bcf32653cab7 certmanager: Early return from the entire module if LuaSec is unavailable Kim Alvefur <zash@zash.se> parents: 6550 diff changeset	49	local luasec_major, luasec_minor = ssl._VERSION:match("^(%d+)%.(%d+)");
7322 afa83f3ccaad certmanager: Explicitly tonumber() version number segments before doing arithmetic and avoid relying on implicit coercion (thanks David Favro) Matthew Wild <mwild1@gmail.com> parents: 7163 diff changeset	50	local luasec_version = tonumber(luasec_major) * 100 + tonumber(luasec_minor);
11552 55ef50d6cf65 core.certmanager: Attempt to directly access LuaSec config table Kim Alvefur <zash@zash.se> parents: 10725 diff changeset	51	local luasec_has = ssl.config or softreq"ssl.config" or {
8406 ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7 Kim Alvefur <zash@zash.se> parents: 8282 diff changeset	52	algorithms = {
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7 Kim Alvefur <zash@zash.se> parents: 8282 diff changeset	53	ec = luasec_version >= 5;
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7 Kim Alvefur <zash@zash.se> parents: 8282 diff changeset	54	};
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7 Kim Alvefur <zash@zash.se> parents: 8282 diff changeset	55	capabilities = {
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7 Kim Alvefur <zash@zash.se> parents: 8282 diff changeset	56	curves_list = luasec_version >= 7;
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7 Kim Alvefur <zash@zash.se> parents: 8282 diff changeset	57	};
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7 Kim Alvefur <zash@zash.se> parents: 8282 diff changeset	58	options = {
11553 5a484bd050a7 core.certmanager: Test for SSL options in absence of LuaSec config Kim Alvefur <zash@zash.se> parents: 11552 diff changeset	59	cipher_server_preference = test_option("cipher_server_preference");
5a484bd050a7 core.certmanager: Test for SSL options in absence of LuaSec config Kim Alvefur <zash@zash.se> parents: 11552 diff changeset	60	no_ticket = test_option("no_ticket");
5a484bd050a7 core.certmanager: Test for SSL options in absence of LuaSec config Kim Alvefur <zash@zash.se> parents: 11552 diff changeset	61	no_compression = test_option("no_compression");
5a484bd050a7 core.certmanager: Test for SSL options in absence of LuaSec config Kim Alvefur <zash@zash.se> parents: 11552 diff changeset	62	single_dh_use = test_option("single_dh_use");
5a484bd050a7 core.certmanager: Test for SSL options in absence of LuaSec config Kim Alvefur <zash@zash.se> parents: 11552 diff changeset	63	single_ecdh_use = test_option("single_ecdh_use");
11555 aaf9c6b6d18d certmanager: Disable renegotiation by default Matthew Wild <mwild1@gmail.com> parents: 11553 diff changeset	64	no_renegotiation = test_option("no_renegotiation");
8406 ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7 Kim Alvefur <zash@zash.se> parents: 8282 diff changeset	65	};
6569 1f396f0fe832 certmanager: Improve "detection" of features that depend on LuaSec version Kim Alvefur <zash@zash.se> parents: 6568 diff changeset	66	};
4899 0b8134015635 certmanager: Don't use no_ticket option before LuaSec 0.4 Matthew Wild <mwild1@gmail.com> parents: 4890 diff changeset	67
6782 6236668da30a core.: Remove use of module() function Kim Alvefur <zash@zash.se>* parents: 6573 diff changeset	68	local _ENV = nil;
8558 4f0f5b49bb03 vairious: Add annotation when an empty environment is set [luacheck] Kim Alvefur <zash@zash.se> parents: 8497 diff changeset	69	-- luacheck: std none
2554 b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts Matthew Wild <mwild1@gmail.com> parents: diff changeset	70
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts Matthew Wild <mwild1@gmail.com> parents: diff changeset	71	-- Global SSL options if not overridden per-host
5684 5554029d759b certmanager: Overhaul of how ssl configs are built. Kim Alvefur <zash@zash.se> parents: 5679 diff changeset	72	local global_ssl_config = configmanager.get("*", "ssl");
5554029d759b certmanager: Overhaul of how ssl configs are built. Kim Alvefur <zash@zash.se> parents: 5679 diff changeset	73
7125 89c51ee23122 core.certmanager: Look for certificate and key in a few different places Kim Alvefur <zash@zash.se> parents: 6906 diff changeset	74	local global_certificates = configmanager.get("*", "certificates") or "certs";
89c51ee23122 core.certmanager: Look for certificate and key in a few different places Kim Alvefur <zash@zash.se> parents: 6906 diff changeset	75
89c51ee23122 core.certmanager: Look for certificate and key in a few different places Kim Alvefur <zash@zash.se> parents: 6906 diff changeset	76	local crt_try = { "", "/%s.crt", "/%s/fullchain.pem", "/%s.pem", };
89c51ee23122 core.certmanager: Look for certificate and key in a few different places Kim Alvefur <zash@zash.se> parents: 6906 diff changeset	77	local key_try = { "", "/%s.key", "/%s/privkey.pem", "/%s.pem", };
89c51ee23122 core.certmanager: Look for certificate and key in a few different places Kim Alvefur <zash@zash.se> parents: 6906 diff changeset	78
7143 b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614) Matthew Wild <mwild1@gmail.com> parents: 7125 diff changeset	79	local function find_cert(user_certs, name)
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614) Matthew Wild <mwild1@gmail.com> parents: 7125 diff changeset	80	local certs = resolve_path(config_path, user_certs or global_certificates);
8262 db063671b73e certmanager: Add debug logging (thanks av6) Matthew Wild <mwild1@gmail.com> parents: 8162 diff changeset	81	log("debug", "Searching %s for a key and certificate for %s...", certs, name);
7125 89c51ee23122 core.certmanager: Look for certificate and key in a few different places Kim Alvefur <zash@zash.se> parents: 6906 diff changeset	82	for i = 1, #crt_try do
7143 b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614) Matthew Wild <mwild1@gmail.com> parents: 7125 diff changeset	83	local crt_path = certs .. crt_try[i]:format(name);
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614) Matthew Wild <mwild1@gmail.com> parents: 7125 diff changeset	84	local key_path = certs .. key_try[i]:format(name);
7125 89c51ee23122 core.certmanager: Look for certificate and key in a few different places Kim Alvefur <zash@zash.se> parents: 6906 diff changeset	85
89c51ee23122 core.certmanager: Look for certificate and key in a few different places Kim Alvefur <zash@zash.se> parents: 6906 diff changeset	86	if stat(crt_path, "mode") == "file" then
10713 fcf7f50ccdd0 core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526) Kim Alvefur <zash@zash.se> parents: 8831 diff changeset	87	if crt_path == key_path then
fcf7f50ccdd0 core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526) Kim Alvefur <zash@zash.se> parents: 8831 diff changeset	88	if key_path:sub(-4) == ".crt" then
fcf7f50ccdd0 core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526) Kim Alvefur <zash@zash.se> parents: 8831 diff changeset	89	key_path = key_path:sub(1, -4) .. "key";
11535 2bd91d4a0fcf core.certmanager: Check for complete filename Kim Alvefur <zash@zash.se> parents: 11372 diff changeset	90	elseif key_path:sub(-14) == "/fullchain.pem" then
10713 fcf7f50ccdd0 core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526) Kim Alvefur <zash@zash.se> parents: 8831 diff changeset	91	key_path = key_path:sub(1, -14) .. "privkey.pem";
7125 89c51ee23122 core.certmanager: Look for certificate and key in a few different places Kim Alvefur <zash@zash.se> parents: 6906 diff changeset	92	end
10713 fcf7f50ccdd0 core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526) Kim Alvefur <zash@zash.se> parents: 8831 diff changeset	93	end
fcf7f50ccdd0 core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526) Kim Alvefur <zash@zash.se> parents: 8831 diff changeset	94
fcf7f50ccdd0 core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526) Kim Alvefur <zash@zash.se> parents: 8831 diff changeset	95	if stat(key_path, "mode") == "file" then
8262 db063671b73e certmanager: Add debug logging (thanks av6) Matthew Wild <mwild1@gmail.com> parents: 8162 diff changeset	96	log("debug", "Selecting certificate %s with key %s for %s", crt_path, key_path, name);
7148 b1a109858502 certmanager: Try filename.key if certificate is set to a full filename ending with .crt Kim Alvefur <zash@zash.se> parents: 7147 diff changeset	97	return { certificate = crt_path, key = key_path };
7125 89c51ee23122 core.certmanager: Look for certificate and key in a few different places Kim Alvefur <zash@zash.se> parents: 6906 diff changeset	98	end
89c51ee23122 core.certmanager: Look for certificate and key in a few different places Kim Alvefur <zash@zash.se> parents: 6906 diff changeset	99	end
89c51ee23122 core.certmanager: Look for certificate and key in a few different places Kim Alvefur <zash@zash.se> parents: 6906 diff changeset	100	end
8262 db063671b73e certmanager: Add debug logging (thanks av6) Matthew Wild <mwild1@gmail.com> parents: 8162 diff changeset	101	log("debug", "No certificate/key found for %s", name);
7125 89c51ee23122 core.certmanager: Look for certificate and key in a few different places Kim Alvefur <zash@zash.se> parents: 6906 diff changeset	102	end
89c51ee23122 core.certmanager: Look for certificate and key in a few different places Kim Alvefur <zash@zash.se> parents: 6906 diff changeset	103
11538 1cef62ca3e03 core.certmanager: Skip directly to guessing of key from cert filename Kim Alvefur <zash@zash.se> parents: 11537 diff changeset	104	local function find_matching_key(cert_path)
1cef62ca3e03 core.certmanager: Skip directly to guessing of key from cert filename Kim Alvefur <zash@zash.se> parents: 11537 diff changeset	105	-- FIXME we shouldn't need to guess the key filename
1cef62ca3e03 core.certmanager: Skip directly to guessing of key from cert filename Kim Alvefur <zash@zash.se> parents: 11537 diff changeset	106	if cert_path:sub(-4) == ".crt" then
1cef62ca3e03 core.certmanager: Skip directly to guessing of key from cert filename Kim Alvefur <zash@zash.se> parents: 11537 diff changeset	107	return cert_path:sub(1, -4) .. "key";
1cef62ca3e03 core.certmanager: Skip directly to guessing of key from cert filename Kim Alvefur <zash@zash.se> parents: 11537 diff changeset	108	elseif cert_path:sub(-14) == "/fullchain.pem" then
1cef62ca3e03 core.certmanager: Skip directly to guessing of key from cert filename Kim Alvefur <zash@zash.se> parents: 11537 diff changeset	109	return cert_path:sub(1, -14) .. "privkey.pem";
1cef62ca3e03 core.certmanager: Skip directly to guessing of key from cert filename Kim Alvefur <zash@zash.se> parents: 11537 diff changeset	110	end
1cef62ca3e03 core.certmanager: Skip directly to guessing of key from cert filename Kim Alvefur <zash@zash.se> parents: 11537 diff changeset	111	end
1cef62ca3e03 core.certmanager: Skip directly to guessing of key from cert filename Kim Alvefur <zash@zash.se> parents: 11537 diff changeset	112
11536 c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	113	local function index_certs(dir, files_by_name, depth_limit)
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	114	files_by_name = files_by_name or {};
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	115	depth_limit = depth_limit or 3;
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	116	if depth_limit <= 0 then return files_by_name; end
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	117
11542 30feeb4d9d0b core.certmanager: Catch error from lfs Kim Alvefur <zash@zash.se> parents: 11541 diff changeset	118	local ok, iter, v, i = pcall(lfs.dir, dir);
30feeb4d9d0b core.certmanager: Catch error from lfs Kim Alvefur <zash@zash.se> parents: 11541 diff changeset	119	if not ok then
30feeb4d9d0b core.certmanager: Catch error from lfs Kim Alvefur <zash@zash.se> parents: 11541 diff changeset	120	log("error", "Error indexing certificate directory %s: %s", dir, iter);
30feeb4d9d0b core.certmanager: Catch error from lfs Kim Alvefur <zash@zash.se> parents: 11541 diff changeset	121	-- Return an empty index, otherwise this just triggers a nil indexing
30feeb4d9d0b core.certmanager: Catch error from lfs Kim Alvefur <zash@zash.se> parents: 11541 diff changeset	122	-- error, plus this function would get called again.
30feeb4d9d0b core.certmanager: Catch error from lfs Kim Alvefur <zash@zash.se> parents: 11541 diff changeset	123	-- Reloading the config after correcting the problem calls this again so
30feeb4d9d0b core.certmanager: Catch error from lfs Kim Alvefur <zash@zash.se> parents: 11541 diff changeset	124	-- that's what should be done.
30feeb4d9d0b core.certmanager: Catch error from lfs Kim Alvefur <zash@zash.se> parents: 11541 diff changeset	125	return {}, iter;
30feeb4d9d0b core.certmanager: Catch error from lfs Kim Alvefur <zash@zash.se> parents: 11541 diff changeset	126	end
30feeb4d9d0b core.certmanager: Catch error from lfs Kim Alvefur <zash@zash.se> parents: 11541 diff changeset	127	for file in iter, v, i do
11537 f97592336399 core.certmanager: Join paths with OS-aware util.paths function Kim Alvefur <zash@zash.se> parents: 11536 diff changeset	128	local full = pathutil.join(dir, file);
11536 c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	129	if lfs.attributes(full, "mode") == "directory" then
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	130	if file:sub(1,1) ~= "." then
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	131	index_certs(full, files_by_name, depth_limit-1);
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	132	end
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	133	-- TODO support more filename patterns?
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	134	elseif full:match("%.crt$") or full:match("/fullchain%.pem$") then
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	135	local f = io_open(full);
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	136	if f then
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	137	-- TODO look for chained certificates
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	138	local firstline = f:read();
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	139	if firstline == "-----BEGIN CERTIFICATE-----" then
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	140	f:seek("set")
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	141	local cert = ssl.loadcertificate(f:read("*a"))
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	142	-- TODO if more than one cert is found for a name, the most recently
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	143	-- issued one should be used.
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	144	-- for now, just filter out expired certs
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	145	-- TODO also check if there's a corresponding key
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	146	if cert:validat(now()) then
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	147	local names = x509.get_identities(cert);
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	148	log("debug", "Found certificate %s with identities %q", full, names);
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	149	for name, services in pairs(names) do
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	150	-- TODO check services
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	151	if files_by_name[name] then
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	152	files_by_name[name][full] = services;
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	153	else
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	154	files_by_name[name] = { [full] = services; };
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	155	end
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	156	end
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	157	end
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	158	end
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	159	f:close();
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	160	end
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	161	end
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	162	end
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	163	log("debug", "Certificate index: %q", files_by_name);
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	164	-- \| hostname \| filename \| service \|
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	165	return files_by_name;
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	166	end
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	167
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	168	local cert_index;
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	169
12108 29765ac7f72f prosodyctl cert: use the indexing functions for better UX Jonas Schäfer <jonas@wielicki.name> parents: 12103 diff changeset	170	local function find_cert_in_index(index, host)
7143 b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614) Matthew Wild <mwild1@gmail.com> parents: 7125 diff changeset	171	if not host then return nil; end
12108 29765ac7f72f prosodyctl cert: use the indexing functions for better UX Jonas Schäfer <jonas@wielicki.name> parents: 12103 diff changeset	172	if not index then return nil; end
12109 47c9a76cce7d core.certmanager: Check index for wildcard certs Kim Alvefur <zash@zash.se> parents: 12108 diff changeset	173	local wildcard_host = host:gsub("^[^.]+%.", "*.");
47c9a76cce7d core.certmanager: Check index for wildcard certs Kim Alvefur <zash@zash.se> parents: 12108 diff changeset	174	local certs = index[host] or index[wildcard_host];
11536 c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	175	if certs then
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	176	local cert_filename, services = next(certs);
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	177	if services["*"] then
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	178	log("debug", "Using cert %q from index", cert_filename);
11538 1cef62ca3e03 core.certmanager: Skip directly to guessing of key from cert filename Kim Alvefur <zash@zash.se> parents: 11537 diff changeset	179	return {
1cef62ca3e03 core.certmanager: Skip directly to guessing of key from cert filename Kim Alvefur <zash@zash.se> parents: 11537 diff changeset	180	certificate = cert_filename,
1cef62ca3e03 core.certmanager: Skip directly to guessing of key from cert filename Kim Alvefur <zash@zash.se> parents: 11537 diff changeset	181	key = find_matching_key(cert_filename),
1cef62ca3e03 core.certmanager: Skip directly to guessing of key from cert filename Kim Alvefur <zash@zash.se> parents: 11537 diff changeset	182	}
11536 c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	183	end
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	184	end
12108 29765ac7f72f prosodyctl cert: use the indexing functions for better UX Jonas Schäfer <jonas@wielicki.name> parents: 12103 diff changeset	185	return nil
29765ac7f72f prosodyctl cert: use the indexing functions for better UX Jonas Schäfer <jonas@wielicki.name> parents: 12103 diff changeset	186	end
11536 c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	187
12108 29765ac7f72f prosodyctl cert: use the indexing functions for better UX Jonas Schäfer <jonas@wielicki.name> parents: 12103 diff changeset	188	local function find_host_cert(host)
29765ac7f72f prosodyctl cert: use the indexing functions for better UX Jonas Schäfer <jonas@wielicki.name> parents: 12103 diff changeset	189	if not host then return nil; end
29765ac7f72f prosodyctl cert: use the indexing functions for better UX Jonas Schäfer <jonas@wielicki.name> parents: 12103 diff changeset	190	if not cert_index then
29765ac7f72f prosodyctl cert: use the indexing functions for better UX Jonas Schäfer <jonas@wielicki.name> parents: 12103 diff changeset	191	cert_index = index_certs(resolve_path(config_path, global_certificates));
29765ac7f72f prosodyctl cert: use the indexing functions for better UX Jonas Schäfer <jonas@wielicki.name> parents: 12103 diff changeset	192	end
29765ac7f72f prosodyctl cert: use the indexing functions for better UX Jonas Schäfer <jonas@wielicki.name> parents: 12103 diff changeset	193
29765ac7f72f prosodyctl cert: use the indexing functions for better UX Jonas Schäfer <jonas@wielicki.name> parents: 12103 diff changeset	194	return find_cert_in_index(cert_index, host) or find_cert(configmanager.get(host, "certificate"), host) or find_host_cert(host:match("%.(.+)$"));
7143 b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614) Matthew Wild <mwild1@gmail.com> parents: 7125 diff changeset	195	end
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614) Matthew Wild <mwild1@gmail.com> parents: 7125 diff changeset	196
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614) Matthew Wild <mwild1@gmail.com> parents: 7125 diff changeset	197	local function find_service_cert(service, port)
11536 c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	198	if not cert_index then
11541 a09685a7b330 core.certmanager: Resolve certs path relative to config dir Kim Alvefur <zash@zash.se> parents: 11538 diff changeset	199	cert_index = index_certs(resolve_path(config_path, global_certificates));
11536 c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	200	end
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	201	for _, certs in pairs(cert_index) do
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	202	for cert_filename, services in pairs(certs) do
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	203	if services[service] or services["*"] then
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	204	log("debug", "Using cert %q from index", cert_filename);
11538 1cef62ca3e03 core.certmanager: Skip directly to guessing of key from cert filename Kim Alvefur <zash@zash.se> parents: 11537 diff changeset	205	return {
1cef62ca3e03 core.certmanager: Skip directly to guessing of key from cert filename Kim Alvefur <zash@zash.se> parents: 11537 diff changeset	206	certificate = cert_filename,
1cef62ca3e03 core.certmanager: Skip directly to guessing of key from cert filename Kim Alvefur <zash@zash.se> parents: 11537 diff changeset	207	key = find_matching_key(cert_filename),
1cef62ca3e03 core.certmanager: Skip directly to guessing of key from cert filename Kim Alvefur <zash@zash.se> parents: 11537 diff changeset	208	}
11536 c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	209	end
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	210	end
c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	211	end
7143 b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614) Matthew Wild <mwild1@gmail.com> parents: 7125 diff changeset	212	local cert_config = configmanager.get("*", service.."_certificate");
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614) Matthew Wild <mwild1@gmail.com> parents: 7125 diff changeset	213	if type(cert_config) == "table" then
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614) Matthew Wild <mwild1@gmail.com> parents: 7125 diff changeset	214	cert_config = cert_config[port] or cert_config.default;
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614) Matthew Wild <mwild1@gmail.com> parents: 7125 diff changeset	215	end
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614) Matthew Wild <mwild1@gmail.com> parents: 7125 diff changeset	216	return find_cert(cert_config, service);
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614) Matthew Wild <mwild1@gmail.com> parents: 7125 diff changeset	217	end
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614) Matthew Wild <mwild1@gmail.com> parents: 7125 diff changeset	218
6079 5cffee5b2826 certmanager: Reformat core ssl defaults Kim Alvefur <zash@zash.se> parents: 6078 diff changeset	219	-- Built-in defaults
5684 5554029d759b certmanager: Overhaul of how ssl configs are built. Kim Alvefur <zash@zash.se> parents: 5679 diff changeset	220	local core_defaults = {
5554029d759b certmanager: Overhaul of how ssl configs are built. Kim Alvefur <zash@zash.se> parents: 5679 diff changeset	221	capath = "/etc/ssl/certs";
6571 b54b33f59c6e certmanager: Limit certificate chain depth to 9 Kim Alvefur <zash@zash.se> parents: 6570 diff changeset	222	depth = 9;
6078 30ac122acdd3 certmanager: Support ssl.protocol syntax like "tlsv1+" that disables older protocols Kim Alvefur <zash@zash.se> parents: 6077 diff changeset	223	protocol = "tlsv1+";
9856 6ea3cafb6ac3 core.certmanager: Do not ask for client certificates by default Kim Alvefur <zash@zash.se> parents: 8831 diff changeset	224	verify = "none";
6079 5cffee5b2826 certmanager: Reformat core ssl defaults Kim Alvefur <zash@zash.se> parents: 6078 diff changeset	225	options = {
8406 ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7 Kim Alvefur <zash@zash.se> parents: 8282 diff changeset	226	cipher_server_preference = luasec_has.options.cipher_server_preference;
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7 Kim Alvefur <zash@zash.se> parents: 8282 diff changeset	227	no_ticket = luasec_has.options.no_ticket;
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7 Kim Alvefur <zash@zash.se> parents: 8282 diff changeset	228	no_compression = luasec_has.options.no_compression and configmanager.get("*", "ssl_compression") ~= true;
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7 Kim Alvefur <zash@zash.se> parents: 8282 diff changeset	229	single_dh_use = luasec_has.options.single_dh_use;
ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7 Kim Alvefur <zash@zash.se> parents: 8282 diff changeset	230	single_ecdh_use = luasec_has.options.single_ecdh_use;
11555 aaf9c6b6d18d certmanager: Disable renegotiation by default Matthew Wild <mwild1@gmail.com> parents: 11553 diff changeset	231	no_renegotiation = luasec_has.options.no_renegotiation;
6079 5cffee5b2826 certmanager: Reformat core ssl defaults Kim Alvefur <zash@zash.se> parents: 6078 diff changeset	232	};
11372 0bc3acf37428 core.certmanager: Add comments explaining the 'verifyext' TLS settings Kim Alvefur <zash@zash.se> parents: 10923 diff changeset	233	verifyext = {
0bc3acf37428 core.certmanager: Add comments explaining the 'verifyext' TLS settings Kim Alvefur <zash@zash.se> parents: 10923 diff changeset	234	"lsec_continue", -- Continue past certificate verification errors
0bc3acf37428 core.certmanager: Add comments explaining the 'verifyext' TLS settings Kim Alvefur <zash@zash.se> parents: 10923 diff changeset	235	"lsec_ignore_purpose", -- Validate client certificates as if they were server certificates
0bc3acf37428 core.certmanager: Add comments explaining the 'verifyext' TLS settings Kim Alvefur <zash@zash.se> parents: 10923 diff changeset	236	};
8408 a3cf899fd61b certmanager: Set single curve conditioned on LuaSec advertising EC crypto support Kim Alvefur <zash@zash.se> parents: 8407 diff changeset	237	curve = luasec_has.algorithms.ec and not luasec_has.capabilities.curves_list and "secp384r1";
8282 92cddfe65003 core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1 Kim Alvefur <zash@zash.se> parents: 8277 diff changeset	238	curveslist = {
92cddfe65003 core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1 Kim Alvefur <zash@zash.se> parents: 8277 diff changeset	239	"X25519",
92cddfe65003 core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1 Kim Alvefur <zash@zash.se> parents: 8277 diff changeset	240	"P-384",
92cddfe65003 core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1 Kim Alvefur <zash@zash.se> parents: 8277 diff changeset	241	"P-256",
92cddfe65003 core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1 Kim Alvefur <zash@zash.se> parents: 8277 diff changeset	242	"P-521",
92cddfe65003 core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1 Kim Alvefur <zash@zash.se> parents: 8277 diff changeset	243	};
7666 54424e981796 core.certmanager: Split cipher list into array with comments explaining each part Kim Alvefur <zash@zash.se> parents: 7534 diff changeset	244	ciphers = { -- Enabled ciphers in order of preference:
10725 3a1b1d3084fb core.certmanager: Move EECDH ciphers before EDH in default cipherstring (fixes #1513) Kim Alvefur <zash@zash.se> parents: 10713 diff changeset	245	"HIGH+kEECDH", -- Ephemeral Elliptic curve Diffie-Hellman key exchange
7666 54424e981796 core.certmanager: Split cipher list into array with comments explaining each part Kim Alvefur <zash@zash.se> parents: 7534 diff changeset	246	"HIGH+kEDH", -- Ephemeral Diffie-Hellman key exchange, if a 'dhparam' file is set
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part Kim Alvefur <zash@zash.se> parents: 7534 diff changeset	247	"HIGH", -- Other "High strength" ciphers
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part Kim Alvefur <zash@zash.se> parents: 7534 diff changeset	248	-- Disabled cipher suites:
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part Kim Alvefur <zash@zash.se> parents: 7534 diff changeset	249	"!PSK", -- Pre-Shared Key - not used for XMPP
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part Kim Alvefur <zash@zash.se> parents: 7534 diff changeset	250	"!SRP", -- Secure Remote Password - not used for XMPP
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part Kim Alvefur <zash@zash.se> parents: 7534 diff changeset	251	"!3DES", -- 3DES - slow and of questionable security
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part Kim Alvefur <zash@zash.se> parents: 7534 diff changeset	252	"!aNULL", -- Ciphers that does not authenticate the connection
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part Kim Alvefur <zash@zash.se> parents: 7534 diff changeset	253	};
12154 653a48b5a25b core.certmanager: Disable DANE name checks (not needed for XMPP) Kim Alvefur <zash@zash.se> parents: 12124 diff changeset	254	dane = luasec_has.capabilities.dane and configmanager.get("*", "use_dane") and { "no_ee_namechecks" };
5684 5554029d759b certmanager: Overhaul of how ssl configs are built. Kim Alvefur <zash@zash.se> parents: 5679 diff changeset	255	}
8407 ca52d40e74da certmanager: Filter out curves not supported by LuaSec Kim Alvefur <zash@zash.se> parents: 8406 diff changeset	256
12100 dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	257	local mozilla_ssl_configs = {
12101 9c794d5f6f8d core.certmanager: Add TLS 1.3 cipher suites to Mozilla TLS presets Kim Alvefur <zash@zash.se> parents: 12100 diff changeset	258	-- https://wiki.mozilla.org/Security/Server_Side_TLS
12124 0fcd80a55f15 core.certmanager: Add curveslist to 'old' Mozilla TLS preset Kim Alvefur <zash@zash.se> parents: 12109 diff changeset	259	-- Version 5.6 as of 2021-12-26
12100 dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	260	modern = {
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	261	protocol = "tlsv1_3";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	262	options = { cipher_server_preference = false };
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	263	ciphers = "DEFAULT"; -- TLS 1.3 uses 'ciphersuites' rather than these
12101 9c794d5f6f8d core.certmanager: Add TLS 1.3 cipher suites to Mozilla TLS presets Kim Alvefur <zash@zash.se> parents: 12100 diff changeset	264	curveslist = { "X25519"; "prime256v1"; "secp384r1" };
9c794d5f6f8d core.certmanager: Add TLS 1.3 cipher suites to Mozilla TLS presets Kim Alvefur <zash@zash.se> parents: 12100 diff changeset	265	ciphersuites = { "TLS_AES_128_GCM_SHA256"; "TLS_AES_256_GCM_SHA384"; "TLS_CHACHA20_POLY1305_SHA256" };
12100 dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	266	};
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	267	intermediate = {
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	268	protocol = "tlsv1_2+";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	269	dhparam = nil; -- ffdhe2048.txt
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	270	options = { cipher_server_preference = false };
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	271	ciphers = {
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	272	"ECDHE-ECDSA-AES128-GCM-SHA256";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	273	"ECDHE-RSA-AES128-GCM-SHA256";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	274	"ECDHE-ECDSA-AES256-GCM-SHA384";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	275	"ECDHE-RSA-AES256-GCM-SHA384";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	276	"ECDHE-ECDSA-CHACHA20-POLY1305";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	277	"ECDHE-RSA-CHACHA20-POLY1305";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	278	"DHE-RSA-AES128-GCM-SHA256";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	279	"DHE-RSA-AES256-GCM-SHA384";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	280	};
12101 9c794d5f6f8d core.certmanager: Add TLS 1.3 cipher suites to Mozilla TLS presets Kim Alvefur <zash@zash.se> parents: 12100 diff changeset	281	curveslist = { "X25519"; "prime256v1"; "secp384r1" };
9c794d5f6f8d core.certmanager: Add TLS 1.3 cipher suites to Mozilla TLS presets Kim Alvefur <zash@zash.se> parents: 12100 diff changeset	282	ciphersuites = { "TLS_AES_128_GCM_SHA256"; "TLS_AES_256_GCM_SHA384"; "TLS_CHACHA20_POLY1305_SHA256" };
12100 dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	283	};
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	284	old = {
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	285	protocol = "tlsv1+";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	286	dhparam = nil; -- openssl dhparam 1024
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	287	options = { cipher_server_preference = true };
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	288	ciphers = {
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	289	"ECDHE-ECDSA-AES128-GCM-SHA256";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	290	"ECDHE-RSA-AES128-GCM-SHA256";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	291	"ECDHE-ECDSA-AES256-GCM-SHA384";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	292	"ECDHE-RSA-AES256-GCM-SHA384";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	293	"ECDHE-ECDSA-CHACHA20-POLY1305";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	294	"ECDHE-RSA-CHACHA20-POLY1305";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	295	"DHE-RSA-AES128-GCM-SHA256";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	296	"DHE-RSA-AES256-GCM-SHA384";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	297	"DHE-RSA-CHACHA20-POLY1305";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	298	"ECDHE-ECDSA-AES128-SHA256";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	299	"ECDHE-RSA-AES128-SHA256";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	300	"ECDHE-ECDSA-AES128-SHA";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	301	"ECDHE-RSA-AES128-SHA";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	302	"ECDHE-ECDSA-AES256-SHA384";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	303	"ECDHE-RSA-AES256-SHA384";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	304	"ECDHE-ECDSA-AES256-SHA";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	305	"ECDHE-RSA-AES256-SHA";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	306	"DHE-RSA-AES128-SHA256";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	307	"DHE-RSA-AES256-SHA256";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	308	"AES128-GCM-SHA256";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	309	"AES256-GCM-SHA384";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	310	"AES128-SHA256";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	311	"AES256-SHA256";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	312	"AES128-SHA";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	313	"AES256-SHA";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	314	"DES-CBC3-SHA";
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	315	};
12124 0fcd80a55f15 core.certmanager: Add curveslist to 'old' Mozilla TLS preset Kim Alvefur <zash@zash.se> parents: 12109 diff changeset	316	curveslist = { "X25519"; "prime256v1"; "secp384r1" };
12101 9c794d5f6f8d core.certmanager: Add TLS 1.3 cipher suites to Mozilla TLS presets Kim Alvefur <zash@zash.se> parents: 12100 diff changeset	317	ciphersuites = { "TLS_AES_128_GCM_SHA256"; "TLS_AES_256_GCM_SHA384"; "TLS_CHACHA20_POLY1305_SHA256" };
12100 dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	318	};
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	319	};
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	320
dfb29b5b0a57 core.certmanager: Presets based on Mozilla SSL Configuration Generator Kim Alvefur <zash@zash.se> parents: 11713 diff changeset	321
8407 ca52d40e74da certmanager: Filter out curves not supported by LuaSec Kim Alvefur <zash@zash.se> parents: 8406 diff changeset	322	if luasec_has.curves then
ca52d40e74da certmanager: Filter out curves not supported by LuaSec Kim Alvefur <zash@zash.se> parents: 8406 diff changeset	323	for i = #core_defaults.curveslist, 1, -1 do
ca52d40e74da certmanager: Filter out curves not supported by LuaSec Kim Alvefur <zash@zash.se> parents: 8406 diff changeset	324	if not luasec_has.curves[ core_defaults.curveslist[i] ] then
ca52d40e74da certmanager: Filter out curves not supported by LuaSec Kim Alvefur <zash@zash.se> parents: 8406 diff changeset	325	t_remove(core_defaults.curveslist, i);
ca52d40e74da certmanager: Filter out curves not supported by LuaSec Kim Alvefur <zash@zash.se> parents: 8406 diff changeset	326	end
ca52d40e74da certmanager: Filter out curves not supported by LuaSec Kim Alvefur <zash@zash.se> parents: 8406 diff changeset	327	end
ca52d40e74da certmanager: Filter out curves not supported by LuaSec Kim Alvefur <zash@zash.se> parents: 8406 diff changeset	328	else
ca52d40e74da certmanager: Filter out curves not supported by LuaSec Kim Alvefur <zash@zash.se> parents: 8406 diff changeset	329	core_defaults.curveslist = nil;
ca52d40e74da certmanager: Filter out curves not supported by LuaSec Kim Alvefur <zash@zash.se> parents: 8406 diff changeset	330	end
ca52d40e74da certmanager: Filter out curves not supported by LuaSec Kim Alvefur <zash@zash.se> parents: 8406 diff changeset	331
5684 5554029d759b certmanager: Overhaul of how ssl configs are built. Kim Alvefur <zash@zash.se> parents: 5679 diff changeset	332	local path_options = { -- These we pass through resolve_path()
5822 970c666c5586 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback Kim Alvefur <zash@zash.se> parents: 5821 diff changeset	333	key = true, certificate = true, cafile = true, capath = true, dhparam = true
5684 5554029d759b certmanager: Overhaul of how ssl configs are built. Kim Alvefur <zash@zash.se> parents: 5679 diff changeset	334	}
5282 4cd57cb49f99 core.certmanager: Add support for LuaSec 0.5. Also compat with MattJs luasec-hg Kim Alvefur <zash@zash.se> parents: 4992 diff changeset	335
6782 6236668da30a core.: Remove use of module() function Kim Alvefur <zash@zash.se>* parents: 6573 diff changeset	336	local function create_context(host, mode, ...)
6293 851fb5e9fa0c core.certmanager: Use util.sslconfig Kim Alvefur <zash@zash.se> parents: 6165 diff changeset	337	local cfg = new_config();
851fb5e9fa0c core.certmanager: Use util.sslconfig Kim Alvefur <zash@zash.se> parents: 6165 diff changeset	338	cfg:apply(core_defaults);
8830 1a29b56a2d63 core.certmanager: Allow all non-whitespace in service name (fixes #1019) Kim Alvefur <zash@zash.se> parents: 8497 diff changeset	339	local service_name, port = host:match("^(%S+) port (%d+)$");
11595 e7a964572f6b core.certmanager: Skip service certificate lookup for https client Kim Alvefur <zash@zash.se> parents: 11564 diff changeset	340	-- port 0 is used with client-only things that normally don't need certificates, e.g. https
e7a964572f6b core.certmanager: Skip service certificate lookup for https client Kim Alvefur <zash@zash.se> parents: 11564 diff changeset	341	if service_name and port ~= "0" then
11536 c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	342	log("debug", "Automatically locating certs for service %s on port %s", service_name, port);
7143 b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614) Matthew Wild <mwild1@gmail.com> parents: 7125 diff changeset	343	cfg:apply(find_service_cert(service_name, tonumber(port)));
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614) Matthew Wild <mwild1@gmail.com> parents: 7125 diff changeset	344	else
11536 c0c859425c22 core.certmanager: Build an index over certificates Kim Alvefur <zash@zash.se> parents: 11535 diff changeset	345	log("debug", "Automatically locating certs for host %s", host);
7143 b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614) Matthew Wild <mwild1@gmail.com> parents: 7125 diff changeset	346	cfg:apply(find_host_cert(host));
b19438c2ca1b certmanager: Support new certificate configuration for non-XMPP services too (fixes #614) Matthew Wild <mwild1@gmail.com> parents: 7125 diff changeset	347	end
6293 851fb5e9fa0c core.certmanager: Use util.sslconfig Kim Alvefur <zash@zash.se> parents: 6165 diff changeset	348	cfg:apply({
851fb5e9fa0c core.certmanager: Use util.sslconfig Kim Alvefur <zash@zash.se> parents: 6165 diff changeset	349	mode = mode,
851fb5e9fa0c core.certmanager: Use util.sslconfig Kim Alvefur <zash@zash.se> parents: 6165 diff changeset	350	-- We can't read the password interactively when daemonized
851fb5e9fa0c core.certmanager: Use util.sslconfig Kim Alvefur <zash@zash.se> parents: 6165 diff changeset	351	password = function() log("error", "Encrypted certificate for %s requires 'ssl' 'password' to be set in config", host); end;
851fb5e9fa0c core.certmanager: Use util.sslconfig Kim Alvefur <zash@zash.se> parents: 6165 diff changeset	352	});
12103 b344edad61d3 core.certmanager: Rename preset option to 'tls_preset' Kim Alvefur <zash@zash.se> parents: 12102 diff changeset	353	local preset = configmanager.get("*", "tls_preset") or "intermediate";
12102 9591b838e3b0 core.certmanager: Add "legacy" preset for keeping previous default settings Kim Alvefur <zash@zash.se> parents: 12101 diff changeset	354	if preset ~= "legacy" then
9591b838e3b0 core.certmanager: Add "legacy" preset for keeping previous default settings Kim Alvefur <zash@zash.se> parents: 12101 diff changeset	355	cfg:apply(mozilla_ssl_configs[preset]);
9591b838e3b0 core.certmanager: Add "legacy" preset for keeping previous default settings Kim Alvefur <zash@zash.se> parents: 12101 diff changeset	356	end
12200 b05e0b422ff7 core.certmanager: Apply TLS preset before global settings (thanks Menel) Kim Alvefur <zash@zash.se> parents: 12154 diff changeset	357	cfg:apply(global_ssl_config);
6076 e0713386319a certmanager: Wrap long line and add comment Kim Alvefur <zash@zash.se> parents: 6075 diff changeset	358
6294 0033b021038f core.certmanager: Make create_context() support an arbitrary number of option sets, merging all Kim Alvefur <zash@zash.se> parents: 6293 diff changeset	359	for i = select('#', ...), 1, -1 do
0033b021038f core.certmanager: Make create_context() support an arbitrary number of option sets, merging all Kim Alvefur <zash@zash.se> parents: 6293 diff changeset	360	cfg:apply(select(i, ...));
0033b021038f core.certmanager: Make create_context() support an arbitrary number of option sets, merging all Kim Alvefur <zash@zash.se> parents: 6293 diff changeset	361	end
0033b021038f core.certmanager: Make create_context() support an arbitrary number of option sets, merging all Kim Alvefur <zash@zash.se> parents: 6293 diff changeset	362	local user_ssl_config = cfg:final();
6293 851fb5e9fa0c core.certmanager: Use util.sslconfig Kim Alvefur <zash@zash.se> parents: 6165 diff changeset	363
851fb5e9fa0c core.certmanager: Use util.sslconfig Kim Alvefur <zash@zash.se> parents: 6165 diff changeset	364	if mode == "server" then
10241 a36af4570b39 core.certmanager: Lower severity for tls config not having cert Kim Alvefur <zash@zash.se> parents: 10231 diff changeset	365	if not user_ssl_config.certificate then
a36af4570b39 core.certmanager: Lower severity for tls config not having cert Kim Alvefur <zash@zash.se> parents: 10231 diff changeset	366	log("info", "No certificate present in SSL/TLS configuration for %s. SNI will be required.", host);
a36af4570b39 core.certmanager: Lower severity for tls config not having cert Kim Alvefur <zash@zash.se> parents: 10231 diff changeset	367	end
a36af4570b39 core.certmanager: Lower severity for tls config not having cert Kim Alvefur <zash@zash.se> parents: 10231 diff changeset	368	if user_ssl_config.certificate and not user_ssl_config.key then return nil, "No key present in SSL/TLS configuration for "..host; end
6077 6999d4415a58 certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost Kim Alvefur <zash@zash.se> parents: 6076 diff changeset	369	end
6999d4415a58 certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost Kim Alvefur <zash@zash.se> parents: 6076 diff changeset	370
5684 5554029d759b certmanager: Overhaul of how ssl configs are built. Kim Alvefur <zash@zash.se> parents: 5679 diff changeset	371	for option in pairs(path_options) do
5822 970c666c5586 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback Kim Alvefur <zash@zash.se> parents: 5821 diff changeset	372	if type(user_ssl_config[option]) == "string" then
970c666c5586 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback Kim Alvefur <zash@zash.se> parents: 5821 diff changeset	373	user_ssl_config[option] = resolve_path(config_path, user_ssl_config[option]);
6906 5ff42d85d4d5 core.certmanager: Remove non-string filenames (allows setting eg capath to false to disable the built in default) Kim Alvefur <zash@zash.se> parents: 6782 diff changeset	374	else
5ff42d85d4d5 core.certmanager: Remove non-string filenames (allows setting eg capath to false to disable the built in default) Kim Alvefur <zash@zash.se> parents: 6782 diff changeset	375	user_ssl_config[option] = nil;
5822 970c666c5586 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback Kim Alvefur <zash@zash.se> parents: 5821 diff changeset	376	end
5816 20e2b588f8c2 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback Kim Alvefur <zash@zash.se> parents: 5815 diff changeset	377	end
3355 9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147 Matthew Wild <mwild1@gmail.com> parents: 2739 diff changeset	378
5816 20e2b588f8c2 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback Kim Alvefur <zash@zash.se> parents: 5815 diff changeset	379	-- LuaSec expects dhparam to be a callback that takes two arguments.
20e2b588f8c2 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback Kim Alvefur <zash@zash.se> parents: 5815 diff changeset	380	-- We ignore those because it is mostly used for having a separate
20e2b588f8c2 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback Kim Alvefur <zash@zash.se> parents: 5815 diff changeset	381	-- set of params for EXPORT ciphers, which we don't have by default.
5822 970c666c5586 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback Kim Alvefur <zash@zash.se> parents: 5821 diff changeset	382	if type(user_ssl_config.dhparam) == "string" then
970c666c5586 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback Kim Alvefur <zash@zash.se> parents: 5821 diff changeset	383	local f, err = io_open(user_ssl_config.dhparam);
5816 20e2b588f8c2 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback Kim Alvefur <zash@zash.se> parents: 5815 diff changeset	384	if not f then return nil, "Could not open DH parameters: "..err end
20e2b588f8c2 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback Kim Alvefur <zash@zash.se> parents: 5815 diff changeset	385	local dhparam = f:read("*a");
20e2b588f8c2 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback Kim Alvefur <zash@zash.se> parents: 5815 diff changeset	386	f:close();
5822 970c666c5586 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback Kim Alvefur <zash@zash.se> parents: 5821 diff changeset	387	user_ssl_config.dhparam = function() return dhparam; end
5816 20e2b588f8c2 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback Kim Alvefur <zash@zash.se> parents: 5815 diff changeset	388	end
20e2b588f8c2 certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback Kim Alvefur <zash@zash.se> parents: 5815 diff changeset	389
5684 5554029d759b certmanager: Overhaul of how ssl configs are built. Kim Alvefur <zash@zash.se> parents: 5679 diff changeset	390	local ctx, err = ssl_newcontext(user_ssl_config);
4359 c69cbac4178f certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option. Waqas Hussain <waqas20@gmail.com> parents: 3670 diff changeset	391
5684 5554029d759b certmanager: Overhaul of how ssl configs are built. Kim Alvefur <zash@zash.se> parents: 5679 diff changeset	392	-- COMPAT Older LuaSec ignores the cipher list from the config, so we have to take care
4359 c69cbac4178f certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option. Waqas Hussain <waqas20@gmail.com> parents: 3670 diff changeset	393	-- of it ourselves (W/A for #x)
c69cbac4178f certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option. Waqas Hussain <waqas20@gmail.com> parents: 3670 diff changeset	394	if ctx and user_ssl_config.ciphers then
c69cbac4178f certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option. Waqas Hussain <waqas20@gmail.com> parents: 3670 diff changeset	395	local success;
6568 ffc0a57889aa certmanager: Add locals for ssl.context and ssl.x509 Kim Alvefur <zash@zash.se> parents: 6567 diff changeset	396	success, err = ssl_context.setcipher(ctx, user_ssl_config.ciphers);
4359 c69cbac4178f certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option. Waqas Hussain <waqas20@gmail.com> parents: 3670 diff changeset	397	if not success then ctx = nil; end
c69cbac4178f certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option. Waqas Hussain <waqas20@gmail.com> parents: 3670 diff changeset	398	end
c69cbac4178f certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option. Waqas Hussain <waqas20@gmail.com> parents: 3670 diff changeset	399
3355 9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147 Matthew Wild <mwild1@gmail.com> parents: 2739 diff changeset	400	if not ctx then
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147 Matthew Wild <mwild1@gmail.com> parents: 2739 diff changeset	401	err = err or "invalid ssl config"
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147 Matthew Wild <mwild1@gmail.com> parents: 2739 diff changeset	402	local file = err:match("^error loading (.-) %(");
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147 Matthew Wild <mwild1@gmail.com> parents: 2739 diff changeset	403	if file then
7746 d018ffc9238c core.certmanager: Translate "no start line" to something friendlier (thanks santiago) Kim Alvefur <zash@zash.se> parents: 7666 diff changeset	404	local typ;
3355 9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147 Matthew Wild <mwild1@gmail.com> parents: 2739 diff changeset	405	if file == "private key" then
7746 d018ffc9238c core.certmanager: Translate "no start line" to something friendlier (thanks santiago) Kim Alvefur <zash@zash.se> parents: 7666 diff changeset	406	typ = file;
5684 5554029d759b certmanager: Overhaul of how ssl configs are built. Kim Alvefur <zash@zash.se> parents: 5679 diff changeset	407	file = user_ssl_config.key or "your private key";
3355 9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147 Matthew Wild <mwild1@gmail.com> parents: 2739 diff changeset	408	elseif file == "certificate" then
7746 d018ffc9238c core.certmanager: Translate "no start line" to something friendlier (thanks santiago) Kim Alvefur <zash@zash.se> parents: 7666 diff changeset	409	typ = file;
5684 5554029d759b certmanager: Overhaul of how ssl configs are built. Kim Alvefur <zash@zash.se> parents: 5679 diff changeset	410	file = user_ssl_config.certificate or "your certificate file";
3355 9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147 Matthew Wild <mwild1@gmail.com> parents: 2739 diff changeset	411	end
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147 Matthew Wild <mwild1@gmail.com> parents: 2739 diff changeset	412	local reason = err:match("%((.+)%)$") or "some reason";
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147 Matthew Wild <mwild1@gmail.com> parents: 2739 diff changeset	413	if reason == "Permission denied" then
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147 Matthew Wild <mwild1@gmail.com> parents: 2739 diff changeset	414	reason = "Check that the permissions allow Prosody to read this file.";
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147 Matthew Wild <mwild1@gmail.com> parents: 2739 diff changeset	415	elseif reason == "No such file or directory" then
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147 Matthew Wild <mwild1@gmail.com> parents: 2739 diff changeset	416	reason = "Check that the path is correct, and the file exists.";
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147 Matthew Wild <mwild1@gmail.com> parents: 2739 diff changeset	417	elseif reason == "system lib" then
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147 Matthew Wild <mwild1@gmail.com> parents: 2739 diff changeset	418	reason = "Previous error (see logs), or other system error.";
7746 d018ffc9238c core.certmanager: Translate "no start line" to something friendlier (thanks santiago) Kim Alvefur <zash@zash.se> parents: 7666 diff changeset	419	elseif reason == "no start line" then
d018ffc9238c core.certmanager: Translate "no start line" to something friendlier (thanks santiago) Kim Alvefur <zash@zash.se> parents: 7666 diff changeset	420	reason = "Check that the file contains a "..(typ or file);
3355 9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147 Matthew Wild <mwild1@gmail.com> parents: 2739 diff changeset	421	elseif reason == "(null)" or not reason then
9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147 Matthew Wild <mwild1@gmail.com> parents: 2739 diff changeset	422	reason = "Check that the file exists and the permissions are correct";
2630 e8fc67b73820 certmanager: Bring back the friendly errors when failing to load the key/certificate file Matthew Wild <mwild1@gmail.com> parents: 2564 diff changeset	423	else
3355 9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147 Matthew Wild <mwild1@gmail.com> parents: 2739 diff changeset	424	reason = "Reason: "..tostring(reason):lower();
2630 e8fc67b73820 certmanager: Bring back the friendly errors when failing to load the key/certificate file Matthew Wild <mwild1@gmail.com> parents: 2564 diff changeset	425	end
4925 55f6e0673e33 certmanager: Add quotes around cert file path when logging. Waqas Hussain <waqas20@gmail.com> parents: 4900 diff changeset	426	log("error", "SSL/TLS: Failed to load '%s': %s (for %s)", file, reason, host);
3355 9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147 Matthew Wild <mwild1@gmail.com> parents: 2739 diff changeset	427	else
4855 a31ea431d906 certmanager: Adjust error messages to be non-specific about 'host' (so we can specify a service name instead ffor SSL) Matthew Wild <mwild1@gmail.com> parents: 4656 diff changeset	428	log("error", "SSL/TLS: Error initialising for %s: %s", host, err);
3355 9bb2da325d4d certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147 Matthew Wild <mwild1@gmail.com> parents: 2739 diff changeset	429	end
3540 bc139431830b Monster whitespace commit (beware the whitespace monster). Waqas Hussain <waqas20@gmail.com> parents: 3402 diff changeset	430	end
6529 873538f0b18c certmanager, mod_tls: Return final ssl config as third return value (fix for c6caaa440e74, portmanager assumes non-falsy second return value is an error) (thanks deoren) Kim Alvefur <zash@zash.se> parents: 6523 diff changeset	431	return ctx, err, user_ssl_config;
2554 b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts Matthew Wild <mwild1@gmail.com> parents: diff changeset	432	end
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts Matthew Wild <mwild1@gmail.com> parents: diff changeset	433
6782 6236668da30a core.: Remove use of module() function Kim Alvefur <zash@zash.se>* parents: 6573 diff changeset	434	local function reload_ssl_config()
5684 5554029d759b certmanager: Overhaul of how ssl configs are built. Kim Alvefur <zash@zash.se> parents: 5679 diff changeset	435	global_ssl_config = configmanager.get("*", "ssl");
8162 3850993a9bda certmanager: Update the 'certificates' option after the config has been reloaded (fixes #929) Kim Alvefur <zash@zash.se> parents: 7746 diff changeset	436	global_certificates = configmanager.get("*", "certificates") or "certs";
8406 ba39d3a1d42e certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7 Kim Alvefur <zash@zash.se> parents: 8282 diff changeset	437	if luasec_has.options.no_compression then
6080 b7d1607df87d certmanager: Update ssl_compression when config is reloaded Kim Alvefur <zash@zash.se> parents: 6079 diff changeset	438	core_defaults.options.no_compression = configmanager.get("*", "ssl_compression") ~= true;
b7d1607df87d certmanager: Update ssl_compression when config is reloaded Kim Alvefur <zash@zash.se> parents: 6079 diff changeset	439	end
11713 5810166f35d5 core.certmanager: Support 'use_dane' setting to enable DANE support Kim Alvefur <zash@zash.se> parents: 11595 diff changeset	440	core_defaults.dane = configmanager.get("*", "use_dane") or false;
11541 a09685a7b330 core.certmanager: Resolve certs path relative to config dir Kim Alvefur <zash@zash.se> parents: 11538 diff changeset	441	cert_index = index_certs(resolve_path(config_path, global_certificates));
2554 b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts Matthew Wild <mwild1@gmail.com> parents: diff changeset	442	end
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts Matthew Wild <mwild1@gmail.com> parents: diff changeset	443
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts Matthew Wild <mwild1@gmail.com> parents: diff changeset	444	prosody.events.add_handler("config-reloaded", reload_ssl_config);
b877533d4ec9 certmanager: Hello world, I'm come to manage your SSL contexts Matthew Wild <mwild1@gmail.com> parents: diff changeset	445
6782 6236668da30a core.: Remove use of module() function Kim Alvefur <zash@zash.se>* parents: 6573 diff changeset	446	return {
6236668da30a core.: Remove use of module() function Kim Alvefur <zash@zash.se>* parents: 6573 diff changeset	447	create_context = create_context;
6236668da30a core.: Remove use of module() function Kim Alvefur <zash@zash.se>* parents: 6573 diff changeset	448	reload_ssl_config = reload_ssl_config;
8277 3798955049e3 prosodyctl: cert import: Reuse function from certmanager for locating certificates and keys Kim Alvefur <zash@zash.se> parents: 8262 diff changeset	449	find_cert = find_cert;
12108 29765ac7f72f prosodyctl cert: use the indexing functions for better UX Jonas Schäfer <jonas@wielicki.name> parents: 12103 diff changeset	450	index_certs = index_certs;
10467 fbeb7a3fc4eb core.portmanager: Fix TLS context inheritance for SNI hosts (completes SNI support) Kim Alvefur <zash@zash.se> parents: 10241 diff changeset	451	find_host_cert = find_host_cert;
12108 29765ac7f72f prosodyctl cert: use the indexing functions for better UX Jonas Schäfer <jonas@wielicki.name> parents: 12103 diff changeset	452	find_cert_in_index = find_cert_in_index;
6782 6236668da30a core.: Remove use of module() function Kim Alvefur <zash@zash.se>* parents: 6573 diff changeset	453	};

author	Kim Alvefur <zash@zash.se>
	Tue, 18 Jan 2022 08:04:16 +0100
changeset 12200	b05e0b422ff7
parent 12154	653a48b5a25b
child 12201	95d25e620dc2
permissions	-rw-r--r--