-- Prosody IM |
-- Copyright (C) 2008-2010 Matthew Wild |
-- Copyright (C) 2008-2010 Waqas Hussain |
-- |
-- This project is MIT/X11 licensed. Please see the |
-- COPYING file in the source package for more information. |
-- |
local configmanager = require "prosody.core.configmanager"; |
local log = require "prosody.util.logger".init("certmanager"); |
local new_config = require"prosody.net.server".tls_builder; |
local tls = require "prosody.net.tls_luasec"; |
local stat = require "lfs".attributes; |
local x509 = require "prosody.util.x509"; |
local lfs = require "lfs"; |
local tonumber, tostring = tonumber, tostring; |
local pairs = pairs; |
local t_remove = table.remove; |
local type = type; |
local io_open = io.open; |
local select = select; |
local now = os.time; |
local next = next; |
local pcall = pcall; |
local prosody = prosody; |
local pathutil = require"prosody.util.paths"; |
local resolve_path = pathutil.resolve_relative_path; |
local config_path = prosody.paths.config or "."; |
local _ENV = nil; |
-- luacheck: std none |
-- Global SSL options if not overridden per-host
local global_ssl_config = configmanager.get("*", "ssl");

-- Directory searched for certificates when no per-host/per-service path is
-- configured; resolved relative to the config directory by the callers
-- (find_cert, find_host_cert, find_service_cert).
local global_certificates = configmanager.get("*", "certificates") or "certs";

-- Parallel lists of candidate certificate/key locations that find_cert tries
-- in order, appended to the resolved certificates path; "%s" is replaced by
-- the host or service name. The "" entries mean the configured path is used
-- as-is (a single file), and the final "/%s.pem" pair names one file that is
-- expected to hold both the certificate and the key.
local crt_try = { "", "/%s.crt", "/%s/fullchain.pem", "/%s.pem", };
local key_try = { "", "/%s.key", "/%s/privkey.pem", "/%s.pem", };
-- Locate a certificate and private key for `name` on disk.
--
-- `user_certs` is a configured path (file or directory) or nil, in which
-- case the global certificates directory is used. Each pattern pair from
-- crt_try/key_try is tried in order; the first pair where both files exist
-- wins. `name` is spliced into a filesystem path, so it is expected to be a
-- host or service name from configuration (that is what the callers in this
-- file pass), not untrusted input.
--
-- @tparam string|nil user_certs configured certificate path, or nil
-- @tparam string name host or service name substituted into the patterns
-- @treturn table|nil { certificate = path, key = path }, or nil if nothing found
local function find_cert(user_certs, name)
	local base = resolve_path(config_path, user_certs or global_certificates);
	log("debug", "Searching %s for a key and certificate for %s...", base, name);

	-- When the certificate and key candidates are the same file (the "" and
	-- "/%s.pem" pairs), derive a separate key file name from the certificate
	-- file name where a convention exists; otherwise keep the single file.
	local function key_from_cert(path)
		if path:sub(-4) == ".crt" then
			return path:sub(1, -4) .. "key";
		elseif path:sub(-14) == "/fullchain.pem" then
			return path:sub(1, -14) .. "privkey.pem";
		end
		return path;
	end

	for idx = 1, #crt_try do
		local cert_file = base .. crt_try[idx]:format(name);
		local key_file = base .. key_try[idx]:format(name);
		if stat(cert_file, "mode") == "file" then
			if cert_file == key_file then
				key_file = key_from_cert(key_file);
			end
			if stat(key_file, "mode") == "file" then
				log("debug", "Selecting certificate %s with key %s for %s", cert_file, key_file, name);
				return { certificate = cert_file, key = key_file };
			end
		end
	end
	log("debug", "No certificate/key found for %s", name);
end
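-- Guess the private key file that goes with a certificate file, by naming
-- convention only: "<name>.crt" -> "<name>.key" and "fullchain" -> "privkey"
-- (the Let's Encrypt layout). Other names are returned unchanged.
--
-- The substitution is confined to the final path component, so a directory
-- whose name happens to contain "fullchain" is left alone; substituting over
-- the whole path would have rewritten the directory too and produced a key
-- path that does not exist. Both "/" and "\" count as separators, since
-- util.paths is OS-aware.
--
-- This does not verify that the file exists or that it matches the
-- certificate; index_certs checks existence before indexing a certificate.
-- @tparam string cert_path
-- @treturn string guessed key path
local function find_matching_key(cert_path)
	-- dir keeps its trailing separator (or is "" for a bare filename)
	local dir, base = cert_path:match("^(.-)([^/\\]*)$");
	-- Each gsub also returns a replacement count; the method chain and the
	-- single-target assignment discard it.
	base = base:gsub("%.crt$", ".key"):gsub("fullchain", "privkey");
	return dir .. base;
end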
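-- Add the PEM certificate file `full` to `files_by_name` if it is usable:
-- it must start with a certificate header, parse, be valid now, and have a
-- key file next to it (as guessed by find_matching_key). Unusable files are
-- silently skipped. Always closes the file it opened.
local function index_cert_file(full, files_by_name)
	local f = io_open(full);
	if not f then return; end
	-- TODO look for chained certificates
	local firstline = f:read();
	-- Cheap pre-checks before parsing the whole file
	if firstline == "-----BEGIN CERTIFICATE-----" and lfs.attributes(find_matching_key(full), "mode") == "file" then
		f:seek("set");
		local cert = tls.load_certificate(f:read("*a"));
		-- A file that passed the header check can still fail to parse
		-- (truncated, stray bytes); if load_certificate reports that by
		-- returning nil (NOTE(review): confirm against net.tls_luasec), the
		-- guard keeps one bad file from aborting the index of every other.
		-- TODO if more than one cert is found for a name, the most recently
		-- issued one should be used. For now, just filter out expired certs.
		if cert and cert:validat(now()) then
			local names = x509.get_identities(cert);
			log("debug", "Found certificate %s with identities %q", full, names);
			for name, services in pairs(names) do
				-- TODO check services
				local entry = files_by_name[name];
				if entry then
					entry[full] = services;
				else
					files_by_name[name] = { [full] = services; };
				end
			end
		end
	end
	f:close();
end

-- Recursively scan `dir` for certificate files and build a lookup table
-- mapping each identity (hostname) found in a certificate to the files that
-- provide it:
--     files_by_name[hostname][filename] = services
-- where `services` is whatever x509.get_identities reports for that name.
--
-- Only files named *.crt or containing "fullchain" are examined (see
-- index_cert_file for the acceptance checks). Hidden directories, including
-- "." and "..", are skipped and recursion stops after `depth_limit` levels
-- (default 3), which also bounds the damage from symlink loops.
--
-- @tparam string dir directory to scan
-- @tparam[opt] table files_by_name existing index to add to
-- @tparam[opt] number depth_limit remaining recursion depth
-- @treturn table the index; if the directory cannot be listed, an empty
--   table followed by the error message
local function index_certs(dir, files_by_name, depth_limit)
	files_by_name = files_by_name or {};
	depth_limit = depth_limit or 3;
	if depth_limit <= 0 then return files_by_name; end

	local ok, iter, v, i = pcall(lfs.dir, dir);
	if not ok then
		log("error", "Error indexing certificate directory %s: %s", dir, iter);
		-- Return an empty index, otherwise this just triggers a nil indexing
		-- error, plus this function would get called again.
		-- Reloading the config after correcting the problem calls this again so
		-- that's what should be done.
		return {}, iter;
	end
	for file in iter, v, i do
		local full = pathutil.join(dir, file);
		if lfs.attributes(full, "mode") == "directory" then
			if file:sub(1,1) ~= "." then
				index_certs(full, files_by_name, depth_limit-1);
			end
		elseif file:find("%.crt$") or file:find("fullchain") then -- This should catch most fullchain files
			index_cert_file(full, files_by_name);
		end
	end
	log("debug", "Certificate index: %q", files_by_name);
	-- | hostname | filename | service |
	return files_by_name;
end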
local cert_index; |
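-- Look up a certificate for `host` in an index built by index_certs.
--
-- `index` maps hostname -> { [cert_filename] = services }, where `services`
-- is the table x509.get_identities produced for that name. Only entries whose
-- services include "*" (the name is not restricted to a particular service)
-- are accepted here.
--
-- The exact hostname is tried first, then its wildcard form ("*.example.com"
-- for "foo.example.com"). Every certificate listed for a name is considered,
-- rather than only whichever entry next() happens to return first, so a
-- usable certificate is not missed because of hash-order luck; and if the
-- exact name has entries but none with "*", the wildcard name is still tried.
--
-- @tparam table|nil index certificate index
-- @tparam string|nil host hostname to look up
-- @treturn table|nil { certificate = path, key = path }, or nil
local function find_cert_in_index(index, host)
	if not host then return nil; end
	if not index then return nil; end
	-- gsub also returns a count; the parentheses keep only the string
	local wildcard_host = (host:gsub("^[^.]+%.", "*."));
	local candidates = { host, wildcard_host };
	for n = 1, #candidates do
		local certs = index[candidates[n]];
		if certs then
			for cert_filename, services in pairs(certs) do
				if services["*"] then
					log("debug", "Using cert %q from index for host %q", cert_filename, host);
					return {
						certificate = cert_filename,
						key = find_matching_key(cert_filename),
					};
				end
			end
		end
	end
	return nil;
end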
-- Find a certificate for a virtual host.
--
-- Order of preference: the on-disk certificate index, then the host's
-- configured "certificate" option, then (recursively) the same lookup for
-- the parent domain, so "a.example.com" can fall back to whatever serves
-- "example.com". The recursion ends once no dot is left in the name.
--
-- @tparam string|nil host
-- @treturn table|nil { certificate = path, key = path }, or nil
local function find_host_cert(host)
	if not host then return nil; end
	-- The index is built once, on first use, and reused afterwards.
	if not cert_index then
		cert_index = index_certs(resolve_path(config_path, global_certificates));
	end

	local found = find_cert_in_index(cert_index, host);
	if found then return found; end

	found = find_cert(configmanager.get(host, "certificate"), host);
	if found then return found; end

	-- Strip the leftmost label; nil (no dot) terminates the recursion.
	local parent_domain = host:match("%.(.+)$");
	return find_host_cert(parent_domain);
end
-- Find a certificate for a non-XMPP service (e.g. "https") on `port`.
--
-- Any indexed certificate whose identities list this service, or "*", is
-- used first; the index is built on first use. Failing that, the global
-- "<service>_certificate" option is consulted, which may be a plain path or
-- a table keyed by port with a "default" fallback, and handed to find_cert.
--
-- @tparam string service service name
-- @tparam number port listening port (used for the per-port config lookup)
-- @treturn table|nil { certificate = path, key = path }, or nil
local function find_service_cert(service, port)
	if not cert_index then
		cert_index = index_certs(resolve_path(config_path, global_certificates));
	end

	for _, by_file in pairs(cert_index) do
		for cert_filename, services in pairs(by_file) do
			local usable = services[service] or services["*"];
			if usable then
				log("debug", "Using cert %q from index for service %s port %d", cert_filename, service, port);
				return {
					certificate = cert_filename,
					key = find_matching_key(cert_filename),
				};
			end
		end
	end

	local configured = configmanager.get("*", service.."_certificate");
	if type(configured) == "table" then
		configured = configured[port] or configured.default;
	end
	return find_cert(configured, service);
end
-- Built-in defaults |
local core_defaults = { |
capath = "/etc/ssl/certs"; |
depth = 9; |
protocol = "tlsv1+"; |
verify = "none"; |
options = { |
cipher_server_preference = tls.features.options.cipher_server_preference; |
749376d75b40
net.certmanager: Move LuaSec feature detection to net.tls_luasec
Kim Alvefur <zash@zash.se>
parents:
12976
diff
changeset
|
186 |
no_ticket = tls.features.options.no_ticket; |
749376d75b40
net.certmanager: Move LuaSec feature detection to net.tls_luasec
Kim Alvefur <zash@zash.se>
parents:
12976
diff
changeset
|
187 |
no_compression = tls.features.options.no_compression and configmanager.get("*", "ssl_compression") ~= true; |
749376d75b40
net.certmanager: Move LuaSec feature detection to net.tls_luasec
Kim Alvefur <zash@zash.se>
parents:
12976
diff
changeset
|
188 |
single_dh_use = tls.features.options.single_dh_use; |
749376d75b40
net.certmanager: Move LuaSec feature detection to net.tls_luasec
Kim Alvefur <zash@zash.se>
parents:
12976
diff
changeset
|
189 |
single_ecdh_use = tls.features.options.single_ecdh_use; |
749376d75b40
net.certmanager: Move LuaSec feature detection to net.tls_luasec
Kim Alvefur <zash@zash.se>
parents:
12976
diff
changeset
|
190 |
no_renegotiation = tls.features.options.no_renegotiation; |
6079
5cffee5b2826
certmanager: Reformat core ssl defaults
Kim Alvefur <zash@zash.se>
parents:
6078
diff
changeset
|
191 |
}; |
11372
0bc3acf37428
core.certmanager: Add comments explaining the 'verifyext' TLS settings
Kim Alvefur <zash@zash.se>
parents:
10923
diff
changeset
|
192 |
verifyext = { |
0bc3acf37428
core.certmanager: Add comments explaining the 'verifyext' TLS settings
Kim Alvefur <zash@zash.se>
parents:
10923
diff
changeset
|
193 |
"lsec_continue", -- Continue past certificate verification errors |
0bc3acf37428
core.certmanager: Add comments explaining the 'verifyext' TLS settings
Kim Alvefur <zash@zash.se>
parents:
10923
diff
changeset
|
194 |
"lsec_ignore_purpose", -- Validate client certificates as if they were server certificates |
0bc3acf37428
core.certmanager: Add comments explaining the 'verifyext' TLS settings
Kim Alvefur <zash@zash.se>
parents:
10923
diff
changeset
|
195 |
}; |
13119
749376d75b40
net.certmanager: Move LuaSec feature detection to net.tls_luasec
Kim Alvefur <zash@zash.se>
parents:
12976
diff
changeset
|
196 |
curve = tls.features.algorithms.ec and not tls.features.capabilities.curves_list and "secp384r1"; |
8282
92cddfe65003
core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents:
8277
diff
changeset
|
197 |
curveslist = { |
92cddfe65003
core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents:
8277
diff
changeset
|
198 |
"X25519", |
92cddfe65003
core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents:
8277
diff
changeset
|
199 |
"P-384", |
92cddfe65003
core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents:
8277
diff
changeset
|
200 |
"P-256", |
92cddfe65003
core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents:
8277
diff
changeset
|
201 |
"P-521", |
92cddfe65003
core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents:
8277
diff
changeset
|
202 |
}; |
7666
54424e981796
core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents:
7534
diff
changeset
|
203 |
ciphers = { -- Enabled ciphers in order of preference: |
10725
3a1b1d3084fb
core.certmanager: Move EECDH ciphers before EDH in default cipherstring (fixes #1513)
Kim Alvefur <zash@zash.se>
parents:
10713
diff
changeset
|
204 |
"HIGH+kEECDH", -- Ephemeral Elliptic curve Diffie-Hellman key exchange |
7666
54424e981796
core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents:
7534
diff
changeset
|
205 |
"HIGH+kEDH", -- Ephemeral Diffie-Hellman key exchange, if a 'dhparam' file is set |
54424e981796
core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents:
7534
diff
changeset
|
206 |
"HIGH", -- Other "High strength" ciphers |
54424e981796
core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents:
7534
diff
changeset
|
207 |
-- Disabled cipher suites: |
54424e981796
core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents:
7534
diff
changeset
|
208 |
"!PSK", -- Pre-Shared Key - not used for XMPP |
54424e981796
core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents:
7534
diff
changeset
|
209 |
"!SRP", -- Secure Remote Password - not used for XMPP |
54424e981796
core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents:
7534
diff
changeset
|
210 |
"!3DES", -- 3DES - slow and of questionable security |
54424e981796
core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents:
7534
diff
changeset
|
211 |
"!aNULL", -- Ciphers that does not authenticate the connection |
54424e981796
core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents:
7534
diff
changeset
|
212 |
}; |
13119
749376d75b40
net.certmanager: Move LuaSec feature detection to net.tls_luasec
Kim Alvefur <zash@zash.se>
parents:
12976
diff
changeset
|
213 |
dane = tls.features.capabilities.dane and configmanager.get("*", "use_dane") and { "no_ee_namechecks" }; |
5684
5554029d759b
certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents:
5679
diff
changeset
|
214 |
} |
local mozilla_ssl_configs = {
	-- https://wiki.mozilla.org/Security/Server_Side_TLS
	-- Version 5.7 as of 2023-07-09
	-- Presets selected through the 'tls_profile' config option. create_context()
	-- applies the chosen preset on top of core_defaults and falls back to
	-- 'intermediate' when the option is unset.
	-- Note: 'dhparam = nil' inside a table constructor adds no key at all; the
	-- trailing comment merely records the DH parameters Mozilla recommends.
	-- NOTE(review): unlike core_defaults.curveslist, the curve lists below are
	-- not filtered against tls.features.curves; confirm the context builder
	-- tolerates curve names this LuaSec build does not support.
	modern = {
		-- TLS 1.3 only; key exchange and suites come from 'curveslist' and 'ciphersuites'.
		protocol = "tlsv1_3";
		options = { cipher_server_preference = false };
		ciphers = "DEFAULT"; -- TLS 1.3 uses 'ciphersuites' rather than these
		curveslist = { "X25519"; "prime256v1"; "secp384r1" };
		ciphersuites = { "TLS_AES_128_GCM_SHA256"; "TLS_AES_256_GCM_SHA384"; "TLS_CHACHA20_POLY1305_SHA256" };
	};
	intermediate = {
		-- Default profile: TLS 1.2 and 1.3 with forward-secret AEAD suites only.
		protocol = "tlsv1_2+";
		dhparam = nil; -- ffdhe2048.txt
		options = { cipher_server_preference = false };
		ciphers = {
			"ECDHE-ECDSA-AES128-GCM-SHA256";
			"ECDHE-RSA-AES128-GCM-SHA256";
			"ECDHE-ECDSA-AES256-GCM-SHA384";
			"ECDHE-RSA-AES256-GCM-SHA384";
			"ECDHE-ECDSA-CHACHA20-POLY1305";
			"ECDHE-RSA-CHACHA20-POLY1305";
			"DHE-RSA-AES128-GCM-SHA256";
			"DHE-RSA-AES256-GCM-SHA384";
			"DHE-RSA-CHACHA20-POLY1305";
		};
		curveslist = { "X25519"; "prime256v1"; "secp384r1" };
		ciphersuites = { "TLS_AES_128_GCM_SHA256"; "TLS_AES_256_GCM_SHA384"; "TLS_CHACHA20_POLY1305_SHA256" };
	};
	old = {
		-- Compatibility profile: re-enables TLS 1.0/1.1, non-forward-secret and
		-- CBC-mode suites, and 3DES (DES-CBC3-SHA); the server picks the cipher.
		protocol = "tlsv1+";
		dhparam = nil; -- openssl dhparam 1024
		options = { cipher_server_preference = true };
		ciphers = {
			"ECDHE-ECDSA-AES128-GCM-SHA256";
			"ECDHE-RSA-AES128-GCM-SHA256";
			"ECDHE-ECDSA-AES256-GCM-SHA384";
			"ECDHE-RSA-AES256-GCM-SHA384";
			"ECDHE-ECDSA-CHACHA20-POLY1305";
			"ECDHE-RSA-CHACHA20-POLY1305";
			"DHE-RSA-AES128-GCM-SHA256";
			"DHE-RSA-AES256-GCM-SHA384";
			"DHE-RSA-CHACHA20-POLY1305";
			"ECDHE-ECDSA-AES128-SHA256";
			"ECDHE-RSA-AES128-SHA256";
			"ECDHE-ECDSA-AES128-SHA";
			"ECDHE-RSA-AES128-SHA";
			"ECDHE-ECDSA-AES256-SHA384";
			"ECDHE-RSA-AES256-SHA384";
			"ECDHE-ECDSA-AES256-SHA";
			"ECDHE-RSA-AES256-SHA";
			"DHE-RSA-AES128-SHA256";
			"DHE-RSA-AES256-SHA256";
			"AES128-GCM-SHA256";
			"AES256-GCM-SHA384";
			"AES128-SHA256";
			"AES256-SHA256";
			"AES128-SHA";
			"AES256-SHA";
			"DES-CBC3-SHA";
		};
		curveslist = { "X25519"; "prime256v1"; "secp384r1" };
		ciphersuites = { "TLS_AES_128_GCM_SHA256"; "TLS_AES_256_GCM_SHA384"; "TLS_CHACHA20_POLY1305_SHA256" };
	};
};
-- Reconcile the built-in curve list with what this LuaSec build can actually
-- negotiate: drop names it does not know, or discard the whole list when the
-- build exposes no curve table at all. The list is walked backwards so that
-- removals do not shift entries that are still to be visited.
-- NOTE(review): the curve lists inside the Mozilla presets are not filtered
-- here; confirm the context builder tolerates unsupported curve names.
do
	local supported_curves = tls.features.curves;
	local curve_list = core_defaults.curveslist;
	if not supported_curves then
		core_defaults.curveslist = nil;
	else
		local i = #curve_list;
		while i >= 1 do
			if not supported_curves[curve_list[i]] then
				t_remove(curve_list, i);
			end
			i = i - 1;
		end
	end
end
local function create_context(host, mode, ...) |
local cfg = new_config(); |
cfg:apply(core_defaults); |
local service_name, port = host:match("^(%S+) port (%d+)$"); |
-- port 0 is used with client-only things that normally don't need certificates, e.g. https |
if service_name and port ~= "0" then |
log("debug", "Automatically locating certs for service %s on port %s", service_name, port); |
cfg:apply(find_service_cert(service_name, tonumber(port))); |
else |
log("debug", "Automatically locating certs for host %s", host); |
cfg:apply(find_host_cert(host)); |
end |
cfg:apply({ |
mode = mode, |
-- We can't read the password interactively when daemonized |
password = function() log("error", "Encrypted certificate for %s requires 'ssl' 'password' to be set in config", host); end; |
}); |
local profile = configmanager.get("*", "tls_profile") or "intermediate"; |
if mozilla_ssl_configs[profile] then |
cfg:apply(mozilla_ssl_configs[profile]); |
elseif profile ~= "legacy" then |
log("error", "Invalid value for 'tls_profile': expected one of \"modern\", \"intermediate\" (default), \"old\" or \"legacy\" but got %q", profile); |
return nil, "Invalid configuration, 'tls_profile' had an unknown value."; |
end |
cfg:apply(global_ssl_config); |
for i = select('#', ...), 1, -1 do |
cfg:apply(select(i, ...)); |
end |
local user_ssl_config = cfg:final(); |
if mode == "server" then |
if not user_ssl_config.certificate then |
log("debug", "No certificate present in SSL/TLS configuration for %s. SNI will be required.", host); |
end |
if user_ssl_config.certificate and not user_ssl_config.key then return nil, "No key present in SSL/TLS configuration for "..host; end |
end |
local ctx, err = cfg:build(); |
if not ctx then |
err = err or "invalid ssl config" |
local file = err:match("^error loading (.-) %("); |
if file then |
local typ; |
if file == "private key" then |
typ = file; |
file = user_ssl_config.key or "your private key"; |
elseif file == "certificate" then |
typ = file; |
file = user_ssl_config.certificate or "your certificate file"; |
end |
local reason = err:match("%((.+)%)$") or "some reason"; |
if reason == "Permission denied" then |
reason = "Check that the permissions allow Prosody to read this file."; |
elseif reason == "No such file or directory" then |
reason = "Check that the path is correct, and the file exists."; |
elseif reason == "system lib" then |
reason = "Previous error (see logs), or other system error."; |
elseif reason == "no start line" then |
reason = "Check that the file contains a "..(typ or file); |
elseif reason == "(null)" or not reason then |
reason = "Check that the file exists and the permissions are correct"; |
else |
reason = "Reason: "..tostring(reason):lower(); |
end |
log("error", "SSL/TLS: Failed to load '%s': %s (for %s)", file, reason, host); |
else |
log("error", "SSL/TLS: Error initialising for %s: %s", host, err); |
end |
end |
return ctx, err, user_ssl_config; |
end |
--- Re-read the global TLS settings after the configuration has been reloaded.
-- Refreshes the module-level state that later context creation reads:
-- `global_ssl_config`, `global_certificates`, the compression and DANE entries
-- of `core_defaults`, and `cert_index`. Registered as the "config-reloaded"
-- event handler; takes no arguments and returns nothing.
local function reload_ssl_config()
	-- All settings consulted here are read from the global ("*") section.
	local function get(key)
		return configmanager.get("*", key);
	end

	global_ssl_config = get("ssl");
	-- The certificate directory defaults to "certs" when not configured.
	global_certificates = get("certificates") or "certs";

	-- TLS compression stays disabled unless the admin explicitly sets
	-- ssl_compression = true (anything else, including nil, keeps it off).
	-- Only touched when the TLS backend reports the no_compression option.
	if tls.features.options.no_compression then
		local compression_wanted = get("ssl_compression") == true;
		core_defaults.options.no_compression = not compression_wanted;
	end

	-- DANE: disabled unless use_dane is set; when the backend reports DANE
	-- support, enable it with the no_ee_namechecks flag, otherwise fall back
	-- to a plain `true` (mirrors the handling done at initialisation).
	local dane_setting;
	if not get("use_dane") then
		dane_setting = false;
	elseif tls.features.capabilities.dane then
		dane_setting = { "no_ee_namechecks" };
	else
		dane_setting = true;
	end
	core_defaults.dane = dane_setting;

	-- The certificate directory is resolved relative to the config file's
	-- location before being indexed.
	cert_index = index_certs(resolve_path(config_path, global_certificates));
end
-- Keep the TLS settings in sync with the live configuration: re-run
-- reload_ssl_config() whenever the config file is reloaded.
local prosody_events = prosody.events;
prosody_events.add_handler("config-reloaded", reload_ssl_config);
--- Module exports.
-- `create_context` builds a TLS context and `reload_ssl_config` re-reads the
-- global TLS settings; the certificate lookup helpers are also exposed so that
-- other components (prosodyctl, portmanager) can reuse them.
local exports = {};

-- TLS context construction and configuration reload.
exports.create_context = create_context;
exports.reload_ssl_config = reload_ssl_config;

-- Certificate/key discovery helpers.
exports.find_cert = find_cert;
exports.index_certs = index_certs;
exports.find_host_cert = find_host_cert;
exports.find_cert_in_index = find_cert_in_index;

return exports;