core/certmanager.lua
author Kim Alvefur <zash@zash.se>
Tue, 14 May 2024 17:07:47 +0200
changeset 13494 6f840763fc73
parent 13307 05c0ac580552
permissions -rw-r--r--
net.server_epoll: Add support for systemd socket activation Allows creating listening sockets and accepting client connections before Prosody starts. This is unlike normal Prosody dynamic resource management, where ports may be added and removed at any time, and the ports are defined by the config. Weird things happen if these are closed (e.g. due to reload) so here we prevent closing and ensure sockets are reused when opened again.
-- Prosody IM
-- Copyright (C) 2008-2010 Matthew Wild
-- Copyright (C) 2008-2010 Waqas Hussain
--
-- This project is MIT/X11 licensed. Please see the
-- COPYING file in the source package for more information.
--
local configmanager = require "prosody.core.configmanager";
local log = require "prosody.util.logger".init("certmanager");
local new_config = require"prosody.net.server".tls_builder;
local tls = require "prosody.net.tls_luasec";
local stat = require "lfs".attributes;

local x509 = require "prosody.util.x509";
local lfs = require "lfs";

-- Standard functions are cached as locals here because the module
-- environment is cleared (_ENV = nil) below; only names bound before that
-- point remain reachable from the code that follows.
local tonumber, tostring = tonumber, tostring;
local pairs = pairs;
local t_remove = table.remove;
local type = type;
local io_open = io.open;
local select = select;
local now = os.time;
local next = next;
local pcall = pcall;

local prosody = prosody;
local pathutil = require"prosody.util.paths";
local resolve_path = pathutil.resolve_relative_path;
-- Relative certificate paths are resolved against the config directory,
-- falling back to "." when no config path is known (e.g. not installed).
local config_path = prosody.paths.config or ".";

-- Drop the global environment so that any undeclared name is a load-time
-- error rather than a silent global access.
local _ENV = nil;
-- luacheck: std none
-- Global SSL options if not overridden per-host
local global_ssl_config = configmanager.get("*", "ssl");

-- Directory searched for certificates when no explicit path is configured;
-- resolved relative to config_path where it is used.
local global_certificates = configmanager.get("*", "certificates") or "certs";

-- Parallel lists of path suffixes tried in order by find_cert(); "%s" is
-- replaced by the host/service name. The empty first entry means the
-- configured path is used as-is (i.e. it already names a file).
local crt_try = { "", "/%s.crt", "/%s/fullchain.pem", "/%s.pem", };
local key_try = { "", "/%s.key", "/%s/privkey.pem",   "/%s.pem", };
-- Find a certificate and key for 'name' (a hostname or service name).
-- 'user_certs' is the configured 'certificate' path for it, or nil to search
-- the global certificate directory. Each crt_try/key_try pattern pair is
-- tried in order relative to the resolved base path; when both patterns
-- name the same file, the key path is derived from the certificate filename
-- (foo.crt -> foo.key, <dir>/fullchain.pem -> <dir>/privkey.pem).
-- Returns { certificate = path, key = path }, or nothing if none was found.
local function find_cert(user_certs, name)
	local base = resolve_path(config_path, user_certs or global_certificates);
	log("debug", "Searching %s for a key and certificate for %s...", base, name);
	local selected;
	for idx = 1, #crt_try do
		local crt_path = base .. crt_try[idx]:format(name);
		local key_path = base .. key_try[idx]:format(name);
		if stat(crt_path, "mode") == "file" then
			if crt_path == key_path then
				-- A single filename was given: derive the key filename from it
				if key_path:sub(-4) == ".crt" then
					key_path = key_path:sub(1, -4) .. "key";
				elseif key_path:sub(-14) == "/fullchain.pem" then
					key_path = key_path:sub(1, -14) .. "privkey.pem";
				end
			end
			if stat(key_path, "mode") == "file" then
				log("debug", "Selecting certificate %s with key %s for %s", crt_path, key_path, name);
				selected = { certificate = crt_path, key = key_path };
				break;
			end
		end
	end
	if selected then
		return selected;
	end
	log("debug", "No certificate/key found for %s", name);
end
-- Guess the private key filename belonging to 'cert_path':
-- a trailing ".crt" becomes ".key", and every occurrence of "fullchain"
-- (including in directory components) becomes "privkey".
-- Any other path is returned unchanged. Returns exactly one value.
local function find_matching_key(cert_path)
	local key_path = cert_path:gsub("%.crt$", ".key");
	key_path = key_path:gsub("fullchain", "privkey");
	return key_path;
end
-- Build an index of usable certificates found under 'dir'.
--
-- Walks 'dir' recursively (dot-directories are skipped, at most
-- 'depth_limit' levels deep, default 3), considers files ending in ".crt"
-- or containing "fullchain", and keeps those whose first line is a PEM
-- certificate header, whose key file (see find_matching_key) exists, and
-- that validat() reports as valid at the current time. Each kept
-- certificate is recorded under every identity it carries:
-- files_by_name[name][path] = services.
--
-- Returns files_by_name. If the directory cannot be listed, the error is
-- logged and an empty table plus the error message is returned.
local function index_certs(dir, files_by_name, depth_limit)
	files_by_name = files_by_name or {};
	depth_limit = depth_limit or 3;
	if depth_limit <= 0 then return files_by_name; end

	-- lfs.dir raises on an unreadable or missing directory; in that case
	-- 'iter' holds the error message rather than the iterator.
	local ok, iter, v, i = pcall(lfs.dir, dir);
	if not ok then
		log("error", "Error indexing certificate directory %s: %s", dir, iter);
		-- Return an empty index, otherwise this just triggers a nil indexing
		-- error, plus this function would get called again.
		-- Reloading the config after correcting the problem calls this again so
		-- that's what should be done.
		return {}, iter;
	end
	for file in iter, v, i do
		local full = pathutil.join(dir, file);
		if lfs.attributes(full, "mode") == "directory" then
			if file:sub(1,1) ~= "." then
				index_certs(full, files_by_name, depth_limit-1);
			end
		elseif file:find("%.crt$") or file:find("fullchain") then -- This should catch most fullchain files
			local f = io_open(full);
			if f then
				-- TODO look for chained certificates
				-- Cheap first-line check before parsing the whole file
				local firstline = f:read();
				if firstline == "-----BEGIN CERTIFICATE-----" and lfs.attributes(find_matching_key(full), "mode") == "file" then
					f:seek("set")
					-- NOTE(review): if load_certificate returns nil for a file that
					-- passed the header check, the validat() call below raises and
					-- the whole scan aborts with 'f' still open -- confirm its
					-- failure mode.
					local cert = tls.load_certificate(f:read("*a"))
					-- TODO if more than one cert is found for a name, the most recently
					-- issued one should be used.
					-- for now, just filter out expired certs
					-- TODO also check if there's a corresponding key
					if cert:validat(now()) then
						local names = x509.get_identities(cert);
						log("debug", "Found certificate %s with identities %q", full, names);
						for name, services in pairs(names) do
							-- TODO check services
							if files_by_name[name] then
								files_by_name[name][full] = services;
							else
								files_by_name[name] = { [full] = services; };
							end
						end
					end
				end
				f:close();
			end
		end
	end
	log("debug", "Certificate index: %q", files_by_name);
	-- | hostname | filename | service |
	return files_by_name;
end
-- Lazily built certificate index (see index_certs); nil until the first
-- call to find_host_cert or find_service_cert populates it.
local cert_index;
-- Look up a certificate for 'host' in a prepared index (see index_certs).
-- The exact hostname is tried first, then a wildcard form with the leftmost
-- label replaced by "*". Of the matching files, the one next() yields first
-- is taken, and only if it is usable for any service (services["*"]); the
-- key path is derived from the certificate path.
-- Returns { certificate = path, key = path } or nil.
local function find_cert_in_index(index, host)
	if not (host and index) then return nil; end
	local wildcard = host:gsub("^[^.]+%.", "*.");
	local entries = index[host];
	if not entries then
		entries = index[wildcard];
	end
	if not entries then return nil; end
	local filename, services = next(entries);
	if not services["*"] then return nil; end
	log("debug", "Using cert %q from index for host %q", filename, host);
	return {
		certificate = filename,
		key = find_matching_key(filename),
	};
end
-- Find a certificate for an XMPP host. The lazily built index is consulted
-- first, then the host's configured 'certificate' option, and finally the
-- parent domain (leftmost label dropped) is tried recursively until no
-- label remains. Returns { certificate = path, key = path } or nil.
local function find_host_cert(host)
	if not host then return nil; end
	if not cert_index then
		cert_index = index_certs(resolve_path(config_path, global_certificates));
	end
	local found = find_cert_in_index(cert_index, host);
	if not found then
		found = find_cert(configmanager.get(host, "certificate"), host);
	end
	if not found then
		-- Fall back to the parent domain; match() yields nil when no dot is left
		found = find_host_cert(host:match("%.(.+)$"));
	end
	return found;
end
-- Find a certificate for a non-XMPP service (e.g. "https") on 'port'.
-- The lazily built index is scanned for any file usable for this service
-- or for all services ("*"); the first match in pairs() order wins, so with
-- several candidates the choice is not deterministic. Failing that, the
-- '<service>_certificate' option is used; it may be a single path or a
-- table keyed by port with a 'default' entry.
-- Returns { certificate = path, key = path }, or nothing if none was found.
local function find_service_cert(service, port)
	if not cert_index then
		cert_index = index_certs(resolve_path(config_path, global_certificates));
	end
	for _, by_filename in pairs(cert_index) do
		for filename, services in pairs(by_filename) do
			local usable = services[service];
			if not usable then
				usable = services["*"];
			end
			if usable then
				log("debug", "Using cert %q from index for service %s port %d", filename, service, port);
				return {
					certificate = filename,
					key = find_matching_key(filename),
				};
			end
		end
	end
	local configured = configmanager.get("*", service.."_certificate");
	if type(configured) == "table" then
		local per_port = configured[port];
		configured = per_port or configured.default;
	end
	return find_cert(configured, service);
end
-- Built-in defaults
local core_defaults = {
	capath = "/etc/ssl/certs";
	depth = 9;
	protocol = "tlsv1+";
	verify = "none";
6079
5cffee5b2826 certmanager: Reformat core ssl defaults
Kim Alvefur <zash@zash.se>
parents: 6078
diff changeset
   184
	options = {
13119
749376d75b40 net.certmanager: Move LuaSec feature detection to net.tls_luasec
Kim Alvefur <zash@zash.se>
parents: 12976
diff changeset
   185
		cipher_server_preference = tls.features.options.cipher_server_preference;
749376d75b40 net.certmanager: Move LuaSec feature detection to net.tls_luasec
Kim Alvefur <zash@zash.se>
parents: 12976
diff changeset
   186
		no_ticket = tls.features.options.no_ticket;
749376d75b40 net.certmanager: Move LuaSec feature detection to net.tls_luasec
Kim Alvefur <zash@zash.se>
parents: 12976
diff changeset
   187
		no_compression = tls.features.options.no_compression and configmanager.get("*", "ssl_compression") ~= true;
749376d75b40 net.certmanager: Move LuaSec feature detection to net.tls_luasec
Kim Alvefur <zash@zash.se>
parents: 12976
diff changeset
   188
		single_dh_use = tls.features.options.single_dh_use;
749376d75b40 net.certmanager: Move LuaSec feature detection to net.tls_luasec
Kim Alvefur <zash@zash.se>
parents: 12976
diff changeset
   189
		single_ecdh_use = tls.features.options.single_ecdh_use;
749376d75b40 net.certmanager: Move LuaSec feature detection to net.tls_luasec
Kim Alvefur <zash@zash.se>
parents: 12976
diff changeset
   190
		no_renegotiation = tls.features.options.no_renegotiation;
6079
5cffee5b2826 certmanager: Reformat core ssl defaults
Kim Alvefur <zash@zash.se>
parents: 6078
diff changeset
   191
	};
11372
0bc3acf37428 core.certmanager: Add comments explaining the 'verifyext' TLS settings
Kim Alvefur <zash@zash.se>
parents: 10923
diff changeset
   192
	verifyext = {
0bc3acf37428 core.certmanager: Add comments explaining the 'verifyext' TLS settings
Kim Alvefur <zash@zash.se>
parents: 10923
diff changeset
   193
		"lsec_continue", -- Continue past certificate verification errors
0bc3acf37428 core.certmanager: Add comments explaining the 'verifyext' TLS settings
Kim Alvefur <zash@zash.se>
parents: 10923
diff changeset
   194
		"lsec_ignore_purpose", -- Validate client certificates as if they were server certificates
0bc3acf37428 core.certmanager: Add comments explaining the 'verifyext' TLS settings
Kim Alvefur <zash@zash.se>
parents: 10923
diff changeset
   195
	};
13119
749376d75b40 net.certmanager: Move LuaSec feature detection to net.tls_luasec
Kim Alvefur <zash@zash.se>
parents: 12976
diff changeset
   196
	curve = tls.features.algorithms.ec and not tls.features.capabilities.curves_list and "secp384r1";
8282
92cddfe65003 core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents: 8277
diff changeset
   197
	curveslist = {
92cddfe65003 core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents: 8277
diff changeset
   198
		"X25519",
92cddfe65003 core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents: 8277
diff changeset
   199
		"P-384",
92cddfe65003 core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents: 8277
diff changeset
   200
		"P-256",
92cddfe65003 core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents: 8277
diff changeset
   201
		"P-521",
92cddfe65003 core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
Kim Alvefur <zash@zash.se>
parents: 8277
diff changeset
   202
	};
7666
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents: 7534
diff changeset
   203
	ciphers = {      -- Enabled ciphers in order of preference:
10725
3a1b1d3084fb core.certmanager: Move EECDH ciphers before EDH in default cipherstring (fixes #1513)
Kim Alvefur <zash@zash.se>
parents: 10713
diff changeset
   204
		"HIGH+kEECDH", -- Ephemeral Elliptic curve Diffie-Hellman key exchange
7666
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents: 7534
diff changeset
   205
		"HIGH+kEDH",   -- Ephemeral Diffie-Hellman key exchange, if a 'dhparam' file is set
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents: 7534
diff changeset
   206
		"HIGH",        -- Other "High strength" ciphers
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents: 7534
diff changeset
   207
		               -- Disabled cipher suites:
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents: 7534
diff changeset
   208
		"!PSK",        -- Pre-Shared Key - not used for XMPP
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents: 7534
diff changeset
   209
		"!SRP",        -- Secure Remote Password - not used for XMPP
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents: 7534
diff changeset
   210
		"!3DES",       -- 3DES - slow and of questionable security
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents: 7534
diff changeset
   211
		"!aNULL",      -- Ciphers that does not authenticate the connection
54424e981796 core.certmanager: Split cipher list into array with comments explaining each part
Kim Alvefur <zash@zash.se>
parents: 7534
diff changeset
   212
	};
13119
749376d75b40 net.certmanager: Move LuaSec feature detection to net.tls_luasec
Kim Alvefur <zash@zash.se>
parents: 12976
diff changeset
   213
	dane = tls.features.capabilities.dane and configmanager.get("*", "use_dane") and { "no_ee_namechecks" };
5684
5554029d759b certmanager: Overhaul of how ssl configs are built.
Kim Alvefur <zash@zash.se>
parents: 5679
diff changeset
   214
}
-- Presets from the Mozilla SSL Configuration Generator, chosen via the
-- 'tls_profile' option. create_context() applies the matching entry after
-- core_defaults and before the global 'ssl' settings. "legacy" has no
-- entry here on purpose: it leaves core_defaults in effect unchanged.
local mozilla_ssl_configs = {
	-- https://wiki.mozilla.org/Security/Server_Side_TLS
	-- Version 5.7 as of 2023-07-09
	modern = {
		protocol = "tlsv1_3", -- TLS 1.3 only
		options = { cipher_server_preference = false },
		ciphers = "DEFAULT", -- TLS 1.3 uses 'ciphersuites' rather than these
		curveslist = { "X25519", "prime256v1", "secp384r1" },
		ciphersuites = {
			"TLS_AES_128_GCM_SHA256",
			"TLS_AES_256_GCM_SHA384",
			"TLS_CHACHA20_POLY1305_SHA256",
		},
	},
	intermediate = {
		protocol = "tlsv1_2+", -- TLS 1.2 and newer
		dhparam = nil, -- ffdhe2048.txt
		options = { cipher_server_preference = false },
		-- TLS 1.2 suites: ephemeral (ECDHE/DHE) key exchange with AEAD ciphers only
		ciphers = {
			"ECDHE-ECDSA-AES128-GCM-SHA256",
			"ECDHE-RSA-AES128-GCM-SHA256",
			"ECDHE-ECDSA-AES256-GCM-SHA384",
			"ECDHE-RSA-AES256-GCM-SHA384",
			"ECDHE-ECDSA-CHACHA20-POLY1305",
			"ECDHE-RSA-CHACHA20-POLY1305",
			"DHE-RSA-AES128-GCM-SHA256",
			"DHE-RSA-AES256-GCM-SHA384",
			"DHE-RSA-CHACHA20-POLY1305",
		},
		curveslist = { "X25519", "prime256v1", "secp384r1" },
		ciphersuites = {
			"TLS_AES_128_GCM_SHA256",
			"TLS_AES_256_GCM_SHA384",
			"TLS_CHACHA20_POLY1305_SHA256",
		},
	},
	old = {
		protocol = "tlsv1+", -- TLS 1.0 and newer, for clients that cannot do better
		dhparam = nil, -- openssl dhparam 1024
		options = { cipher_server_preference = true }, -- server's order wins over the client's
		-- Besides the ephemeral AEAD suites this also admits CBC-mode suites,
		-- plain RSA key exchange (no forward secrecy) and 3DES (DES-CBC3-SHA).
		ciphers = {
			"ECDHE-ECDSA-AES128-GCM-SHA256",
			"ECDHE-RSA-AES128-GCM-SHA256",
			"ECDHE-ECDSA-AES256-GCM-SHA384",
			"ECDHE-RSA-AES256-GCM-SHA384",
			"ECDHE-ECDSA-CHACHA20-POLY1305",
			"ECDHE-RSA-CHACHA20-POLY1305",
			"DHE-RSA-AES128-GCM-SHA256",
			"DHE-RSA-AES256-GCM-SHA384",
			"DHE-RSA-CHACHA20-POLY1305",
			"ECDHE-ECDSA-AES128-SHA256",
			"ECDHE-RSA-AES128-SHA256",
			"ECDHE-ECDSA-AES128-SHA",
			"ECDHE-RSA-AES128-SHA",
			"ECDHE-ECDSA-AES256-SHA384",
			"ECDHE-RSA-AES256-SHA384",
			"ECDHE-ECDSA-AES256-SHA",
			"ECDHE-RSA-AES256-SHA",
			"DHE-RSA-AES128-SHA256",
			"DHE-RSA-AES256-SHA256",
			"AES128-GCM-SHA256",
			"AES256-GCM-SHA384",
			"AES128-SHA256",
			"AES256-SHA256",
			"AES128-SHA",
			"AES256-SHA",
			"DES-CBC3-SHA",
		},
		curveslist = { "X25519", "prime256v1", "secp384r1" },
		ciphersuites = {
			"TLS_AES_128_GCM_SHA256",
			"TLS_AES_256_GCM_SHA384",
			"TLS_CHACHA20_POLY1305_SHA256",
		},
	},
};
-- Reduce core_defaults.curveslist to the curves this LuaSec build reports
-- in tls.features.curves. Only the built-in default list is filtered here;
-- the curveslist entries of the Mozilla presets are applied as written.
if tls.features.curves then
	local supported = tls.features.curves;
	local list = core_defaults.curveslist;
	-- walk backwards so removing an entry never shifts one we have yet to check
	local i = #list;
	while i >= 1 do
		if not supported[list[i]] then
			t_remove(list, i);
		end
		i = i - 1;
	end
else
	-- no curve enumeration available, so the list cannot be validated at all
	core_defaults.curveslist = nil;
end
local function create_context(host, mode, ...)
	local cfg = new_config();
	cfg:apply(core_defaults);
	local service_name, port = host:match("^(%S+) port (%d+)$");
	-- port 0 is used with client-only things that normally don't need certificates, e.g. https
	if service_name and port ~= "0" then
		log("debug", "Automatically locating certs for service %s on port %s", service_name, port);
		cfg:apply(find_service_cert(service_name, tonumber(port)));
	else
		log("debug", "Automatically locating certs for host %s", host);
		cfg:apply(find_host_cert(host));
	end
	cfg:apply({
		mode = mode,
		-- We can't read the password interactively when daemonized
		password = function() log("error", "Encrypted certificate for %s requires 'ssl' 'password' to be set in config", host); end;
	});
	local profile = configmanager.get("*", "tls_profile") or "intermediate";
	if mozilla_ssl_configs[profile] then
		cfg:apply(mozilla_ssl_configs[profile]);
	elseif profile ~= "legacy" then
		log("error", "Invalid value for 'tls_profile': expected one of \"modern\", \"intermediate\" (default), \"old\" or \"legacy\" but got %q", profile);
		return nil, "Invalid configuration, 'tls_profile' had an unknown value.";
	end
	cfg:apply(global_ssl_config);
	for i = select('#', ...), 1, -1 do
		cfg:apply(select(i, ...));
	end
	local user_ssl_config = cfg:final();
	if mode == "server" then
		if not user_ssl_config.certificate then
			log("debug", "No certificate present in SSL/TLS configuration for %s. SNI will be required.", host);
		end
		if user_ssl_config.certificate and not user_ssl_config.key then return nil, "No key present in SSL/TLS configuration for "..host; end
	end
	local ctx, err = cfg:build();
	if not ctx then
		err = err or "invalid ssl config"
		local file = err:match("^error loading (.-) %(");
		if file then
			local typ;
			if file == "private key" then
				typ = file;
				file = user_ssl_config.key or "your private key";
			elseif file == "certificate" then
				typ = file;
				file = user_ssl_config.certificate or "your certificate file";
			end
			local reason = err:match("%((.+)%)$") or "some reason";
			if reason == "Permission denied" then
				reason = "Check that the permissions allow Prosody to read this file.";
			elseif reason == "No such file or directory" then
				reason = "Check that the path is correct, and the file exists.";
			elseif reason == "system lib" then
				reason = "Previous error (see logs), or other system error.";
			elseif reason == "no start line" then
				reason = "Check that the file contains a "..(typ or file);
			elseif reason == "(null)" or not reason then
				reason = "Check that the file exists and the permissions are correct";
			else
				reason = "Reason: "..tostring(reason):lower();
			end
			log("error", "SSL/TLS: Failed to load '%s': %s (for %s)", file, reason, host);
		else
			log("error", "SSL/TLS: Error initialising for %s: %s", host, err);
		end
	end
	return ctx, err, user_ssl_config;
end
--- Re-read the TLS-related settings after the configuration has been (re)loaded.
-- Refreshes the module-level state that create_context builds on: the global
-- 'ssl' table, the 'certificates' directory (default "certs"), the compression
-- option (only when the TLS backend reports support for it), the DANE default,
-- and the certificate index built from the certs path resolved relative to the
-- config directory. Has no return value; it only updates upvalues.
local function reload_ssl_config()
	local get = configmanager.get;
	local features = tls.features;

	global_ssl_config = get("*", "ssl");
	global_certificates = get("*", "certificates") or "certs";

	-- TLS compression stays off unless the operator explicitly sets
	-- ssl_compression = true; the option is only written when the backend
	-- knows about it, otherwise core_defaults.options is left untouched.
	if features.options.no_compression then
		local compression_enabled = (get("*", "ssl_compression") == true);
		core_defaults.options.no_compression = not compression_enabled;
	end

	-- DANE: disabled unless use_dane is set. When it is set, pass the option
	-- list if the backend can do DANE itself, otherwise a plain boolean.
	local dane_setting;
	if not get("*", "use_dane") then
		dane_setting = false;
	elseif features.capabilities.dane then
		dane_setting = { "no_ee_namechecks" };
	else
		dane_setting = true;
	end
	core_defaults.dane = dane_setting;

	-- Rebuild the certificate index from the (possibly new) certs directory.
	cert_index = index_certs(resolve_path(config_path, global_certificates));
end
-- Keep the TLS defaults and certificate index in sync with the running
-- configuration: re-read them whenever the config is reloaded.
do
	local events = prosody.events;
	events.add_handler("config-reloaded", reload_ssl_config);
end
-- Module API.
local certmanager = {
	-- Build a TLS context for a host/service from the merged SSL config.
	create_context = create_context,
	-- Re-read TLS settings and rebuild the certificate index.
	reload_ssl_config = reload_ssl_config,
	-- Certificate/key lookup helpers (also used outside this module).
	find_cert = find_cert,
	index_certs = index_certs,
	find_host_cert = find_host_cert,
	find_cert_in_index = find_cert_in_index,
};

return certmanager;