core.certmanager: Do not ask for client certificates by default
authorKim Alvefur <zash@zash.se>
Sun, 10 Mar 2019 19:58:28 +0100
changeset 9856 6ea3cafb6ac3
parent 9855 75d2874502c3
child 9857 9aea8dbb105d
core.certmanager: Do not ask for client certificates by default Since it is mostly only mod_s2s that needs to request client certificates, it makes more sense to have mod_s2s ask for this explicitly, instead of having every other service (e.g. mod_http) opt out of it.
core/certmanager.lua
plugins/mod_http.lua
plugins/mod_s2s/mod_s2s.lua
--- a/core/certmanager.lua	Sun Mar 10 19:32:33 2019 +0100
+++ b/core/certmanager.lua	Sun Mar 10 19:58:28 2019 +0100
@@ -106,7 +106,7 @@
 	capath = "/etc/ssl/certs";
 	depth = 9;
 	protocol = "tlsv1+";
-	verify = (ssl_x509 and { "peer", "client_once", }) or "none";
+	verify = "none";
 	options = {
 		cipher_server_preference = luasec_has.options.cipher_server_preference;
 		no_ticket = luasec_has.options.no_ticket;
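Review bot: The new `verify = "none"` sits in the shared defaults table, so it now applies to every context built from it regardless of mode; if any client-mode context (e.g. outgoing s2s, which must verify the remote server's certificate) previously relied on the old `"peer"` default instead of setting `verify` itself, it now silently stops verifying. create_context's mode-specific handling and the enclosing table's start are outside this hunk, so this is worth confirming rather than assuming. The same applies to any other listener that relied on the old default to request client certificates (for instance SASL EXTERNAL on c2s) — it now needs its own `ssl_config` or user configuration, which deserves a mention in the release notes. A short why-comment would also help the next reader: `-- Do not request client certificates by default; services that need them (mod_s2s) set verify in their own ssl_config`.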
--- a/plugins/mod_http.lua	Sun Mar 10 19:32:33 2019 +0100
+++ b/plugins/mod_http.lua	Sun Mar 10 19:58:28 2019 +0100
@@ -228,9 +228,6 @@
 	listener = server.listener;
 	default_port = 5281;
 	encryption = "ssl";
-	ssl_config = {
-		verify = "none";
-	};
 	multiplex = {
 		pattern = "^[A-Z]";
 	};
--- a/plugins/mod_s2s/mod_s2s.lua	Sun Mar 10 19:32:33 2019 +0100
+++ b/plugins/mod_s2s/mod_s2s.lua	Sun Mar 10 19:58:28 2019 +0100
@@ -738,6 +738,9 @@
 	listener = listener;
 	default_port = 5269;
 	encryption = "starttls";
+	ssl_config = {
+		verify = { "peer", "client_once", };
+	};
 	multiplex = {
 		pattern = "^<.*:stream.*%sxmlns%s*=%s*(['\"])jabber:server%1.*>";
 	};
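Review bot: The old default only requested client certificates when `ssl_x509` was available, and that guard is dropped here: the s2s listener now asks for a client certificate unconditionally, so if the later certificate inspection depends on `ssl.x509` (outside this hunk), a missing module is no longer reflected in this setting — confirm that is intended or reinstate the condition. Whether this `ssl_config` is merged before or after user-supplied `s2s_ssl` settings depends on portmanager, which is not shown, so it is worth checking that a user setting `verify` still wins. A comment stating the intent would make the choice of `"peer"` without `"fail_if_no_peer_cert"` self-explanatory, e.g. `-- Request, but do not require, a client certificate so incoming s2s peers can present one for authentication; absence falls back to other mechanisms`. The enclosing `module:provides` table starts before this hunk.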