Mercurial Mercurial > prosody > prosody / changeset
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
net.http: fail open if surrounding code does not configure TLS
authorJonas Schäfer <jonas@wielicki.name>
Sun, 29 Aug 2021 15:04:47 +0200
changeset 11753 83d6d6a70edf
parent 11751 9f723b54e111
child 11754 a8760562a096
net.http: fail open if surrounding code does not configure TLS Previously, if surrounding code was not configuring the TLS context used default in net.http, it would not validate certificates at all. This is not a security issue with prosody, because prosody updates the context with `verify = "peer"` as well as paths to CA certificates in util.startup.init_http_client. Nevertheless... Let's not leave this pitfall out there in the open.
net/http.lua file | annotate | diff | comparison | revisions 
--- a/net/http.lua	Thu Aug 26 16:42:42 2021 +0100
+++ b/net/http.lua	Sun Aug 29 15:04:47 2021 +0200
@@ -332,7 +332,7 @@
 end
 
 local default_http = new({
-	sslctx = { mode = "client", protocol = "sslv23", options = { "no_sslv2", "no_sslv3" }, alpn = "http/1.1" };
+	sslctx = { mode = "client", protocol = "sslv23", options = { "no_sslv2", "no_sslv3" }, alpn = "http/1.1", verify = "peer" };
 	suppress_errors = true;
 });
prosody