diff options
| author | Kim Alvefur <zash@zash.se> | 2025-03-29 22:25:19 +0100 |
|---|---|---|
| committer | Kim Alvefur <zash@zash.se> | 2025-03-29 22:25:19 +0100 |
| commit | 96aadab60bb391c7b88091659f89a8e176036538 (patch) | |
| tree | e09a9986b8824be58d5f899d113e958a59b092fd | |
| parent | be51e54c680fd94303a5e8681fd5340503976f0b (diff) | |
| download | prosody-96aadab60bb391c7b88091659f89a8e176036538.tar.gz prosody-96aadab60bb391c7b88091659f89a8e176036538.zip | |
core.portmanager: Restore use of per-host 'ssl' for SNI hosts. Fixes #1915.
This was an unintentional regression, as per-host 'ssl' options became valid
in 0.12 when SNI support was added for direct TLS ports. While we encourage
most people to use the simpler automatic certificate selection (and it seems
most do, given the overlooking of this bug), there are likely always going to
be use cases for manually-configured certificates.
The issue was introduced in commit 7e9ebdc75ce4 which inadvertently removed
the per-host option checking for SNI.
| -rw-r--r-- | core/portmanager.lua | 24 |
1 files changed, 14 insertions, 10 deletions
diff --git a/core/portmanager.lua b/core/portmanager.lua index 904c979c..88bd7b61 100644 --- a/core/portmanager.lua +++ b/core/portmanager.lua @@ -245,22 +245,26 @@ local function add_sni_host(host, service) for name, interface, port, n, active_service --luacheck: ignore 213 in active_services:iter(service, nil, nil, nil) do if active_service.server and active_service.tls_cfg then + local config_prefix = (active_service.config_prefix or name).."_"; + if config_prefix == "_" then config_prefix = ""; end + local prefix_ssl_config = config.get(host, config_prefix.."ssl"); local alternate_host = name and config.get(host, name.."_host"); if not alternate_host and name == "https" then -- TODO should this be some generic thing? e.g. in the service definition alternate_host = config.get(host, "http_host"); end - local autocert = certmanager.find_host_cert(alternate_host or host); - local manualcert = active_service.tls_cfg; - local certificate = (autocert and autocert.certificate) or manualcert.certificate; - local key = (autocert and autocert.key) or manualcert.key; - local ok, err = active_service.server:sslctx():set_sni_host( - host, - certificate, - key - ); - if not ok then + local ssl, err, cfg = certmanager.create_context(alternate_host or host, "server", prefix_ssl_config, active_service.tls_cfg); + if not ssl then log("error", "Error creating TLS context for SNI host %s: %s", host, err); + else + local ok, err = active_service.server:sslctx():set_sni_host( + host, + cfg.certificate, + cfg.key + ); + if not ok then + log("error", "Error creating TLS context for SNI host %s: %s", host, err); + end end end end |