author | Matthew Wild <mwild1@gmail.com> | 2016-02-05 00:03:41 +0000 |
---|---|---|
committer | Matthew Wild <mwild1@gmail.com> | 2016-02-05 00:03:41 +0000 |
commit | e2b370c6bf9d1495d9d180fb8713d3a5d774e0fd (patch) | |
tree | 3599cb89f066843ed03da7ed4830b5c76cc3a71c | |
parent | 1ca9c3d5200f76d6aa0bc8ab47d288b4b5fe6179 (diff) | |
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
-rw-r--r-- | core/certmanager.lua | 29 |
1 files changed, 23 insertions, 6 deletions
diff --git a/core/certmanager.lua b/core/certmanager.lua
index db3cf58e..b1ff648d 100644
--- a/core/certmanager.lua
+++ b/core/certmanager.lua
@@ -56,12 +56,11 @@ local global_certificates = configmanager.get("*", "certificates") or "certs";
 local crt_try = { "", "/%s.crt", "/%s/fullchain.pem", "/%s.pem", };
 local key_try = { "", "/%s.key", "/%s/privkey.pem", "/%s.pem", };
-local function find_cert(host)
- local certs = configmanager.get(host, "certificate") or global_certificates;
- certs = resolve_path(config_path, certs);
+local function find_cert(user_certs, name)
+ local certs = resolve_path(config_path, user_certs or global_certificates);
 for i = 1, #crt_try do
- local crt_path = certs .. crt_try[i]:format(host);
- local key_path = certs .. key_try[i]:format(host);
+ local crt_path = certs .. crt_try[i]:format(name);
+ local key_path = certs .. key_try[i]:format(name);
 if stat(crt_path, "mode") == "file" then
 if stat(key_path, "mode") == "file" then
@@ -77,6 +76,19 @@ local function find_cert(host)
 end
 end
+local function find_host_cert(host)
+ if not host then return nil; end
+ return find_cert(configmanager.get(host, "certificate"), host) or find_host_cert(host:match("%.(.+)$"));
+end
+
+local function find_service_cert(service, port)
+ local cert_config = configmanager.get("*", service.."_certificate");
+ if type(cert_config) == "table" then
+ cert_config = cert_config[port] or cert_config.default;
+ end
+ return find_cert(cert_config, service);
+end
+
 -- Built-in defaults
 local core_defaults = {
 capath = "/etc/ssl/certs"; 
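Review bot: `find_cert` now formats a caller-supplied `name` straight into file paths (`crt_try[i]:format(name)`, `key_try[i]:format(name)`), and nothing on the function says what a valid name is. With two callers added in this commit, I would state the contract above the function, e.g. `-- user_certs: path from config (nil falls back to the global "certificates" directory); name: host or service name, used as a file/directory name and must not contain "/"`. Whether every caller already guarantees that is not visible here, and the function body continues past the end of this hunk.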
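Review bot: `find_host_cert` falls back through every parent domain down to the bare TLD, whereas the line removed in `create_context` looked only one label up, and nothing in this hunk checks that the certificate found actually covers `host`. For a host such as `a.b.example.com` this can select the files for `example.com`, which a wildcard would not cover, so clients would get a name mismatch instead of a clear configuration error. I would document it on the function, `-- Tries host, then each parent domain in turn; matching is by file name only, not by the names inside the certificate`, and consider logging which name matched. Separately, `cert_config[port]` in `find_service_cert` is indexed with a number (the caller passes `tonumber(port)`), so a table keyed by strings like `"5281"` would silently fall back to `cert_config.default`.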
@@ -109,7 +121,12 @@ local function create_context(host, mode, ...)
 local cfg = new_config();
 cfg:apply(core_defaults);
 cfg:apply(global_ssl_config);
- cfg:apply(find_cert(host) or find_cert(host:match("%.(.*)")));
+ local service_name, port = host:match("^(%w+) port (%d+)$");
+ if service_name then
+ cfg:apply(find_service_cert(service_name, tonumber(port)));
+ else
+ cfg:apply(find_host_cert(host));
+ end
 cfg:apply({
 mode = mode,
 -- We can't read the password interactively when daemonized |
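Review bot: The pattern `^(%w+) port (%d+)$` accepts only alphanumeric service names, so a service whose name contains `_` or `-` (Prosody's `legacy_ssl`, if it reaches this function) is not recognised and falls through to `find_host_cert`, which then treats the whole "<service> port <n>" string as a hostname. Its `<service>_certificate` option would be ignored without any error, and the default certificate lookup used instead. I would widen the class while still excluding path characters: `local service_name, port = host:match("^([%w_%-]+) port (%d+)$");`. The body of `create_context` continues outside the hunk.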