diff options
| author | Kim Alvefur <zash@zash.se> | 2021-02-06 22:12:38 +0100 |
|---|---|---|
| committer | Kim Alvefur <zash@zash.se> | 2021-02-06 22:12:38 +0100 |
| commit | 0f16ee66e2ab2e592f3d153435fcc34ccca2646b (patch) | |
| tree | a9fb9ef0caba7582153f1f4ee643ee7dd9127b23 | |
| parent | 89064c8cfb9a397547a31b7fb44319870dc0d821 (diff) | |
| download | prosody-0f16ee66e2ab2e592f3d153435fcc34ccca2646b.tar.gz prosody-0f16ee66e2ab2e592f3d153435fcc34ccca2646b.zip | |
core.certmanager: Add comments explaining the 'verifyext' TLS settings
Thanks to debacle for reminding me, in the context of mod_auth_ccert
I wonder if we still need lsec_ignore_purpose, Let's Encrypt seems to
include both client and server purposes in certs.
| -rw-r--r-- | core/certmanager.lua | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/core/certmanager.lua b/core/certmanager.lua index 023218fa..4bc98935 100644 --- a/core/certmanager.lua +++ b/core/certmanager.lua @@ -118,7 +118,10 @@ local core_defaults = { single_dh_use = luasec_has.options.single_dh_use; single_ecdh_use = luasec_has.options.single_ecdh_use; }; - verifyext = { "lsec_continue", "lsec_ignore_purpose" }; + verifyext = { + "lsec_continue", -- Continue past certificate verification errors + "lsec_ignore_purpose", -- Validate client certificates as if they were server certificates + }; curve = luasec_has.algorithms.ec and not luasec_has.capabilities.curves_list and "secp384r1"; curveslist = { "X25519", |