authorKim Alvefur <zash@zash.se>2020-11-05 22:31:25 +0100
committerKim Alvefur <zash@zash.se>2020-11-05 22:31:25 +0100
commit238b2bfc1cdb65ae7d051c2f29c1427149317795 (patch)
tree58547de6e7795740633c1b93e67c217eb621fe8f /core/certmanager.lua
parentce3e3808f5359f481f3ea063220ba71428b26ad5 (diff)
parent48521ba1538f797f5bef64f5fe5f3a9fb6e68f7f (diff)
Merge 0.11->trunk
Diffstat (limited to 'core/certmanager.lua')
-rw-r--r--core/certmanager.lua20
1 files changed, 9 insertions, 11 deletions
diff --git a/core/certmanager.lua b/core/certmanager.lua
index 20b91318..023218fa 100644
--- a/core/certmanager.lua
+++ b/core/certmanager.lua
@@ -20,7 +20,6 @@ end
local configmanager = require "core.configmanager";
local log = require "util.logger".init("certmanager");
local ssl_context = ssl.context or softreq"ssl.context";
-local ssl_x509 = ssl.x509 or softreq"ssl.x509";
local ssl_newcontext = ssl.newcontext;
local new_config = require"util.sslconfig".new;
local stat = require "lfs".attributes;
@@ -38,6 +37,9 @@ local config_path = prosody.paths.config or ".";
local luasec_major, luasec_minor = ssl._VERSION:match("^(%d+)%.(%d+)");
local luasec_version = tonumber(luasec_major) * 100 + tonumber(luasec_minor);
+-- TODO Use ssl.config instead of require here once we are sure that the fix
+-- in LuaSec has been widely distributed
+-- https://github.com/brunoos/luasec/issues/149
local luasec_has = softreq"ssl.config" or {
algorithms = {
ec = luasec_version >= 5;
@@ -108,7 +110,7 @@ local core_defaults = {
capath = "/etc/ssl/certs";
depth = 9;
protocol = "tlsv1+";
- verify = (ssl_x509 and { "peer", "client_once", }) or "none";
+ verify = "none";
options = {
cipher_server_preference = luasec_has.options.cipher_server_preference;
no_ticket = luasec_has.options.no_ticket;
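Review bot: The new default `verify = "none"` turns off TLS-layer peer certificate requesting and verification for every context that does not set `verify` itself, and nothing in the hunk records why that is the intended default, whereas the removed line at least tied the choice to x509 support being available. If verification is meant to be switched on per connection type by the callers of create_context (outside this hunk), a comment next to the new line should say so, e.g. `-- No TLS-layer peer verification by default; callers that need it must set verify explicitly`, to be confirmed against those callers. Any `verifyext` entries that remain in core_defaults are presumably only meaningful when `verify` is not "none", so the same comment should mention that. The enclosing core_defaults table starts and ends outside the hunk.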
@@ -150,13 +152,6 @@ local path_options = { -- These we pass through resolve_path()
key = true, certificate = true, cafile = true, capath = true, dhparam = true
}
-if luasec_version < 5 and ssl_x509 then
- -- COMPAT mw/luasec-hg
- for i=1,#core_defaults.verifyext do -- Remove lsec_ prefix
- core_defaults.verify[#core_defaults.verify+1] = core_defaults.verifyext[i]:sub(6);
- end
-end
-
local function create_context(host, mode, ...)
local cfg = new_config();
cfg:apply(core_defaults);
@@ -179,8 +174,10 @@ local function create_context(host, mode, ...)
local user_ssl_config = cfg:final();
if mode == "server" then
- if not user_ssl_config.certificate then return nil, "No certificate present in SSL/TLS configuration for "..host; end
- if not user_ssl_config.key then return nil, "No key present in SSL/TLS configuration for "..host; end
+ if not user_ssl_config.certificate then
+ log("info", "No certificate present in SSL/TLS configuration for %s. SNI will be required.", host);
+ end
+ if user_ssl_config.certificate and not user_ssl_config.key then return nil, "No key present in SSL/TLS configuration for "..host; end
end
for option in pairs(path_options) do
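Review bot: The new server-mode checks accept a configuration with a key but no certificate silently: the certificate branch only logs at "info" and the key check now runs only when a certificate is present, so a host that lost its certificate but kept its key is reported exactly like the deliberately certificate-less SNI case. Logging that asymmetric case more loudly keeps the intended SNI behaviour while not hiding a misconfiguration, e.g. `log(user_ssl_config.key and "warn" or "info", "No certificate present in SSL/TLS configuration for %s. SNI will be required.", host);`. Nothing in this hunk guarantees that a certificate is later supplied via SNI; that presumably happens in the caller that installs per-host certificates, so the message should be taken as an expectation rather than a check. create_context's body starts and continues outside the hunk.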
@@ -260,4 +257,5 @@ return {
create_context = create_context;
reload_ssl_config = reload_ssl_config;
find_cert = find_cert;
+ find_host_cert = find_host_cert;
};