aboutsummaryrefslogtreecommitdiffstats
path: root/core/certmanager.lua
diff options
context:
space:
mode:
authorKim Alvefur <zash@zash.se>2019-11-16 16:52:31 +0100
committerKim Alvefur <zash@zash.se>2019-11-16 16:52:31 +0100
commit908f5b61c55e4cba39e61ac415b0fca384a1095d (patch)
tree6e391ff6608608f181e42c92ee6dfd7c534da255 /core/certmanager.lua
parentc4c38d2f01d5f2711b527c7c2412250ed6c58738 (diff)
parentfd9ccf20d5b652dbad1f37cecd540661f4642ee6 (diff)
downloadprosody-908f5b61c55e4cba39e61ac415b0fca384a1095d.tar.gz
prosody-908f5b61c55e4cba39e61ac415b0fca384a1095d.zip
Merge 0.11->trunk
Diffstat (limited to 'core/certmanager.lua')
-rw-r--r--core/certmanager.lua18
1 files changed, 6 insertions, 12 deletions
diff --git a/core/certmanager.lua b/core/certmanager.lua
index 5282a6f5..b20a0cdb 100644
--- a/core/certmanager.lua
+++ b/core/certmanager.lua
@@ -20,7 +20,6 @@ end
local configmanager = require "core.configmanager";
local log = require "util.logger".init("certmanager");
local ssl_context = ssl.context or softreq"ssl.context";
-local ssl_x509 = ssl.x509 or softreq"ssl.x509";
local ssl_newcontext = ssl.newcontext;
local new_config = require"util.sslconfig".new;
local stat = require "lfs".attributes;
@@ -106,7 +105,7 @@ local core_defaults = {
capath = "/etc/ssl/certs";
depth = 9;
protocol = "tlsv1+";
- verify = (ssl_x509 and { "peer", "client_once", }) or "none";
+ verify = "none";
options = {
cipher_server_preference = luasec_has.options.cipher_server_preference;
no_ticket = luasec_has.options.no_ticket;
@@ -123,8 +122,8 @@ local core_defaults = {
"P-521",
};
ciphers = { -- Enabled ciphers in order of preference:
- "HIGH+kEDH", -- Ephemeral Diffie-Hellman key exchange, if a 'dhparam' file is set
"HIGH+kEECDH", -- Ephemeral Elliptic curve Diffie-Hellman key exchange
+ "HIGH+kEDH", -- Ephemeral Diffie-Hellman key exchange, if a 'dhparam' file is set
"HIGH", -- Other "High strength" ciphers
-- Disabled cipher suites:
"!PSK", -- Pre-Shared Key - not used for XMPP
@@ -148,13 +147,6 @@ local path_options = { -- These we pass through resolve_path()
key = true, certificate = true, cafile = true, capath = true, dhparam = true
}
-if luasec_version < 5 and ssl_x509 then
- -- COMPAT mw/luasec-hg
- for i=1,#core_defaults.verifyext do -- Remove lsec_ prefix
- core_defaults.verify[#core_defaults.verify+1] = core_defaults.verifyext[i]:sub(6);
- end
-end
-
local function create_context(host, mode, ...)
local cfg = new_config();
cfg:apply(core_defaults);
@@ -177,8 +169,10 @@ local function create_context(host, mode, ...)
local user_ssl_config = cfg:final();
if mode == "server" then
- if not user_ssl_config.certificate then return nil, "No certificate present in SSL/TLS configuration for "..host; end
- if not user_ssl_config.key then return nil, "No key present in SSL/TLS configuration for "..host; end
+ if not user_ssl_config.certificate then
+ log("info", "No certificate present in SSL/TLS configuration for %s. SNI will be required.", host);
+ end
+ if user_ssl_config.certificate and not user_ssl_config.key then return nil, "No key present in SSL/TLS configuration for "..host; end
end
for option in pairs(path_options) do