diff options
author | Kim Alvefur <zash@zash.se> | 2014-04-15 00:45:07 +0200 |
---|---|---|
committer | Kim Alvefur <zash@zash.se> | 2014-04-15 00:45:07 +0200 |
commit | 7229a760a41d22e002e82f2f8d00aec8cc271f30 (patch) | |
tree | ccbf8cb9b2b8fe0fa125e75c857ca1a491741c1f /core/certmanager.lua | |
parent | 01c2957f0296cee49cca7af4d6fedc13ffbb7cbd (diff) | |
download | prosody-7229a760a41d22e002e82f2f8d00aec8cc271f30.tar.gz prosody-7229a760a41d22e002e82f2f8d00aec8cc271f30.zip |
certmanager: Support ssl.protocol syntax like "tlsv1+" that disables older protocols
Diffstat (limited to 'core/certmanager.lua')
-rw-r--r-- | core/certmanager.lua | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/core/certmanager.lua b/core/certmanager.lua index cf745ad2..3741145d 100644 --- a/core/certmanager.lua +++ b/core/certmanager.lua @@ -36,9 +36,9 @@ local global_ssl_config = configmanager.get("*", "ssl"); local core_defaults = { capath = "/etc/ssl/certs"; - protocol = "sslv23"; + protocol = "tlsv1+"; verify = (ssl and ssl.x509 and { "peer", "client_once", }) or "none"; - options = { "no_sslv2", "no_sslv3", "cipher_server_preference", luasec_has_noticket and "no_ticket" or nil }; + options = { "cipher_server_preference", luasec_has_noticket and "no_ticket" or nil }; verifyext = { "lsec_continue", "lsec_ignore_purpose" }; curve = "secp384r1"; ciphers = "HIGH+kEDH:HIGH+kEECDH:HIGH:!PSK:!SRP:!3DES:!aNULL"; @@ -77,6 +77,9 @@ local function merge_set(t, o) return o; end +local protocols = { "sslv2", "sslv3", "tlsv1", "tlsv1_1", "tlsv1_2" }; +for i = 1, #protocols do protocols[protocols[i] .. "+"] = i - 1; end + function create_context(host, mode, user_ssl_config) user_ssl_config = user_ssl_config or {} user_ssl_config.mode = mode; @@ -97,6 +100,14 @@ function create_context(host, mode, user_ssl_config) end end + local min_protocol = protocols[user_ssl_config.protocol]; + if min_protocol then + user_ssl_config.protocol = "sslv23"; + for i = min_protocol, 1, -1 do + user_ssl_config.options["no_"..protocols[i]] = true; + end + end + for option in pairs(set_options) do local merged = {}; merge_set(core_defaults[option], merged); |