authorKim Alvefur <zash@zash.se>2013-09-03 15:43:59 +0200
committerKim Alvefur <zash@zash.se>2013-09-03 15:43:59 +0200
commit247c7be5c780c54a9f08a20dd1a12e176896bb19 (patch)
treecdadc167187b543fe2e4619e03324c437b0385ca /core
parent49ac28447067580a77c87266d9a6f3b94191f2ec (diff)
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
Diffstat (limited to 'core')
-rw-r--r--core/certmanager.lua19
1 files changed, 17 insertions, 2 deletions
diff --git a/core/certmanager.lua b/core/certmanager.lua
index b39f4ed4..caa4afce 100644
--- a/core/certmanager.lua
+++ b/core/certmanager.lua
@@ -13,6 +13,8 @@ local ssl_newcontext = ssl and ssl.newcontext;
local tostring = tostring;
local pairs = pairs;
+local type = type;
+local io_open = io.open;
local prosody = prosody;
local resolve_path = configmanager.resolve_relative_path;
@@ -41,7 +43,7 @@ local core_defaults = {
ciphers = "HIGH:!DSS:!aNULL@STRENGTH";
}
local path_options = { -- These we pass through resolve_path()
- key = true, certificate = true, cafile = true, capath = true
+ key = true, certificate = true, cafile = true, capath = true, dhparam = true
}
if ssl and not luasec_has_verifyext and ssl.x509 then
@@ -75,12 +77,25 @@ function create_context(host, mode, user_ssl_config)
end
user_ssl_config.password = user_ssl_config.password or function() log("error", "Encrypted certificate for %s requires 'ssl' 'password' to be set in config", host); end;
for option in pairs(path_options) do
- user_ssl_config[option] = user_ssl_config[option] and resolve_path(config_path, user_ssl_config[option]);
+ if type(user_ssl_config[option]) == "string" then
+ user_ssl_config[option] = resolve_path(config_path, user_ssl_config[option]);
+ end
end
if not user_ssl_config.key then return nil, "No key present in SSL/TLS configuration for "..host; end
if not user_ssl_config.certificate then return nil, "No certificate present in SSL/TLS configuration for "..host; end
+ -- LuaSec expects dhparam to be a callback that takes two arguments.
+ -- We ignore those because it is mostly used for having a separate
+ -- set of params for EXPORT ciphers, which we don't have by default.
+ if type(user_ssl_config.dhparam) == "string" then
+ local f, err = io_open(user_ssl_config.dhparam);
+ if not f then return nil, "Could not open DH parameters: "..err end
+ local dhparam = f:read("*a");
+ f:close();
+ user_ssl_config.dhparam = function() return dhparam; end
+ end
+
local ctx, err = ssl_newcontext(user_ssl_config);
-- COMPAT Older LuaSec ignores the cipher list from the config, so we have to take care
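Review bot: The blob read on the `local dhparam = f:read("*a");` line is handed to LuaSec with no check that it is non-empty or actually contains DH parameters, so an empty file or a wrong file at that path (a certificate, say) is only noticed when LuaSec invokes the callback, presumably as a handshake failure rather than a configuration error at startup; how LuaSec reacts to a callback returning unparsable data is not visible here, so that failure mode is inferred. Since this function already returns `nil, err` for a missing key or certificate, the same treatment fits: `if not dhparam or not dhparam:find("DH PARAMETERS", 1, true) then return nil, "File does not contain DH parameters: "..user_ssl_config.dhparam; end` placed after `f:close()`. The plain-text `find` on "DH PARAMETERS" rather than the full PEM header is deliberate so that X9.42 style headers are not rejected, and the `not dhparam` half also covers `read` returning nil on an I/O error, which the closure would otherwise pass straight to LuaSec. create_context begins before this hunk and its body continues past the last line shown.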