certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost

1 files changed, 29 insertions, 0 deletions

diff --git a/core/certmanager.lua b/core/certmanager.lua
index 5cbec241..cf745ad2 100644
--- a/core/certmanager.lua
+++ b/core/certmanager.lua
@@ -46,6 +46,9 @@ local core_defaults = {
 local path_options = { -- These we pass through resolve_path()
 	key = true, certificate = true, cafile = true, capath = true, dhparam = true
 }
+local set_options = {
+	options = true, verify = true, verifyext = true
+}
 
 if ssl and not luasec_has_verifyext and ssl.x509 then
 	-- COMPAT mw/luasec-hg
@@ -62,6 +65,18 @@ if luasec_has_no_compression then -- Has no_compression? Then it has these too..
 	end
 end
 
+local function merge_set(t, o)
+	if type(t) ~= "table" then t = { t } end
+	for k,v in pairs(t) do
+		if v == true or v == false then
+			o[k] = v;
+		else
+			o[v] = true;
+		end
+	end
+	return o;
+end
+
 function create_context(host, mode, user_ssl_config)
 	user_ssl_config = user_ssl_config or {}
 	user_ssl_config.mode = mode;
@@ -82,6 +97,20 @@ function create_context(host, mode, user_ssl_config)
 		end
 	end
 
+	for option in pairs(set_options) do
+		local merged = {};
+		merge_set(core_defaults[option], merged);
+		merge_set(global_ssl_config[option], merged);
+		merge_set(user_ssl_config[option], merged);
+		local final_array = {};
+		for opt, enable in pairs(merged) do
+			if enable then
+				final_array[#final_array+1] = opt;
+			end
+		end
+		user_ssl_config[option] = final_array;
+	end
+
 	-- We can't read the password interactively when daemonized
 	user_ssl_config.password = user_ssl_config.password or
 		function() log("error", "Encrypted certificate for %s requires 'ssl' 'password' to be set in config", host); end;