aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorJonas Schäfer <jonas@wielicki.name>2021-08-29 15:04:47 +0200
committerJonas Schäfer <jonas@wielicki.name>2021-08-29 15:04:47 +0200
commit52a9ddd22a9cbf0af9a9cae9fb7ce244c5ab4f35 (patch)
tree1c758c46610ae2dcced475927cf5a0370376469c /net
parent43345d4169f0b6fb66a1f2eb8ee297bf5c4ccfc4 (diff)
downloadprosody-52a9ddd22a9cbf0af9a9cae9fb7ce244c5ab4f35.tar.gz
prosody-52a9ddd22a9cbf0af9a9cae9fb7ce244c5ab4f35.zip
net.http: fail open if surrounding code does not configure TLS
Previously, if surrounding code was not configuring the TLS context used default in net.http, it would not validate certificates at all. This is not a security issue with prosody, because prosody updates the context with `verify = "peer"` as well as paths to CA certificates in util.startup.init_http_client. Nevertheless... Let's not leave this pitfall out there in the open.
Diffstat (limited to 'net')
-rw-r--r--net/http.lua2
1 files changed, 1 insertions, 1 deletions
diff --git a/net/http.lua b/net/http.lua
index a13c3942..f5d03b19 100644
--- a/net/http.lua
+++ b/net/http.lua
@@ -332,7 +332,7 @@ local function new(options)
end
local default_http = new({
- sslctx = { mode = "client", protocol = "sslv23", options = { "no_sslv2", "no_sslv3" }, alpn = "http/1.1" };
+ sslctx = { mode = "client", protocol = "sslv23", options = { "no_sslv2", "no_sslv3" }, alpn = "http/1.1", verify = "peer" };
suppress_errors = true;
});