aboutsummaryrefslogtreecommitdiffstats
path: root/core
diff options
context:
space:
mode:
Diffstat (limited to 'core')
-rw-r--r--core/certmanager.lua36
-rw-r--r--core/portmanager.lua21
2 files changed, 13 insertions, 44 deletions
diff --git a/core/certmanager.lua b/core/certmanager.lua
index c193e824..7958e8a9 100644
--- a/core/certmanager.lua
+++ b/core/certmanager.lua
@@ -9,9 +9,8 @@
local ssl = require "ssl";
local configmanager = require "core.configmanager";
local log = require "util.logger".init("certmanager");
-local ssl_context = ssl.context or require "ssl.context";
local ssl_newcontext = ssl.newcontext;
-local new_config = require"util.sslconfig".new;
+local new_config = require"net.server".tls_builder;
local stat = require "lfs".attributes;
local x509 = require "util.x509";
@@ -313,10 +312,6 @@ else
core_defaults.curveslist = nil;
end
-local path_options = { -- These we pass through resolve_path()
- key = true, certificate = true, cafile = true, capath = true, dhparam = true
-}
-
local function create_context(host, mode, ...)
local cfg = new_config();
cfg:apply(core_defaults);
@@ -352,34 +347,7 @@ local function create_context(host, mode, ...)
if user_ssl_config.certificate and not user_ssl_config.key then return nil, "No key present in SSL/TLS configuration for "..host; end
end
- for option in pairs(path_options) do
- if type(user_ssl_config[option]) == "string" then
- user_ssl_config[option] = resolve_path(config_path, user_ssl_config[option]);
- else
- user_ssl_config[option] = nil;
- end
- end
-
- -- LuaSec expects dhparam to be a callback that takes two arguments.
- -- We ignore those because it is mostly used for having a separate
- -- set of params for EXPORT ciphers, which we don't have by default.
- if type(user_ssl_config.dhparam) == "string" then
- local f, err = io_open(user_ssl_config.dhparam);
- if not f then return nil, "Could not open DH parameters: "..err end
- local dhparam = f:read("*a");
- f:close();
- user_ssl_config.dhparam = function() return dhparam; end
- end
-
- local ctx, err = ssl_newcontext(user_ssl_config);
-
- -- COMPAT Older LuaSec ignores the cipher list from the config, so we have to take care
- -- of it ourselves (W/A for #x)
- if ctx and user_ssl_config.ciphers then
- local success;
- success, err = ssl_context.setcipher(ctx, user_ssl_config.ciphers);
- if not success then ctx = nil; end
- end
+ local ctx, err = cfg:build();
if not ctx then
err = err or "invalid ssl config"
diff --git a/core/portmanager.lua b/core/portmanager.lua
index 38c74b66..8c7dfddb 100644
--- a/core/portmanager.lua
+++ b/core/portmanager.lua
@@ -240,21 +240,22 @@ local function add_sni_host(host, service)
log("debug", "Gathering certificates for SNI for host %s, %s service", host, service or "default");
for name, interface, port, n, active_service --luacheck: ignore 213
in active_services:iter(service, nil, nil, nil) do
- if active_service.server.hosts and active_service.tls_cfg then
- local config_prefix = (active_service.config_prefix or name).."_";
- if config_prefix == "_" then config_prefix = ""; end
- local prefix_ssl_config = config.get(host, config_prefix.."ssl");
+ if active_service.server and active_service.tls_cfg then
local alternate_host = name and config.get(host, name.."_host");
if not alternate_host and name == "https" then
-- TODO should this be some generic thing? e.g. in the service definition
alternate_host = config.get(host, "http_host");
end
local autocert = certmanager.find_host_cert(alternate_host or host);
- -- luacheck: ignore 211/cfg
- local ssl, err, cfg = certmanager.create_context(host, "server", prefix_ssl_config, autocert, active_service.tls_cfg);
- if ssl then
- active_service.server.hosts[alternate_host or host] = ssl;
- else
+ local manualcert = active_service.tls_cfg;
+ local certificate = (autocert and autocert.certificate) or manualcert.certificate;
+ local key = (autocert and autocert.key) or manualcert.key;
+ local ok, err = active_service.server:sslctx():set_sni_host(
+ host,
+ certificate,
+ key
+ );
+ if not ok then
log("error", "Error creating TLS context for SNI host %s: %s", host, err);
end
end
@@ -277,7 +278,7 @@ prosody.events.add_handler("host-deactivated", function (host)
for name, interface, port, n, active_service --luacheck: ignore 213
in active_services:iter(nil, nil, nil, nil) do
if active_service.tls_cfg then
- active_service.server.hosts[host] = nil;
+ active_service.server:sslctx():remove_sni_host(host)
end
end
end);