Commit message (Collapse) | Author | Age | Files | Lines | |
---|---|---|---|---|---|
* | moduleapi: Update Teal spec | Kim Alvefur | 2023-11-13 | 1 | -1/+4 |
| | | | | Updates for 65fb0d7a2312::59c3d775c7fa | ||||
* | util.prosodyctl.check: Disable https cert check if http_external_url set | Kim Alvefur | 2023-11-13 | 1 | -0/+4 |
| | | | | | This would indicate that a reverse proxy is used, which gets to be responsible for that since it probably holds the actual cert. | ||||
* | util.prosodyctl.check: Check cert for HTTPS if http module enabled | Kim Alvefur | 2023-11-13 | 1 | -3/+13 |
| | |||||
* | util.prosodyctl.check: Update conditions for s2s cert checks | Kim Alvefur | 2023-11-13 | 1 | -3/+3 |
| | | | | | | The 'anonymous_login' setting is deprecated and prosodyctl check config will tell you to change it to 'authentication = "internal_hashed"', so we shouldn't need to care about here anymore. | ||||
* | util.prosodyctl.check: Simplify conditions for c2s and s2s cert checks | Kim Alvefur | 2023-11-13 | 1 | -3/+3 |
| | | | | This code is hard to follow and in need of some refactoring. | ||||
* | tools/build-env: Tools for building and testing in a container | Kim Alvefur | 2023-11-12 | 3 | -0/+61 |
| | | | | | | | | | ./tools/build-env/build.sh Creates a container image based on Debian or Ubuntu ./tools/build-env/here.sh Starts a container and mounts in the current working directory, from where one can ./configure; make; make test etc | ||||
* | mod_s2s_auth_dane_in: Bail out on explicit service denial | Kim Alvefur | 2023-11-12 | 1 | -0/+1 |
| | |||||
* | mod_tokenauth: Include more details in debug logs | Kim Alvefur | 2023-11-12 | 1 | -5/+5 |
| | | | | | Had a hard time following what was happening when it did not specify which grant or token was being removed. | ||||
* | net.http: Set Connection header based on connection pool usage | Kim Alvefur | 2023-11-11 | 1 | -1/+8 |
| | | | | Connection: keep-alive is implicit in HTTP/1.1 but explicit > implicit | ||||
* | net.http: Add simple connection pooling | Kim Alvefur | 2023-11-11 | 1 | -1/+38 |
| | | | | | | | | | | | | | | This should speed up repeated requests to the same site by keeping their connections around and sending more requests on them. Sending multiple requests at the same time is not supported, instead a request started while another to the same authority is in progress would open a new one and the first one to complete would go back in the pool. This could be investigated in the future. Some http servers limit the number of requests per connection and this is not tested and could cause one request to fail, but hopefully it will close the connection and prevent it from being reused. | ||||
* | mod_storage_sql: Use UUIDv7 as keys | Kim Alvefur | 2023-07-17 | 1 | -1/+1 |
| | | | | | Potentially allows sorting on those directly as they will be in increasing order. | ||||
* | util.uuid: Add UUIDv7 | Kim Alvefur | 2021-08-15 | 2 | -0/+39 |
| | | | | | | | | | Allows sorting by id as a substitute for sorting by timestamp since it has the timestamp in the encoded in the first part, and only things that happen extremely close together may get out of order by such a sort, which might not matter. From draft-ietf-uuidrev-rfc4122bis formerly draft-peabody-dispatch-new-uuid-format | ||||
* | util.prosodyctl.check: Try to clarify check for misplaced k=v in ↵ | Kim Alvefur | 2023-11-11 | 1 | -2/+2 |
| | | | | modules_enabled (thanks aab and Menel) | ||||
* | doap: Update XEP-0359 version, no protocol changes | Kim Alvefur | 2023-11-11 | 1 | -1/+1 |
| | | | | Security considerations added, no protocol changes. | ||||
* | doap: Update XEP-0353 version, no change affecting server handling | Kim Alvefur | 2023-11-11 | 1 | -1/+1 |
| | |||||
* | doap: Update XEP-0313 version, only change align with current mod_mam behavior | Kim Alvefur | 2023-11-11 | 1 | -1/+1 |
| | |||||
* | doap: Update XEP-0045 version, only minor changes | Kim Alvefur | 2023-11-11 | 1 | -1/+1 |
| | |||||
* | util.startup: Attempt to bring some order to startup/shutdown with util.fsm | Matthew Wild | 2023-11-07 | 1 | -10/+41 |
| | |||||
* | .luacheckrc: Add module:could() | Matthew Wild | 2023-11-07 | 1 | -0/+1 |
| | |||||
* | moduleapi: may(): Support explicit actor_jid in context object | Matthew Wild | 2023-11-07 | 1 | -18/+24 |
| | |||||
* | mod_muc: Switch to module:could() for some implicit access control checks | Matthew Wild | 2023-11-07 | 1 | -2/+2 |
| | |||||
* | mod_muc: Allow guest users to list rooms by default | Matthew Wild | 2023-11-07 | 1 | -0/+3 |
| | |||||
* | mod_muc: Add :list-rooms permission | Matthew Wild | 2023-11-07 | 1 | -1/+5 |
| | |||||
* | mod_tokenauth: Fix saving grants after clearing expired tokens | Kim Alvefur | 2023-11-05 | 1 | -4/+4 |
| | | | | | Previously the whole grant was deleted if it found one expired toke, which was not indented. | ||||
* | mod_s2s_auth_certs: Remove LuaSec compat that moved to net.server | Kim Alvefur | 2023-11-04 | 1 | -6/+1 |
| | |||||
* | core.certmanager: Handle dane context setting same way on reload as on ↵ | Kim Alvefur | 2023-11-04 | 1 | -1/+7 |
| | | | | initialization | ||||
* | util.prosodyctl.check: Print DANE TLSA records for certificates | Kim Alvefur | 2023-11-03 | 1 | -0/+10 |
| | | | | Not the prosodyctl check dane I wanted to make but a start. | ||||
* | util.prosodyctl.check: Wrap each check in a function | Kim Alvefur | 2023-11-03 | 1 | -13/+29 |
| | | | | | | | One small refactor but one huge step in the right direction Mostly because adding another check would make the line checking for a valid check exceed the column limit. | ||||
* | muc.register: Clarify what's going on when enforcing nicknames | Kim Alvefur | 2023-11-03 | 1 | -0/+2 |
| | | | | Does this make it clearer what is going on? | ||||
* | util.datamanager: Clean up list index files on purge (i.e. user deletion) | Kim Alvefur | 2023-11-02 | 1 | -0/+2 |
| | |||||
* | mod_s2s: Automagically enable DANE for s2sin if 'use_dane' is enabled | Kim Alvefur | 2023-11-02 | 1 | -0/+6 |
| | | | | Simplifies configuration, only one already existing boolean to flip. | ||||
* | mod_s2s_auth_dane_in: DANE support for s2sin | Kim Alvefur | 2023-11-01 | 2 | -0/+115 |
| | | | | | Complements the DANE support for outgoing connections included in net.connect | ||||
* | migrator: Add mod_http_file_share example to config template | Kim Alvefur | 2023-11-01 | 1 | -0/+6 |
| | |||||
* | migrator: Update default config template with new stores | Kim Alvefur | 2023-11-01 | 1 | -0/+4 |
| | | | | | | * mod_authz_internal adds account_roles * mod_cron has its state * mod_smacks also has some non-critical state | ||||
* | core.certmanager: Tweak log level of message about SNI being required | Kim Alvefur | 2023-10-29 | 1 | -1/+1 |
| | | | | Everything supports SNI today, so this is not useful information. | ||||
* | mod_bosh: Include stream attributes in stream-features event | Matthew Wild | 2023-10-28 | 1 | -1/+1 |
| | | | | | This matches what mod_c2s does, and fixes a traceback in mod_sasl2_fast when used with BOSH (that module tries to use event.stream.from). | ||||
* | Merge 0.12->trunk | Kim Alvefur | 2023-10-27 | 1 | -1/+4 |
|\ | |||||
| * | core.certmanager: Validate that 'tls_profile' is one of the valid values | Kim Alvefur | 2023-10-27 | 1 | -1/+4 |
| | | | | | | | | A typo should not result in ending up with "legacy" | ||||
* | | mod_saslauth: Clear 'auto' from endpoint hash var, it's not a real hash ↵ | Matthew Wild | 2023-10-26 | 1 | -0/+1 |
| | | | | | | | | (thanks tmolitor) | ||||
* | | mod_saslauth, mod_c2s: Disable tls-server-end-point channel binding by default | Matthew Wild | 2023-10-26 | 2 | -14/+23 |
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This channel binding method is now enabled when a hash is manually set in the config, or it attempts to discover the hash automatically if the value is the special string "auto". A related change to mod_c2s prevents complicated certificate lookups in the client connection hot path - this work now happens only when this channel binding method is used. I'm not aware of anything else that uses ssl_cfg (vs ssl_ctx). Rationale for disabling by default: - Minor performance impact in automatic cert detection - This method is weak against a leaked/stolen private key (other methods such as 'tls-exporter' would not be compromised in such a case) Rationale for keeping the implementation: - For some deployments, this may be the only method available (e.g. due to TLS offloading in another process/server). | ||||
* | | mod_saslauth: Fix traceback in tls-server-end-point channel binding | Matthew Wild | 2023-10-26 | 1 | -3/+8 |
| | | |||||
* | | mod_admin_shell: Make 'Role' column dynamically sized | Kim Alvefur | 2023-10-26 | 1 | -1/+1 |
| | | | | | | | | | | | | | | Some of the new roles don't quite fit nicely into 4 characters (excluding ellipsis). Given the ability to dynamically add additional roles from the config and possibly from modules, it seems better to just make it a relative size since we can't know how long they will be. | ||||
* | | mod_saslauth: Actively close cert file after reading | Matthew Wild | 2023-10-24 | 1 | -0/+1 |
| | | | | | | | | Explicit > implicit | ||||
* | | mod_saslauth: Fix read format string (thanks tmolitor) | Matthew Wild | 2023-10-24 | 1 | -1/+1 |
| | | |||||
* | | mod_cron: Make task frequencies configurable in overly generic manner | Kim Alvefur | 2023-10-22 | 3 | -10/+10 |
| | | | | | | | | Requested feature for many modules, notably MAM and file sharing. | ||||
* | | mod_cron: Fix missing restore method in Teal record definition | Kim Alvefur | 2023-10-22 | 1 | -0/+1 |
| | | |||||
* | | CHANGES: Mention 'tls-server-end-point' | Kim Alvefur | 2023-10-22 | 1 | -0/+1 |
| | | |||||
* | | mod_saslauth: Get correct 'tls-server-end-point' with new LuaSec API | Kim Alvefur | 2022-10-23 | 1 | -12/+15 |
| | | | | | | | | | | | | MattJ contributed new APIs for retrieving the actually used certificate and chain to LuaSec, which are not in a release at the time of this commit. | ||||
* | | mod_c2s: Add session.ssl_cfg/ssl_ctx for direct TLS connections | Matthew Wild | 2022-09-07 | 1 | -0/+8 |
| | | |||||
* | | portmanager: Expose API to get at SSL/TLS config for a given interface/port | Matthew Wild | 2022-09-07 | 1 | -0/+8 |
| | |