aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Merge 13.0->trunkKim Alvefur2 days2-10/+46
|\
| * mod_storage_internal: Fix queries with only start returning extra itemsKim Alvefur2 days2-10/+46
| | | | | | | | | | | | | | | | | | | | Queries with start > last item would return one item, because there's some boundary condition in binary_search(). This is here fixed by always applying filters that omit items outside the requested range. See also 2374c7665d0b
* | Merge 13.0->trunkKim Alvefur5 days1-1/+1
|\|
| * mod_storage_sql: Retrieve all indices to see if the new one existsKim Alvefur5 days1-1/+1
| | | | | | | | Otherwise it warns about it being missing, even if it exists.
* | Merge 13.0->trunkMatthew Wild6 days1-2/+14
|\|
| * mod_invites_register: Stricter validation of registration eventsMatthew Wild6 days1-2/+14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This fixes two problems: 1) Account invites that were created with a specific username were not in fact restricted to that username. 2) Password reset invites were not restricted to resetting passwords, but could be used to create an arbitrary new account if the client or registration frontend (e.g. mod_invites_register_web) doesn't handle/enforce the username. This new validation ensures that registrations and resets are always for the username specified in the invitation.
* | Merge 13.0->trunkMatthew Wild6 days2-0/+16
|\|
| * prosodyctl check config: add recommendation to switch from admin_telnet to shellMatthew Wild6 days1-0/+6
| |
| * configmanager: Emit config warning when referencing non-existent valueMatthew Wild6 days1-0/+10
| |
* | Merge 13.0->trunkKim Alvefur7 days1-1/+1
|\|
| * mod_storage_sql: Mark unused argument as suchKim Alvefur7 days1-1/+1
| | | | | | | | Make `make lint` happy again
* | Merge 13.0->trunkKim Alvefur7 days2-19/+66
|\|
| * mod_storage_sql: Handle failure to deploy new UNIQUE indexKim Alvefur7 days1-4/+6
| | | | | | | | | | | | | | | | | | | | Somehow a user ended up with duplicate data preventing creation of the new unique index needed for UPSERT (see 3ec48555b773). This should eventually self-heal #1918 if the duplicate data is replaced by the older DELETE + INSERT method. Without any index at all, it will be slower.
| * mod_http: Log problems parsing IP addresses in X-Forwarded-For (Thanks Boris)Kim Alvefur7 days1-3/+11
| |
| * mod_http: Fix IP address normalization (Thanks Boris)Kim Alvefur7 days1-1/+1
| | | | | | | | | | | | | | | | | | | | This fixes the problem that an un-bracketed IPv6 address will not match the first pattern (since it matches brackets) and instead the first decimal digits will match the pattern meant to strip port numbers from IPv4 addresses, e.g. 2001:db8::1 --> 2000 This pattern instead matches enough of a regular IPv4 address to make an IPv6 address fall back to the last case.
| * mod_storage_sql: Add shell command to create tables and indices (again)Kim Alvefur7 days1-0/+33
| | | | | | | | | | | | | | This is meant as a way to diagnose e.g. issues creating indices. It would have been nice to capture e.g. PostgreSQL notices, but LuaDBI would need support for this first, see https://github.com/mwild1/luadbi/issues/62
| * mod_storage_sql: Delay showing SQL library error until attempted loadKim Alvefur9 days1-13/+17
| | | | | | | | | | | | | | This should ensure that e.g. failure to load LuaSQLite3 is not logged unless it is needed, since module failures are very verbose. Closes #1919
* | Merge 13.0->trunkMatthew Wild7 days5-33/+131
|\|
| * prosodyctl check config: List modules which Prosody cannot successfully loadMatthew Wild7 days1-0/+19
| |
| * modulemanager, util.pluginloader: Improve error message when load fails but ↵Matthew Wild7 days2-32/+47
| | | | | | | | some candidates were filtered
| * mod_admin_shell: Add role:list() and role:show() commandsMatthew Wild12 days1-0/+60
| |
| * mod_authz_internal: Improve error message when invalid role specifiedMatthew Wild12 days1-1/+5
| |
* | Merge 13.0->trunkMatthew Wild13 days0-0/+0
|\|
| * Added tag 13.0.1 for changeset e78e79f1b5f5Matthew Wild13 days0-0/+0
| |
* | Merge 13.0->trunkMatthew Wild13 days3-3/+14
|\|
| * mod_admin_shell: Visual tweaks to the output of debug:cert_index()13.0.1Matthew Wild13 days1-2/+9
| |
| * .luacheckrc: Ignore config files in spec/tlsMatthew Wild13 days1-0/+5
| |
| * certmanager: Remove obsolete index log (replaced by shell command)Matthew Wild13 days1-1/+0
| | | | | | | | | | This information can now be retrieved on-demand using the debug:cert_index() command, so we don't need to log it after every scan (it is rather verbose).
* | Merge 13.0->trunkMatthew Wild13 days2-1/+55
|\|
| * mod_admin_shell: Add debug:cert_index() commandMatthew Wild13 days1-0/+50
| |
| * certmanager: Improve logging for all cases where certs are skippedMatthew Wild13 days1-1/+5
| |
* | Merge 13.0->trunkMatthew Wild13 days13-0/+237
|\|
| * spec/tls: Add TLS/certificate integration testsMatthew Wild13 days13-0/+237
| | | | | | | | | | | | These tests help to verify that various configurations translate into the expected running TLS setups. Specifically right now we are checking the correct certificate is served.
* | Merge 13.0->trunkMatthew Wild13 days1-1/+3
|\|
| * portmanager: Add debug log message to state which certificate we end up usingMatthew Wild13 days1-0/+1
| |
| * portmanager: Take automatic cert selection into account when setting SNI certMatthew Wild13 days1-1/+2
| | | | | | | | | | This fixes (another) issue with the fix in 4ea7bd7325be, where it no longer checked the automatic cert index for an appropriate certificate.
* | Merge 13.0->trunkMatthew Wild14 days1-1/+1
|\|
| * prosodyctl check certs: Use correct hostname in warning message about HTTPSMatthew Wild14 days1-1/+1
| |
* | Merge 13.0->trunkKim Alvefur14 days1-1/+1
|\|
| * net.server_epoll: Use correct connection timeout when initiating Direct TLSKim Alvefur14 days1-1/+1
| | | | | | | | | | Otherwise it takes a lot longer to time out Direct TLS connections than TCP / STARTTLS connections.
* | Merge 13.0->trunkMatthew Wild14 days1-1/+1
|\|
| * portmanager: Use alternate host (if any) for SNI (many thanks Zaak!)Matthew Wild14 days1-1/+1
| | | | | | | | | | This was an oversight in the fix for #1915 in commit 4ea7bd7325be (though it seems commit 7e9ebdc75ce4 was the first to introduce this bug).
* | Merge 13.0->trunkKim Alvefur2025-04-012-10/+17
|\|
| * mod_tls: Collect full certificate chain validation informationKim Alvefur2025-04-011-1/+2
| | | | | | | | | | | | Enabling at least one of the ssl.verifyext modes enables a callback that collects all the errors, which are used by mod_s2s to report better problem descriptions.
| * mod_s2s: Handle single message from chain validationKim Alvefur2025-04-011-9/+15
| | | | | | | | | | | | Setting ssl.verifyext enables a callback that collects all errors from every layer of the certificate chain. Otherwise a single string is returned, which we did not handle before.
* | Merge 13.0->trunkKim Alvefur2025-04-013-2/+6
|\|
| * mod_s2s: Deal with OpenSSL changing spelling in stringsKim Alvefur2025-04-011-1/+1
| | | | | | | | https://github.com/openssl/openssl/commit/ade08735f9d0ac85d611c5abee8a1df651bbca13
| * mod_tls: Enable Prosody's certificate checking for incoming s2s connections ↵Matthew Wild2025-04-011-1/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | (fixes #1916) (thanks Damian, Zash) Various options in Prosody allow control over the behaviour of the certificate verification process For example, some deployments choose to allow falling back to traditional "dialback" authentication (XEP-0220), while others verify via DANE, hard-coded fingerprints, or other custom plugins. Implementing this flexibility requires us to override OpenSSL's default certificate verification, to allow Prosody to verify the certificate itself, apply custom policies and make decisions based on the outcome. To enable our custom logic, we have to suppress OpenSSL's default behaviour of aborting the connection with a TLS alert message. With LuaSec, this can be achieved by using the verifyext "lsec_continue" flag. We also need to use the lsec_ignore_purpose flag, because XMPP s2s uses server certificates as "client" certificates (for mutual TLS verification in outgoing s2s connections). Commit 99d2100d2918 moved these settings out of the defaults and into mod_s2s, because we only really need these changes for s2s, and they should be opt-in, rather than automatically applied to all TLS services we offer. That commit was incomplete, because it only added the flags for incoming direct TLS connections. StartTLS connections are handled by mod_tls, which was not applying the lsec_* flags. It previously worked because they were already in the defaults. This resulted in incoming s2s connections with "invalid" certificates being aborted early by OpenSSL, even if settings such as `s2s_secure_auth = false` or DANE were present in the config. Outgoing s2s connections inherit verify "none" from the defaults, which means OpenSSL will receive the cert but will not terminate the connection when it is deemed invalid. This means we don't need lsec_continue there, and we also don't need lsec_ignore_purpose (because the remote peer is a "server"). Wondering why we can't just use verify "none" for incoming s2s? It's because in that mode, OpenSSL won't request a certificate from the peer for incoming connections. Setting verify "peer" is how you ask OpenSSL to request a certificate from the client, but also what triggers its built-in verification.
| * prosodyctl: Fix spacing in warning messageMatthew Wild2025-04-011-0/+1
| |
* | Merge 13.0->trunkKim Alvefur2025-03-311-1/+1
|\|
generated by cgit v1.2.3 (git 2.25.1) at 2025-04-16 13:51:58 +0000