| Commit message | Author | Date | Files | Lines |
|---|---|---|---|---|
| core.certmanager: Move EECDH ciphers before EDH in default cipherstring. The original intent of having kEDH before kEECDH was that if a `dhparam` file was specified, this would be interpreted as a preference by the admin for old and well-tested Diffie-Hellman key agreement over newer elliptic curve ones. Otherwise the faster elliptic curve ciphersuites would be preferred. This didn't really work as intended since this affects the ClientHello on outgoing s2s connections, leading to some servers using poorly configured kEDH. With Debian shipping OpenSSL settings that enforce a higher security level, this caused interoperability problems with servers that use DH params smaller than 2048 bits. E.g. jabber.org at the time of this writing has 1024 bit DH params. MattJ says: "Curves have won, and OpenSSL is less weird about them now" | Kim Alvefur | 2019-08-25 | 1 | -1/+1 |
| core.certmanager: Do not ask for client certificates by default. Since it's mostly only mod_s2s that needs to request client certificates it makes some sense to have mod_s2s ask for this, instead of having e.g. mod_http ask to disable it. | Kim Alvefur | 2019-03-10 | 1 | -1/+1 |
| Merge 0.10->trunk | Kim Alvefur | 2018-05-25 | 1 | -1/+1 |
| core.certmanager: Allow all non-whitespace in service name (fixes #1019) | Kim Alvefur | 2018-05-25 | 1 | -1/+1 |
| various: Add annotation when an empty environment is set [luacheck] | Kim Alvefur | 2018-02-28 | 1 | -0/+1 |
| certmanager: Check for missing certificate before key in configuration (should be marginally less confusing) | Kim Alvefur | 2017-12-28 | 1 | -1/+1 |
| certmanager: Set single curve conditioned on LuaSec advertising EC crypto support | Kim Alvefur | 2017-11-20 | 1 | -1/+1 |
| certmanager: Filter out curves not supported by LuaSec | Kim Alvefur | 2017-11-20 | 1 | -0/+12 |
| certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7 | Kim Alvefur | 2017-11-20 | 1 | -13/+20 |
| core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1 | Kim Alvefur | 2017-09-27 | 1 | -0/+6 |
| prosodyctl: cert import: Reuse function from certmanager for locating certificates and keys | Kim Alvefur | 2017-09-27 | 1 | -0/+1 |
| certmanager: Add debug logging (thanks av6) | Matthew Wild | 2017-09-23 | 1 | -0/+4 |
| certmanager: Update the 'certificates' option after the config has been reloaded (fixes #929) | Kim Alvefur | 2017-06-01 | 1 | -0/+1 |
| core.certmanager: Translate "no start line" to something friendlier (thanks santiago) | Kim Alvefur | 2016-11-26 | 1 | -0/+5 |
| core.certmanager: Split cipher list into array with comments explaining each part | Kim Alvefur | 2016-09-12 | 1 | -1/+10 |
| certmanager: Assume default config path of '.' (fixes prosodyctl check certs when not installed) | Kim Alvefur | 2016-07-29 | 1 | -1/+1 |
| certmanager: Explicitly tonumber() version number segments before doing arithmetic and avoid relying on implicit coercion (thanks David Favro) | Matthew Wild | 2016-03-26 | 1 | -1/+1 |
| certmanager: Localize tonumber | Matthew Wild | 2016-02-18 | 1 | -1/+1 |
| certmanager: Try filename.key if certificate is set to a full filename ending with .crt | Kim Alvefur | 2016-02-05 | 1 | -3/+2 |
| certmanager: Apply global ssl config later so certificate/key is not overwritten by magic | Kim Alvefur | 2016-02-05 | 1 | -1/+1 |
| certmanager: Support new certificate configuration for non-XMPP services too (fixes #614) | Matthew Wild | 2016-02-05 | 1 | -6/+23 |
| core.certmanager: Look for certificate and key in a few different places | Kim Alvefur | 2016-02-03 | 1 | -0/+28 |
| core.certmanager: Remove non-string filenames (allows setting e.g. capath to false to disable the built-in default) | Kim Alvefur | 2015-10-11 | 1 | -0/+2 |
| core.*: Remove use of module() function | Kim Alvefur | 2015-02-21 | 1 | -4/+7 |
| certmanager: Fix compat for MattJ's old LuaSec fork | Kim Alvefur | 2015-02-05 | 1 | -1/+1 |
| certmanager: Fix previous commit | Kim Alvefur | 2015-02-05 | 1 | -1/+1 |
| certmanager: Limit certificate chain depth to 9 | Kim Alvefur | 2015-02-05 | 1 | -0/+1 |
| certmanager: Options that appear to be available since LuaSec 0.2 | Kim Alvefur | 2015-02-05 | 1 | -3/+3 |
| certmanager: Improve "detection" of features that depend on LuaSec version | Kim Alvefur | 2015-02-05 | 1 | -11/+15 |
| certmanager: Add locals for ssl.context and ssl.x509 | Kim Alvefur | 2015-02-05 | 1 | -3/+5 |
| certmanager: Early return from the entire module if LuaSec is unavailable | Kim Alvefur | 2015-02-05 | 1 | -12/+18 |
| certmanager: Make global variable access explicit | Matthew Wild | 2015-01-20 | 1 | -1/+1 |
| certmanager, mod_tls: Return final ssl config as third return value (fix for c6caaa440e74, portmanager assumes non-falsy second return value is an error) (thanks deoren) | Kim Alvefur | 2014-11-22 | 1 | -3/+1 |
| certmanager: Return final ssl config along with ssl context on success | Kim Alvefur | 2014-11-19 | 1 | -1/+3 |
| core.certmanager: Make create_context() support an arbitrary number of option sets, merging all | Kim Alvefur | 2014-07-03 | 1 | -3/+6 |
| core.certmanager: Use util.sslconfig | Kim Alvefur | 2014-07-03 | 1 | -71/+14 |
| core.certmanager, core.moduleapi, mod_storage_sql, mod_storage_sql2: Import from util.paths | Kim Alvefur | 2014-05-09 | 1 | -1/+1 |
| certmanager: Move ssl.protocol handling to after ssl.options is a table (thanks Ralph) | Kim Alvefur | 2014-04-21 | 1 | -8/+9 |
| certmanager: Fix traceback if no global 'ssl' section set (thanks albert) | Kim Alvefur | 2014-04-20 | 1 | -1/+3 |
| certmanager: Update ssl_compression when config is reloaded | Kim Alvefur | 2014-04-15 | 1 | -0/+3 |
| certmanager: Reformat core ssl defaults | Kim Alvefur | 2014-04-15 | 1 | -9/+9 |
| certmanager: Support ssl.protocol syntax like "tlsv1+" that disables older protocols | Kim Alvefur | 2014-04-15 | 1 | -2/+13 |
| certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost | Kim Alvefur | 2014-04-15 | 1 | -0/+29 |
| certmanager: Wrap long line and add comment | Kim Alvefur | 2014-04-14 | 1 | -1/+5 |
| certmanager: Concatenate cipher list if given as a table | Kim Alvefur | 2014-04-14 | 1 | -0/+6 |
| certmanager: Allow non-server contexts to be without certificate and key | Kim Alvefur | 2014-04-14 | 1 | -2/+4 |
| certmanager: Check for non-nil values instead of true-ish values, allows removing defaults | Kim Alvefur | 2014-04-14 | 1 | -2/+3 |
| Merge 0.9->0.10 | Matthew Wild | 2013-11-21 | 1 | -1/+1 |
| certmanager: Further cipher string tweaking. Re-enable ciphers required for DSA and ECDH certs/keys. | Matthew Wild | 2013-11-21 | 1 | -1/+1 |
| Back out 1b0ac7950129, as SSLv3 appears to still be in moderate use on the network. Also, although obsolete, SSLv3 isn't documented to have any weaknesses that TLS 1.0 (the most common version used today) doesn't also have. Get your act together, clients! | Matthew Wild | 2013-11-12 | 1 | -1/+1 |