Commit message | Author | Age | Files | Lines
---|---|---|---|---
core.certmanager: Presets based on Mozilla SSL Configuration Generator. `ssl_preset = "modern"` | Kim Alvefur | 2019-12-22 | 1 | -0/+60
core.certmanager: Support 'use_dane' setting to enable DANE support. Removes the need to enable DANE with two separate settings. Previously you had to also set `ssl = { dane = true }` to activate DANE support in LuaSec and OpenSSL. | Kim Alvefur | 2021-07-18 | 1 | -0/+2
core.certmanager: Skip service certificate lookup for https client. Quick Fix™ to prevent certmanager from automatically adding a client certificate for net.http.request, since this normally does not require such. | Kim Alvefur | 2021-05-27 | 1 | -1/+2
Merge 0.11->trunk | Matthew Wild | 2021-05-13 | 1 | -9/+12
certmanager: Disable renegotiation by default. This requires LuaSec 0.7+ and OpenSSL 1.1.1+ | Matthew Wild | 2021-05-11 | 1 | -0/+2
core.certmanager: Test for SSL options in absence of LuaSec config | Kim Alvefur | 2021-04-26 | 1 | -5/+9
core.certmanager: Attempt to directly access LuaSec config table. Due to a bug this field was not properly exported before. See https://github.com/brunoos/luasec/issues/149 | Kim Alvefur | 2021-04-26 | 1 | -1/+1
core.certmanager: Move EECDH ciphers before EDH in default cipherstring (fixes #1513). Backport of 94e341dee51c. The original intent of having kEDH before kEECDH was that if a `dhparam` file was specified, this would be interpreted as a preference by the admin for old and well-tested Diffie-Hellman key agreement over newer elliptic curve ones. Otherwise the faster elliptic curve ciphersuites would be preferred. This didn't really work as intended since this affects the ClientHello on outgoing s2s connections, leading to some servers using poorly configured kEDH. With Debian shipping OpenSSL settings that enforce a higher security level, this caused interoperability problems with servers that use DH params smaller than 2048 bits. E.g. jabber.org at the time of this writing has 1024 bit DH params. MattJ says: "Curves have won, and OpenSSL is less weird about them now" | Kim Alvefur | 2019-08-25 | 1 | -1/+1
core.certmanager: Catch error from lfs. lfs.dir() throws a hard error if there's a problem, e.g. no such directory or permission issues. This also gets called early enough that the main loop error protection hasn't been brought up yet, causing a proper crash. | Kim Alvefur | 2021-05-07 | 1 | -1/+11
core.certmanager: Resolve certs path relative to config dir. Otherwise the default "certs" would be relative to $PWD, which works when testing from a source checkout, but not on installed systems where it usually points to the data directory. Also, the LuaFileSystem dir() iterator throws a hard error, which may cause a crash or other problems. | Kim Alvefur | 2021-05-07 | 1 | -3/+3
core.certmanager: Skip directly to guessing of key from cert filename. Cuts down on a ton of debug logs. | Kim Alvefur | 2021-05-05 | 1 | -2/+17
core.certmanager: Join paths with OS-aware util.paths function. Right thing to do, rather than hardcoding '/'. | Kim Alvefur | 2021-05-05 | 1 | -2/+3
core.certmanager: Build an index over certificates | Kim Alvefur | 2021-04-10 | 1 | -0/+79
core.certmanager: Check for complete filename. Prevents a false positive match on files with fullchain.pem as suffix. | Kim Alvefur | 2021-04-10 | 1 | -1/+1
core.certmanager: Add comments explaining the 'verifyext' TLS settings. Thanks to debacle for reminding me, in the context of mod_auth_ccert. I wonder if we still need lsec_ignore_purpose; Let's Encrypt seems to include both client and server purposes in certs. | Kim Alvefur | 2021-02-06 | 1 | -1/+4
core.certmanager: Add TODO about LuaSec issue | Kim Alvefur | 2020-06-07 | 1 | -0/+3
Merge 0.11->trunk | Kim Alvefur | 2020-04-10 | 1 | -6/+8
core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526). This makes `prosodyctl cert import example.com /path/to/example.com/fullchain.pem` work. This was never intended to, yet users commonly tried this and got problems. | Kim Alvefur | 2020-04-10 | 1 | -6/+8
core.portmanager: Fix TLS context inheritance for SNI hosts (completes SNI support) | Kim Alvefur | 2019-11-29 | 1 | -0/+1
core.certmanager: Lower severity for tls config not having cert. This is needed for SNI where certificates are in separate per-hostname contexts, not the main one. If there is a cert, it will still require a corresponding key. | Kim Alvefur | 2019-09-07 | 1 | -2/+4
core.certmanager: Remove unused import [luacheck] | Kim Alvefur | 2019-08-25 | 1 | -1/+0
Remove COMPAT with temporary luasec fork. The changes in the temporary fork were merged into mainline luasec ca 2013 and included in the 0.5 release in 2014. | Kim Alvefur | 2019-08-25 | 1 | -7/+0
core.certmanager: Move EECDH ciphers before EDH in default cipherstring. The original intent of having kEDH before kEECDH was that if a `dhparam` file was specified, this would be interpreted as a preference by the admin for old and well-tested Diffie-Hellman key agreement over newer elliptic curve ones. Otherwise the faster elliptic curve ciphersuites would be preferred. This didn't really work as intended since this affects the ClientHello on outgoing s2s connections, leading to some servers using poorly configured kEDH. With Debian shipping OpenSSL settings that enforce a higher security level, this caused interoperability problems with servers that use DH params smaller than 2048 bits. E.g. jabber.org at the time of this writing has 1024 bit DH params. MattJ says: "Curves have won, and OpenSSL is less weird about them now" | Kim Alvefur | 2019-08-25 | 1 | -1/+1
core.certmanager: Do not ask for client certificates by default. Since it's mostly only mod_s2s that needs to request client certificates, it makes some sense to have mod_s2s ask for this, instead of having e.g. mod_http ask to disable it. | Kim Alvefur | 2019-03-10 | 1 | -1/+1
Merge 0.10->trunk | Kim Alvefur | 2018-05-25 | 1 | -1/+1
core.certmanager: Allow all non-whitespace in service name (fixes #1019) | Kim Alvefur | 2018-05-25 | 1 | -1/+1
various: Add annotation when an empty environment is set [luacheck] | Kim Alvefur | 2018-02-28 | 1 | -0/+1
certmanager: Check for missing certificate before key in configuration (should be marginally less confusing) | Kim Alvefur | 2017-12-28 | 1 | -1/+1
certmanager: Set single curve conditioned on LuaSec advertising EC crypto support | Kim Alvefur | 2017-11-20 | 1 | -1/+1
certmanager: Filter out curves not supported by LuaSec | Kim Alvefur | 2017-11-20 | 1 | -0/+12
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7 | Kim Alvefur | 2017-11-20 | 1 | -13/+20
core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1 | Kim Alvefur | 2017-09-27 | 1 | -0/+6
prosodyctl: cert import: Reuse function from certmanager for locating certificates and keys | Kim Alvefur | 2017-09-27 | 1 | -0/+1
certmanager: Add debug logging (thanks av6) | Matthew Wild | 2017-09-23 | 1 | -0/+4
certmanager: Update the 'certificates' option after the config has been reloaded (fixes #929) | Kim Alvefur | 2017-06-01 | 1 | -0/+1
core.certmanager: Translate "no start line" to something friendlier (thanks santiago) | Kim Alvefur | 2016-11-26 | 1 | -0/+5
core.certmanager: Split cipher list into array with comments explaining each part | Kim Alvefur | 2016-09-12 | 1 | -1/+10
certmanager: Assume default config path of '.' (fixes prosodyctl check certs when not installed) | Kim Alvefur | 2016-07-29 | 1 | -1/+1
certmanager: Explicitly tonumber() version number segments before doing arithmetic and avoid relying on implicit coercion (thanks David Favro) | Matthew Wild | 2016-03-26 | 1 | -1/+1
certmanager: Localize tonumber | Matthew Wild | 2016-02-18 | 1 | -1/+1
certmanager: Try filename.key if certificate is set to a full filename ending with .crt | Kim Alvefur | 2016-02-05 | 1 | -3/+2
certmanager: Apply global ssl config later so certificate/key is not overwritten by magic | Kim Alvefur | 2016-02-05 | 1 | -1/+1
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614) | Matthew Wild | 2016-02-05 | 1 | -6/+23
core.certmanager: Look for certificate and key in a few different places | Kim Alvefur | 2016-02-03 | 1 | -0/+28
core.certmanager: Remove non-string filenames (allows setting e.g. capath to false to disable the built-in default) | Kim Alvefur | 2015-10-11 | 1 | -0/+2
core.*: Remove use of module() function | Kim Alvefur | 2015-02-21 | 1 | -4/+7
certmanager: Fix compat for MattJ's old LuaSec fork | Kim Alvefur | 2015-02-05 | 1 | -1/+1
certmanager: Fix previous commit | Kim Alvefur | 2015-02-05 | 1 | -1/+1
certmanager: Limit certificate chain depth to 9 | Kim Alvefur | 2015-02-05 | 1 | -0/+1
certmanager: Options that appear to be available since LuaSec 0.2 | Kim Alvefur | 2015-02-05 | 1 | -3/+3