path: root/core/certmanager.lua
Columns: Commit message, Author, Age, Files, Lines

* core.certmanager: Include ffdhe2048 from RFC 7919 as default DH param
  Kim Alvefur, 2024-07-12, 1 file, -1/+13
  This removes one manual (yet undocumented) step that was supposed to be done to get a complete 'intermediate' configuration. This file can be found on the Internet by searching for "ffdhe2048" and can be verified by comparing the hexadecimal representation of p from the RFC with the output of `openssl asn1parse`. Given the preference and prevalence of ECDHE, it seems likely that few would have noticed this.

* core.certmanager: Handle dane context setting same way on reload as on initialization
  Kim Alvefur, 2023-11-04, 1 file, -1/+7

* core.certmanager: Tweak log level of message about SNI being required
  Kim Alvefur, 2023-10-29, 1 file, -1/+1
  Everything supports SNI today, so this is not useful information.

* Merge 0.12->trunk
  Kim Alvefur, 2023-10-27, 1 file, -1/+4

* core.certmanager: Validate that 'tls_profile' is one of the valid values
  Kim Alvefur, 2023-10-27, 1 file, -1/+4
  A typo should not result in ending up with "legacy"

* Merge 0.12->trunk
  Kim Alvefur, 2023-07-10, 1 file, -1/+2

* core.certmanager: Update Mozilla TLS config to version 5.7
  Kim Alvefur, 2023-07-09, 1 file, -1/+2
  Ref https://github.com/mozilla/server-side-tls/issues/285

* net.tls_luasec: Expose method for loading a certificate
  Kim Alvefur, 2023-05-27, 1 file, -2/+1
  Further isolates LuaSec from Prosody core, with the ultimate goal of allowing LuaSec to be replaced more easily.

* net.certmanager: Move LuaSec feature detection to net.tls_luasec
  Kim Alvefur, 2023-05-27, 1 file, -35/+12
  Further isolates LuaSec from Prosody core, with the ultimate goal of allowing LuaSec to be replaced more easily.

* core: Prefix module imports with prosody namespace
  Kim Alvefur, 2023-03-17, 1 file, -5/+5

* Merge 0.12->trunk
  Kim Alvefur, 2022-05-16, 1 file, -2/+2

* core.certmanager: Expand debug messages about cert lookups in index
  Kim Alvefur, 2022-05-16, 1 file, -2/+2
  Answers my recurring question of
  > Using cert "certs/example.com.crt" from index
  ... for what?

* net: refactor sslconfig to not depend on LuaSec
  Jonas Schäfer, 2022-04-02, 1 file, -1/+1
  This now requires that the network backend exposes a tls_builder function, which essentially wraps the former util.sslconfig.new() function, passing a factory to create the eventual SSL context. That allows a net.server backend to pick whatever it likes as SSL context factory, as long as it understands the config table passed by the SSL config builder. Heck, a backend could even mock and replace the entire SSL config builder API.

* net: isolate LuaSec-specifics
  Jonas Schäfer, 2022-04-27, 1 file, -33/+1
  For this, various accessor functions are now provided directly on the sockets, which reach down into the LuaSec implementation to obtain the information. While this may seem of little gain at first, it hides the implementation detail of the LuaSec+LuaSocket combination that the actual socket and the TLS layer are separate objects. The net gain here is that an alternative implementation does not have to emulate that specific implementation detail and "only" has to expose LuaSec-compatible data structures on the new functions.
* Merge config-updates+check-turn from timber
  Matthew Wild, 2022-03-04, 1 file, -13/+3

* core.certmanager: Turn soft dependency on LuaSec into a hard
  Kim Alvefur, 2022-02-10, 1 file, -13/+3
  The default network backend server_epoll already requires LuaSec so Prosody won't even start without it, so we can get rid of these lines here too.

* core.certmanager: Ensure key exists for fullchain
  Kim Alvefur, 2022-02-21, 1 file, -1/+1
  Since 5cd075ed4fd3 any file matching "fullchain" would be considered for use. Dehydrated stores fullchain certs in e.g. fullchain-1641171024.pem and a symlink fullchain.pem pointing at the latest one. However the current rule for finding a corresponding private key would try privkey-1641171024.pem in the same directory, which may not exist.

* core.certmanager: Relax certificate filename check #1713
  Kim Alvefur, 2022-02-14, 1 file, -8/+2
  After a survey of ACME clients it seems *.crt and *fullchain* should work for the majority. The rest get to manually copy their files.

* core.certmanager: Use 'tls_profile' instead of 'tls_preset' to match documentation
  Kim Alvefur, 2022-01-18, 1 file, -3/+3
  Confusion! Thanks Martin

* core.certmanager: Apply TLS preset before global settings (thanks Menel)
  Kim Alvefur, 2022-01-18, 1 file, -1/+1
  Allows overriding settings via the global 'ssl' settings as before. This order was probably accidental. That said, 'ssl' is a giant footgun we will want to discourage use of.

* core.certmanager: Disable DANE name checks (not needed for XMPP)
  Kim Alvefur, 2021-09-16, 1 file, -1/+1
  Pending https://github.com/brunoos/luasec/pull/179
  Should not be done globally, but rather only for s2sout, but that would have to be in mod_tls then.

* core.certmanager: Add curveslist to 'old' Mozilla TLS preset
  Kim Alvefur, 2021-12-26, 1 file, -1/+2
  Unsure if this was overlooked before or a recent addition. Reproduced the data from the JSON file available. Would be nice to have a tool that does that.

* core.certmanager: Check index for wildcard certs
  Kim Alvefur, 2021-12-22, 1 file, -1/+2

* prosodyctl cert: use the indexing functions for better UX
  Jonas Schäfer, 2021-12-21, 1 file, -6/+14
  These provide (a) a way to deal with random assortments of certs and (b) avoid unnecessary error messages and warnings, according to #1669 anyway, which this fixes.

* core.certmanager: Rename preset option to 'tls_preset'
  Kim Alvefur, 2021-12-22, 1 file, -1/+1
  TLS good, SSL bad.

* core.certmanager: Add "legacy" preset for keeping previous default settings
  Kim Alvefur, 2021-12-22, 1 file, -1/+3
  If anyone wants that.

* core.certmanager: Add TLS 1.3 cipher suites to Mozilla TLS presets
  Kim Alvefur, 2021-11-03, 1 file, -1/+7

* core.certmanager: Presets based on Mozilla SSL Configuration Generator
  Kim Alvefur, 2019-12-22, 1 file, -0/+60
  ssl_preset = "modern"

* core.certmanager: Support 'use_dane' setting to enable DANE support
  Kim Alvefur, 2021-07-18, 1 file, -0/+2
  Removes the need to enable DANE with two separate settings. Previously you had to also set `ssl = { dane = true }` to activate DANE support in LuaSec and OpenSSL.

* core.certmanager: Skip service certificate lookup for https client
  Kim Alvefur, 2021-05-27, 1 file, -1/+2
  Quick Fix™ to prevent certmanager from automatically adding a client certificate for net.http.request, since this normally does not require such.
* Merge 0.11->trunk
  Matthew Wild, 2021-05-13, 1 file, -9/+12

* certmanager: Disable renegotiation by default
  Matthew Wild, 2021-05-11, 1 file, -0/+2
  This requires LuaSec 0.7+ and OpenSSL 1.1.1+

* core.certmanager: Test for SSL options in absence of LuaSec config
  Kim Alvefur, 2021-04-26, 1 file, -5/+9

* core.certmanager: Attempt to directly access LuaSec config table
  Kim Alvefur, 2021-04-26, 1 file, -1/+1
  Due to a bug this field was not properly exported before
  See https://github.com/brunoos/luasec/issues/149

* core.certmanager: Move EECDH ciphers before EDH in default cipherstring (fixes #1513)
  Kim Alvefur, 2019-08-25, 1 file, -1/+1
  Backport of 94e341dee51c
  The original intent of having kEDH before kEECDH was that if a `dhparam` file was specified, this would be interpreted as a preference by the admin for old and well-tested Diffie-Hellman key agreement over newer elliptic curve ones. Otherwise the faster elliptic curve ciphersuites would be preferred. This didn't really work as intended since this affects the ClientHello on outgoing s2s connections, leading to some servers using poorly configured kEDH. With Debian shipping OpenSSL settings that enforce a higher security level, this caused interoperability problems with servers that use DH params smaller than 2048 bits. E.g. jabber.org at the time of this writing has 1024 bit DH params.
  MattJ says
  > Curves have won, and OpenSSL is less weird about them now

* core.certmanager: Catch error from lfs
  Kim Alvefur, 2021-05-07, 1 file, -1/+11
  lfs.dir() throws a hard error if there's a problem, e.g. no such directory or permission issues. This also gets called early enough that the main loop error protection hasn't been brought up yet, causing a proper crash.

* core.certmanager: Resolve certs path relative to config dir
  Kim Alvefur, 2021-05-07, 1 file, -3/+3
  Otherwise the default "certs" would be relative to $PWD, which works when testing from a source checkout, but not on installed systems where it usually points to the data directory. Also, the LuaFileSystem dir() iterator throws a hard error, which may cause a crash or other problems.

* core.certmanager: Skip directly to guessing of key from cert filename
  Kim Alvefur, 2021-05-05, 1 file, -2/+17
  Cuts down on a ton of debug logs

* core.certmanager: Join paths with OS-aware util.paths function
  Kim Alvefur, 2021-05-05, 1 file, -2/+3
  Right thing to do, rather than hardcoding '/'

* core.certmanager: Build an index over certificates
  Kim Alvefur, 2021-04-10, 1 file, -0/+79

* core.certmanager: Check for complete filename
  Kim Alvefur, 2021-04-10, 1 file, -1/+1
  Prevents a false positive match on files with fullchain.pem as suffix

* core.certmanager: Add comments explaining the 'verifyext' TLS settings
  Kim Alvefur, 2021-02-06, 1 file, -1/+4
  Thanks to debacle for reminding me, in the context of mod_auth_ccert
  I wonder if we still need lsec_ignore_purpose, Let's Encrypt seems to include both client and server purposes in certs.

* core.certmanager: Add TODO about LuaSec issue
  Kim Alvefur, 2020-06-07, 1 file, -0/+3

* Merge 0.11->trunk
  Kim Alvefur, 2020-04-10, 1 file, -6/+8

* core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
  Kim Alvefur, 2020-04-10, 1 file, -6/+8
  This makes `prosodyctl cert import example.com /path/to/example.com/fullchain.pem` work. This was never intended to, yet users commonly tried this and got problems.

* core.portmanager: Fix TLS context inheritance for SNI hosts (completes SNI support)
  Kim Alvefur, 2019-11-29, 1 file, -0/+1

* core.certmanager: Lower severity for tls config not having cert
  Kim Alvefur, 2019-09-07, 1 file, -2/+4
  This is needed for SNI where certificates are in separate per-hostname contexts, not the main one. If there is a cert, it will still require a corresponding key.

* core.certmanager: Remove unused import [luacheck]
  Kim Alvefur, 2019-08-25, 1 file, -1/+0

* Remove COMPAT with temporary luasec fork
  Kim Alvefur, 2019-08-25, 1 file, -7/+0
  The changes in the temporary fork were merged into mainline luasec ca 2013 and included in the 0.5 release in 2014.

* core.certmanager: Move EECDH ciphers before EDH in default cipherstring
  Kim Alvefur, 2019-08-25, 1 file, -1/+1
  The original intent of having kEDH before kEECDH was that if a `dhparam` file was specified, this would be interpreted as a preference by the admin for old and well-tested Diffie-Hellman key agreement over newer elliptic curve ones. Otherwise the faster elliptic curve ciphersuites would be preferred. This didn't really work as intended since this affects the ClientHello on outgoing s2s connections, leading to some servers using poorly configured kEDH. With Debian shipping OpenSSL settings that enforce a higher security level, this caused interoperability problems with servers that use DH params smaller than 2048 bits. E.g. jabber.org at the time of this writing has 1024 bit DH params.
  MattJ says
  > Curves have won, and OpenSSL is less weird about them now