| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
| |
This isn't actually used in Prosody, so no value in complicating the
real main loop because of it
|
|
|
|
| |
Will be useful even later...
|
|
|
|
| |
Will be useful later.
|
|
|
|
|
|
|
|
|
| |
The order of checks led to Bogus results being reported with a generic
"unable to resolve service". This had no practical effects as such
results are simply empty and the process would stop there.
Tested by attempting to establish s2s with dnssec-bogus.sg and observing
the error reply.
|
| |
|
|
|
|
| |
Thanks MattJ
|
|
|
|
| |
Gotta have the DOAP references!
|
|
|
|
|
|
| |
See https://www.ietf.org/blog/finalizing-ietf-tools-transition/
Already done in various other places.
|
|
|
|
|
|
|
| |
This makes explicit which lookups can accept an unsigned response.
Insecure (unsigned, as before DNSSEC) A and AAAA records can be used as
security would come from TLS, but an insecure TLSA record is worthless.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Brings back SCRAM-SHA-*-PLUS from its hiatus brought on by the earlier
channel binding method being undefined for TLS 1.3, and the increasing
deployment of TLS 1.3.
See 1bfd238e05ad and #1542
Requires future version of LuaSec, once support for this key material
export method is merged.
See https://github.com/brunoos/luasec/pull/187
|
| |
|
|\ |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
(fixes #1763) (thanks rgd)
add_defaults() is supposed to merge 3 tables, the defaults in
luaunbound, the defaults from prosody and any config from the prosody
config file. In the case where no `unbound={}` has been in the config,
it skips over the merge and returns only the prosody built-in defaults.
This results in libunbound skipping reading resolv.conf and uses its
default behavior of full recursive resolution.
Prior to #1737 there were only two tables, the luaunbound defaults and
the prosody config, where bypassing the merge and returning the former
did the right thing.
|
| | |
|
| |
| |
| |
| |
| |
| |
| | |
return foo and foo() crops multiple return values to a single one, so
any second return values etc were last, mostly error details.
Introduced in 7e9ebdc75ce4
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This is a Linux(?) socket option that delays the accept signal until
there is data available to read. E.g. with HTTP this might mean that a
whole request can be handled without going back trough another turn of
the main loop, and an initial client <stream> can be responded to.
This may have effects on latency and resource use, as the server does
not need to allocate resources until really needed.
|
| |
| |
| |
| |
| | |
Since it provides some protection and error handling in the form of
logging.
|
| |
| |
| |
| | |
Reduces the side effects of wrapsocket()
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Requires a patch to LuaSocket adding this socket option,
https://github.com/lunarmodules/luasocket/pull/378
sysctl tweaks
net.ipv4.tcp_fastopen=3
net.ipv4.tcp_fastopen_blackhole_timeout_sec = 0
net.ipv4.tcp_fastopen_key=$(</proc/sys/kernel/random/uuid)
Disabled by default since it an advanced performance tweak unlikely to
be needed by most servers.
|
|\| |
|
| |
| |
| |
| | |
This error is an error, therefore it should be at the error level
|
| |
| |
| |
| |
| | |
This mirrors the behaviour with net.dns and avoids the initialization
issue in #1737
|
| |
| |
| |
| |
| | |
server_select is used in e.g. storagemanager tests, and some of the CI
runners are lacking LuaSec, which resulted in failures.
|
| |
| |
| |
| |
| |
| | |
We at some point decided that it was okay to have a hard dependency the
TLS library. Especially here since this module is meant to contain all
LuaSec specifics.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This now requires that the network backend exposes a tls_builder
function, which essentially wraps the former util.sslconfig.new()
function, passing a factory to create the eventual SSL context.
That allows a net.server backend to pick whatever it likes as SSL
context factory, as long as it understands the config table passed by
the SSL config builder. Heck, a backend could even mock and replace the
entire SSL config builder API.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
For this, various accessor functions are now provided directly on the
sockets, which reach down into the LuaSec implementation to obtain the
information.
While this may seem of little gain at first, it hides the implementation
detail of the LuaSec+LuaSocket combination that the actual socket and
the TLS layer are separate objects.
The net gain here is that an alternative implementation does not have to
emulate that specific implementation detail and "only" has to expose
LuaSec-compatible data structures on the new functions.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Connection attempts that failed the Happy Eyeballs race were not
unreferenced and would accumulate.
Tested by inspecting the 'pending_connections_map' after establishing
s2s with a s2s target where the IPv6 port has a -j DROP rule causing it
to time out and the IPv4 attempt wins the race.
Expected is that the losing connection stays around until net.server
timeouts kick in where it should be removed. The map table should tend
towards being empty during idle times.
|
| | |
|
| |
| |
| |
| |
| | |
This could lead to failure being reported too early, even if some connections
have not yet failed.
|
| | |
|
| |
| |
| |
| | |
RFC 8305
|
| | |
|
| | |
|
| | |
|
| |
| |
| |
| | |
...and prepare for Happy Eyeballs
|
|/
|
|
| |
#NotHappyEyeballs
|
|
|
|
|
|
| |
Words, sometimes I wonder how they even work
Maybe I missed something.
|
|
|
|
|
|
| |
Fallback code for not having either the string.pack and string.unpack
functions available in Lua 5.4 or the struct lib is no longer needed
since the struct lib was imported as util.struct in 3ce3633527af
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
versions
|
|
|
|
| |
Improves performance since the whole procedure is done in C
|
| |
|
| |
|
|
|
|
| |
Dare to enable by default?
|
|
|
|
|
|
| |
Only allowing it to be passed directly makes it hard to combine plain
(i.e. starttls) and Direct TLS connections in the same connection
resolution procedure. But now we can, using chained resolvers!
|