aboutsummaryrefslogtreecommitdiffstats
path: root/plugins/mod_tls.lua
Commit message (Collapse)AuthorAgeFilesLines
* plugins: Use boolean config method in some placesKim Alvefur2023-07-181-4/+4
| | | | Because it makes sense and improves feedback via logging
* mod_tls: Drop request for client certificates on outgoing connectionsKim Alvefur2023-04-191-1/+1
| | | | | | It is the other end who should request client certificates for these connections, we only need to send ours. Hopefully this was treated as a noop, so probably no harm in keeping it. But hey, spring cleaning? :)
* plugins: Prefix module imports with prosody namespaceKim Alvefur2023-03-241-3/+3
|
* mod_tls: Record STARTTLS state so it can be shown in ShellKim Alvefur2022-08-021-0/+3
| | | | | | | This field can be viewed using s2s:show(nil, "... starttls") even without any special support in mod_admin_shell, which can be added later to make it nicer. One can then assume that a TLS connection with an empty / nil starttls field means Direct TLS.
* mod_tls: pass target hostname to starttlsJonas Schäfer2021-09-171-1/+1
| | | | In case the network backend needs it for outgoing SNI or something.
* mod_tls: tell network backend to stop reading while preparing TLSJonas Schäfer2022-04-021-0/+7
|
* mod_tls: Do not offer TLS if the connection is considered secureJonas Schäfer2021-09-171-0/+3
| | | | | | | | | | This may be necessary if the session.conn object is not exchanged by the network backend when establishing TLS. In that case, the starttls method will always exist and thus that is not a good indicator for offering TLS. However, the secure bit already tells us that TLS has been established or is not to be established on the connection, so we use that instead.
* various: Require encryption by default for realKim Alvefur2021-12-251-2/+2
| | | | | | | | | These options have been specified (and enabled) in the default config file for a long time. However if unspecified in the config, they were not enabled. Now they are. This may result in a change of behaviour for people using very old config files that lack the require_encryption options. But that's what we want.
* mod_tls: Set ALPN on outgoing connectionsKim Alvefur2022-01-251-1/+2
| | | | | | | | | Relevant and sometimes needed for Direct TLS which mod_s2s uses this context for. Primarily when e.g. mod_net_multiplex or equivalent ALPN based dispatch is used. All these contexts should likely move away from mod_tls and into either mod_s2s or portmanager. The later already duplicates some of this work.
* mod_s2s: Retrieve TLS context for outgoing Direct TLS connections from mod_tlsKim Alvefur2022-01-211-1/+6
| | | | | | | | | | So that the same TLS context is used for both Direct TLS and starttls, since they are supposed to be functionally identical apart from the few extra round trips. A new event is added because the 's2s-created' event fires much later, after a connection has already been established, where we need the TLS context before that.
* mod_tls: Attempt STARTTLS on outgoing unencrypted legacy s2s connectionsKim Alvefur2021-09-011-0/+8
| | | | As suggested by RFC 7590
* Fix various spelling errors (thanks codespell)Kim Alvefur2021-07-271-1/+1
| | | | | Also special thanks to timeless, for wordlessly reminding me to check for typos.
* mod_tls: Add "support" for <failure> by closing gracefullyKim Alvefur2021-05-211-0/+6
| | | | Nicer than the "unsupported stanza type" error we get otherwise.
* mod_tls: Fix order of debug messages and tls context creationKim Alvefur2021-05-051-2/+2
| | | | | Originally added in 5b048ccd106f Merged wrong in ca01c449357f
* mod_tls: Bail out if session got destroyed while sending <proceed/>Kim Alvefur2021-04-151-0/+1
| | | | | | | Can happen in case opportunistic_writes is enabled and the session got destroyed while writing that tag. Thanks Ge0rG
* mod_tls: Ignore lack of STARTTLS offer only when s2s_require_encryption setKim Alvefur2021-01-291-1/+4
|
* mod_tls: Attempt STARTTLS even if not advertised as per RFC 7590Kim Alvefur2021-01-291-2/+6
|
* Merge 0.11->trunkKim Alvefur2020-04-261-1/+7
|\
| * mod_tls: Log when certificates are (re)loadedKim Alvefur2020-04-261-1/+7
| | | | | | | | Meant to reduce user confusion over what's reloaded and not.
* | Merge 0.11->trunkKim Alvefur2019-04-241-0/+3
|\|
| * mod_tls: Log debug message for each kind of TLS context createdKim Alvefur2019-04-231-0/+3
| | | | | | | | | | | | Creating TLS contexts triggers a lot of messages from certmanager that don't really describe their purpose. This is meant to provide hints about that.
* | mod_tls: Restore querying for certificates on s2sKim Alvefur2019-03-111-2/+6
| | | | | | | | | | The 'ssl_config' setting in the mod_s2s network service is not used. Only direct TLS ports use this currently.
* | mod_tls: Keep TLS context errors and repeat them again for each sessionKim Alvefur2018-12-281-7/+17
|/
* mod_tls: Rebuild SSL context objects on configuration reload - #701Kim Alvefur2017-04-251-1/+4
|
* mod_tls: Switch to hook_tag from hook_stanza which was renamed in 2087d42f1e77Kim Alvefur2017-03-061-2/+2
|
* mod_tls: Suppress debug message if already using encryptionKim Alvefur2017-02-251-1/+3
|
* mod_tls: Log reasons for not being able to do TLSKim Alvefur2017-02-151-0/+2
|
* mod_tls: Check that connection has starttls method first to prevent offering ↵Kim Alvefur2017-01-271-3/+3
| | | | starttls over tls (thanks Remko and Tobias)
* mod_tls: Return session.ssl_ctx if not nil, like when doing the full session ↵Kim Alvefur2017-01-251-3/+3
| | | | type check
* mod_tls: Add debug logging for when TLS should be doable but no ssl context ↵Kim Alvefur2017-01-251-0/+4
| | | | was set
* mod_tls: Verify that TLS is available before proceedingKim Alvefur2017-01-231-1/+1
|
* mod_tls: Only accept <proceed> on outgoing s2s connectionsKim Alvefur2017-01-231-5/+7
|
* mod_tls: Ignore unused argument [luacheck]Kim Alvefur2016-11-021-1/+1
|
* mod_tls: Fix ssl option fallback to a "parent" host if current host does not ↵Kim Alvefur2015-11-091-2/+2
| | | | have ssl options set (thanks 70b1)
* mod_tls: Remove unused reference to global ssl config option (certmanager ↵Kim Alvefur2015-11-091-1/+0
| | | | adds that to the context)
* mod_tls: Fix inhertinance of 'ssl' option from "parent" host to subdomain ↵Kim Alvefur2015-09-151-10/+12
| | | | (fixes #511)
* mod_tls: Treat session.ssl_ctx being false as a signal that TLS is disabledKim Alvefur2015-05-181-1/+1
|
* mod_tls: Build <starttls/> as a stanza instead of with string concatenationKim Alvefur2015-05-181-1/+2
|
* certmanager, mod_tls: Return final ssl config as third return value (fix for ↵Kim Alvefur2014-11-221-7/+7
| | | | c6caaa440e74, portmanager assumes non-falsy second return value is an error) (thanks deoren)
* mod_tls: Keep ssl config around and attach them to sessionsKim Alvefur2014-11-191-6/+12
|
* mod_legacyauth, mod_saslauth, mod_tls: Pass require_encryption as default ↵Kim Alvefur2014-10-211-1/+1
| | | | option to s2s_require_encryption so the later overrides the former
* mod_lastactivity, mod_legacyauth, mod_presence, mod_saslauth, mod_tls: Use ↵Kim Alvefur2014-07-041-1/+1
| | | | the newer stanza:get_child APIs and optimize away some table lookups
* mod_tls: Simplify and use new ssl config merging in certmanagerKim Alvefur2014-07-031-15/+17
|
* Merge 0.9->0.10Matthew Wild2014-01-181-4/+10
|\
| * mod_tls: Let s2s_secure_auth override s2s_require_encryption and warn if ↵Kim Alvefur2014-01-151-0/+6
| | | | | | | | they differ
| * mod_tls: Rename variables to be less confusingKim Alvefur2014-01-151-4/+4
| |
| * mod_tls: Log error when TLS initialization fails0.9.3Matthew Wild2014-01-121-2/+9
| |
* | Remove all trailing whitespaceFlorian Zeitz2013-08-091-1/+1
| |
* | mod_tls: Remove debug statementKim Alvefur2013-06-161-1/+0
| |
* | mod_tls: Refactor to allow separate SSL configuration for c2s and s2s ↵Kim Alvefur2013-06-131-26/+36
|/ | | | connections