Commit message (Collapse) | Author | Age | Files | Lines | |
---|---|---|---|---|---|
* | mod_tls: Drop request for client certificates on outgoing connections | Kim Alvefur | 2023-04-19 | 1 | -1/+1 |
| | | | | | | It is the other end who should request client certificates for these connections, we only need to send ours. Hopefully this was treated as a noop, so probably no harm in keeping it. But hey, spring cleaning? :) | ||||
* | plugins: Prefix module imports with prosody namespace | Kim Alvefur | 2023-03-24 | 1 | -3/+3 |
| | |||||
* | mod_tls: Record STARTTLS state so it can be shown in Shell | Kim Alvefur | 2022-08-02 | 1 | -0/+3 |
| | | | | | | | This field can be viewed using s2s:show(nil, "... starttls") even without any special support in mod_admin_shell, which can be added later to make it nicer. One can then assume that a TLS connection with an empty / nil starttls field means Direct TLS. | ||||
* | mod_tls: pass target hostname to starttls | Jonas Schäfer | 2021-09-17 | 1 | -1/+1 |
| | | | | In case the network backend needs it for outgoing SNI or something. | ||||
* | mod_tls: tell network backend to stop reading while preparing TLS | Jonas Schäfer | 2022-04-02 | 1 | -0/+7 |
| | |||||
* | mod_tls: Do not offer TLS if the connection is considered secure | Jonas Schäfer | 2021-09-17 | 1 | -0/+3 |
| | | | | | | | | | | This may be necessary if the session.conn object is not exchanged by the network backend when establishing TLS. In that case, the starttls method will always exist and thus that is not a good indicator for offering TLS. However, the secure bit already tells us that TLS has been established or is not to be established on the connection, so we use that instead. | ||||
* | various: Require encryption by default for real | Kim Alvefur | 2021-12-25 | 1 | -2/+2 |
| | | | | | | | | | These options have been specified (and enabled) in the default config file for a long time. However if unspecified in the config, they were not enabled. Now they are. This may result in a change of behaviour for people using very old config files that lack the require_encryption options. But that's what we want. | ||||
* | mod_tls: Set ALPN on outgoing connections | Kim Alvefur | 2022-01-25 | 1 | -1/+2 |
| | | | | | | | | | Relevant and sometimes needed for Direct TLS which mod_s2s uses this context for. Primarily when e.g. mod_net_multiplex or equivalent ALPN based dispatch is used. All these contexts should likely move away from mod_tls and into either mod_s2s or portmanager. The later already duplicates some of this work. | ||||
* | mod_s2s: Retrieve TLS context for outgoing Direct TLS connections from mod_tls | Kim Alvefur | 2022-01-21 | 1 | -1/+6 |
| | | | | | | | | | | So that the same TLS context is used for both Direct TLS and starttls, since they are supposed to be functionally identical apart from the few extra round trips. A new event is added because the 's2s-created' event fires much later, after a connection has already been established, where we need the TLS context before that. | ||||
* | mod_tls: Attempt STARTTLS on outgoing unencrypted legacy s2s connections | Kim Alvefur | 2021-09-01 | 1 | -0/+8 |
| | | | | As suggested by RFC 7590 | ||||
* | Fix various spelling errors (thanks codespell) | Kim Alvefur | 2021-07-27 | 1 | -1/+1 |
| | | | | | Also special thanks to timeless, for wordlessly reminding me to check for typos. | ||||
* | mod_tls: Add "support" for <failure> by closing gracefully | Kim Alvefur | 2021-05-21 | 1 | -0/+6 |
| | | | | Nicer than the "unsupported stanza type" error we get otherwise. | ||||
* | mod_tls: Fix order of debug messages and tls context creation | Kim Alvefur | 2021-05-05 | 1 | -2/+2 |
| | | | | | Originally added in 5b048ccd106f Merged wrong in ca01c449357f | ||||
* | mod_tls: Bail out if session got destroyed while sending <proceed/> | Kim Alvefur | 2021-04-15 | 1 | -0/+1 |
| | | | | | | | Can happen in case opportunistic_writes is enabled and the session got destroyed while writing that tag. Thanks Ge0rG | ||||
* | mod_tls: Ignore lack of STARTTLS offer only when s2s_require_encryption set | Kim Alvefur | 2021-01-29 | 1 | -1/+4 |
| | |||||
* | mod_tls: Attempt STARTTLS even if not advertised as per RFC 7590 | Kim Alvefur | 2021-01-29 | 1 | -2/+6 |
| | |||||
* | Merge 0.11->trunk | Kim Alvefur | 2020-04-26 | 1 | -1/+7 |
|\ | |||||
| * | mod_tls: Log when certificates are (re)loaded | Kim Alvefur | 2020-04-26 | 1 | -1/+7 |
| | | | | | | | | Meant to reduce user confusion over what's reloaded and not. | ||||
* | | Merge 0.11->trunk | Kim Alvefur | 2019-04-24 | 1 | -0/+3 |
|\| | |||||
| * | mod_tls: Log debug message for each kind of TLS context created | Kim Alvefur | 2019-04-23 | 1 | -0/+3 |
| | | | | | | | | | | | | Creating TLS contexts triggers a lot of messages from certmanager that don't really describe their purpose. This is meant to provide hints about that. | ||||
* | | mod_tls: Restore querying for certificates on s2s | Kim Alvefur | 2019-03-11 | 1 | -2/+6 |
| | | | | | | | | | | The 'ssl_config' setting in the mod_s2s network service is not used. Only direct TLS ports use this currently. | ||||
* | | mod_tls: Keep TLS context errors and repeat them again for each session | Kim Alvefur | 2018-12-28 | 1 | -7/+17 |
|/ | |||||
* | mod_tls: Rebuild SSL context objects on configuration reload - #701 | Kim Alvefur | 2017-04-25 | 1 | -1/+4 |
| | |||||
* | mod_tls: Switch to hook_tag from hook_stanza which was renamed in 2087d42f1e77 | Kim Alvefur | 2017-03-06 | 1 | -2/+2 |
| | |||||
* | mod_tls: Suppress debug message if already using encryption | Kim Alvefur | 2017-02-25 | 1 | -1/+3 |
| | |||||
* | mod_tls: Log reasons for not being able to do TLS | Kim Alvefur | 2017-02-15 | 1 | -0/+2 |
| | |||||
* | mod_tls: Check that connection has starttls method first to prevent offering ↵ | Kim Alvefur | 2017-01-27 | 1 | -3/+3 |
| | | | | starttls over tls (thanks Remko and Tobias) | ||||
* | mod_tls: Return session.ssl_ctx if not nil, like when doing the full session ↵ | Kim Alvefur | 2017-01-25 | 1 | -3/+3 |
| | | | | type check | ||||
* | mod_tls: Add debug logging for when TLS should be doable but no ssl context ↵ | Kim Alvefur | 2017-01-25 | 1 | -0/+4 |
| | | | | was set | ||||
* | mod_tls: Verify that TLS is available before proceeding | Kim Alvefur | 2017-01-23 | 1 | -1/+1 |
| | |||||
* | mod_tls: Only accept <proceed> on outgoing s2s connections | Kim Alvefur | 2017-01-23 | 1 | -5/+7 |
| | |||||
* | mod_tls: Ignore unused argument [luacheck] | Kim Alvefur | 2016-11-02 | 1 | -1/+1 |
| | |||||
* | mod_tls: Fix ssl option fallback to a "parent" host if current host does not ↵ | Kim Alvefur | 2015-11-09 | 1 | -2/+2 |
| | | | | have ssl options set (thanks 70b1) | ||||
* | mod_tls: Remove unused reference to global ssl config option (certmanager ↵ | Kim Alvefur | 2015-11-09 | 1 | -1/+0 |
| | | | | adds that to the context) | ||||
* | mod_tls: Fix inhertinance of 'ssl' option from "parent" host to subdomain ↵ | Kim Alvefur | 2015-09-15 | 1 | -10/+12 |
| | | | | (fixes #511) | ||||
* | mod_tls: Treat session.ssl_ctx being false as a signal that TLS is disabled | Kim Alvefur | 2015-05-18 | 1 | -1/+1 |
| | |||||
* | mod_tls: Build <starttls/> as a stanza instead of with string concatenation | Kim Alvefur | 2015-05-18 | 1 | -1/+2 |
| | |||||
* | certmanager, mod_tls: Return final ssl config as third return value (fix for ↵ | Kim Alvefur | 2014-11-22 | 1 | -7/+7 |
| | | | | c6caaa440e74, portmanager assumes non-falsy second return value is an error) (thanks deoren) | ||||
* | mod_tls: Keep ssl config around and attach them to sessions | Kim Alvefur | 2014-11-19 | 1 | -6/+12 |
| | |||||
* | mod_legacyauth, mod_saslauth, mod_tls: Pass require_encryption as default ↵ | Kim Alvefur | 2014-10-21 | 1 | -1/+1 |
| | | | | option to s2s_require_encryption so the later overrides the former | ||||
* | mod_lastactivity, mod_legacyauth, mod_presence, mod_saslauth, mod_tls: Use ↵ | Kim Alvefur | 2014-07-04 | 1 | -1/+1 |
| | | | | the newer stanza:get_child APIs and optimize away some table lookups | ||||
* | mod_tls: Simplify and use new ssl config merging in certmanager | Kim Alvefur | 2014-07-03 | 1 | -15/+17 |
| | |||||
* | Merge 0.9->0.10 | Matthew Wild | 2014-01-18 | 1 | -4/+10 |
|\ | |||||
| * | mod_tls: Let s2s_secure_auth override s2s_require_encryption and warn if ↵ | Kim Alvefur | 2014-01-15 | 1 | -0/+6 |
| | | | | | | | | they differ | ||||
| * | mod_tls: Rename variables to be less confusing | Kim Alvefur | 2014-01-15 | 1 | -4/+4 |
| | | |||||
| * | mod_tls: Log error when TLS initialization fails0.9.3 | Matthew Wild | 2014-01-12 | 1 | -2/+9 |
| | | |||||
* | | Remove all trailing whitespace | Florian Zeitz | 2013-08-09 | 1 | -1/+1 |
| | | |||||
* | | mod_tls: Remove debug statement | Kim Alvefur | 2013-06-16 | 1 | -1/+0 |
| | | |||||
* | | mod_tls: Refactor to allow separate SSL configuration for c2s and s2s ↵ | Kim Alvefur | 2013-06-13 | 1 | -26/+36 |
|/ | | | | connections | ||||
* | mod_tls: More use of config sections removed | Kim Alvefur | 2013-03-23 | 1 | -2/+2 |
| |