From 5dc9451f0eaf11fb38b52c0ad9bcd4aaa17b05e2 Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Mon, 14 Apr 2014 23:00:44 +0200 Subject: certmanager: Check for non-nil values instead of true-ish values, allows removing defaults --- core/certmanager.lua | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/core/certmanager.lua b/core/certmanager.lua index 9dfb8f3a..957923f5 100644 --- a/core/certmanager.lua +++ b/core/certmanager.lua @@ -69,13 +69,14 @@ function create_context(host, mode, user_ssl_config) if global_ssl_config then for option,default_value in pairs(global_ssl_config) do - if not user_ssl_config[option] then + if user_ssl_config[option] == nil then user_ssl_config[option] = default_value; end end end + for option,default_value in pairs(core_defaults) do - if not user_ssl_config[option] then + if user_ssl_config[option] == nil then user_ssl_config[option] = default_value; end end -- cgit v1.2.3 From a43c400bf861e176a460d9d374328fa0f30cdfc5 Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Mon, 14 Apr 2014 23:09:28 +0200 Subject: certmanager: Allow non-server contexts to be without certificate and key --- core/certmanager.lua | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/core/certmanager.lua b/core/certmanager.lua index 957923f5..6a53f5b2 100644 --- a/core/certmanager.lua +++ b/core/certmanager.lua @@ -87,8 +87,10 @@ function create_context(host, mode, user_ssl_config) end end - if not user_ssl_config.key then return nil, "No key present in SSL/TLS configuration for "..host; end - if not user_ssl_config.certificate then return nil, "No certificate present in SSL/TLS configuration for "..host; end + if mode == "server" then + if not user_ssl_config.key then return nil, "No key present in SSL/TLS configuration for "..host; end + if not user_ssl_config.certificate then return nil, "No certificate present in SSL/TLS configuration for "..host; end + end -- LuaSec expects dhparam to be a callback that takes two arguments. -- We ignore those because it is mostly used for having a separate -- cgit v1.2.3 From 6031d2cdfac34ae1dba3907ca36dd4a6293d4218 Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Mon, 14 Apr 2014 23:34:35 +0200 Subject: certmanager: Concatenate cipher list if given as a table --- core/certmanager.lua | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/core/certmanager.lua b/core/certmanager.lua index 6a53f5b2..879d6131 100644 --- a/core/certmanager.lua +++ b/core/certmanager.lua @@ -15,6 +15,7 @@ local tostring = tostring; local pairs = pairs; local type = type; local io_open = io.open; +local t_concat = table.concat; local prosody = prosody; local resolve_path = configmanager.resolve_relative_path; @@ -87,6 +88,11 @@ function create_context(host, mode, user_ssl_config) end end + -- Allow the cipher list to be a table + if type(user_ssl_config.ciphers) == "table" then + user_ssl_config.ciphers = t_concat(user_ssl_config.ciphers, ":") + end + if mode == "server" then if not user_ssl_config.key then return nil, "No key present in SSL/TLS configuration for "..host; end if not user_ssl_config.certificate then return nil, "No certificate present in SSL/TLS configuration for "..host; end -- cgit v1.2.3 From ff3d811e6a6f2ec5bce62683be48fe5121245ef3 Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Mon, 14 Apr 2014 23:41:26 +0200 Subject: certmanager: Wrap long line and add comment --- core/certmanager.lua | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/core/certmanager.lua b/core/certmanager.lua index 879d6131..5cbec241 100644 --- a/core/certmanager.lua +++ b/core/certmanager.lua @@ -81,7 +81,11 @@ function create_context(host, mode, user_ssl_config) user_ssl_config[option] = default_value; end end - user_ssl_config.password = user_ssl_config.password or function() log("error", "Encrypted certificate for %s requires 'ssl' 'password' to be set in config", host); end; + + -- We can't read the password interactively when daemonized + user_ssl_config.password = user_ssl_config.password or + function() log("error", "Encrypted certificate for %s requires 'ssl' 'password' to be set in config", host); end; + for option in pairs(path_options) do if type(user_ssl_config[option]) == "string" then user_ssl_config[option] = resolve_path(config_path, user_ssl_config[option]); -- cgit v1.2.3 From 01c2957f0296cee49cca7af4d6fedc13ffbb7cbd Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Tue, 15 Apr 2014 00:32:11 +0200 Subject: certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost --- core/certmanager.lua | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/core/certmanager.lua b/core/certmanager.lua index 5cbec241..cf745ad2 100644 --- a/core/certmanager.lua +++ b/core/certmanager.lua @@ -46,6 +46,9 @@ local core_defaults = { local path_options = { -- These we pass through resolve_path() key = true, certificate = true, cafile = true, capath = true, dhparam = true } +local set_options = { + options = true, verify = true, verifyext = true +} if ssl and not luasec_has_verifyext and ssl.x509 then -- COMPAT mw/luasec-hg @@ -62,6 +65,18 @@ if luasec_has_no_compression then -- Has no_compression? Then it has these too.. end end +local function merge_set(t, o) + if type(t) ~= "table" then t = { t } end + for k,v in pairs(t) do + if v == true or v == false then + o[k] = v; + else + o[v] = true; + end + end + return o; +end + function create_context(host, mode, user_ssl_config) user_ssl_config = user_ssl_config or {} user_ssl_config.mode = mode; @@ -82,6 +97,20 @@ function create_context(host, mode, user_ssl_config) end end + for option in pairs(set_options) do + local merged = {}; + merge_set(core_defaults[option], merged); + merge_set(global_ssl_config[option], merged); + merge_set(user_ssl_config[option], merged); + local final_array = {}; + for opt, enable in pairs(merged) do + if enable then + final_array[#final_array+1] = opt; + end + end + user_ssl_config[option] = final_array; + end + -- We can't read the password interactively when daemonized user_ssl_config.password = user_ssl_config.password or function() log("error", "Encrypted certificate for %s requires 'ssl' 'password' to be set in config", host); end; -- cgit v1.2.3 From 7229a760a41d22e002e82f2f8d00aec8cc271f30 Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Tue, 15 Apr 2014 00:45:07 +0200 Subject: certmanager: Support ssl.protocol syntax like "tlsv1+" that disables older protocols --- core/certmanager.lua | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/core/certmanager.lua b/core/certmanager.lua index cf745ad2..3741145d 100644 --- a/core/certmanager.lua +++ b/core/certmanager.lua @@ -36,9 +36,9 @@ local global_ssl_config = configmanager.get("*", "ssl"); local core_defaults = { capath = "/etc/ssl/certs"; - protocol = "sslv23"; + protocol = "tlsv1+"; verify = (ssl and ssl.x509 and { "peer", "client_once", }) or "none"; - options = { "no_sslv2", "no_sslv3", "cipher_server_preference", luasec_has_noticket and "no_ticket" or nil }; + options = { "cipher_server_preference", luasec_has_noticket and "no_ticket" or nil }; verifyext = { "lsec_continue", "lsec_ignore_purpose" }; curve = "secp384r1"; ciphers = "HIGH+kEDH:HIGH+kEECDH:HIGH:!PSK:!SRP:!3DES:!aNULL"; @@ -77,6 +77,9 @@ local function merge_set(t, o) return o; end +local protocols = { "sslv2", "sslv3", "tlsv1", "tlsv1_1", "tlsv1_2" }; +for i = 1, #protocols do protocols[protocols[i] .. "+"] = i - 1; end + function create_context(host, mode, user_ssl_config) user_ssl_config = user_ssl_config or {} user_ssl_config.mode = mode; @@ -97,6 +100,14 @@ function create_context(host, mode, user_ssl_config) end end + local min_protocol = protocols[user_ssl_config.protocol]; + if min_protocol then + user_ssl_config.protocol = "sslv23"; + for i = min_protocol, 1, -1 do + user_ssl_config.options["no_"..protocols[i]] = true; + end + end + for option in pairs(set_options) do local merged = {}; merge_set(core_defaults[option], merged); -- cgit v1.2.3 From 0f3d96bb858e159322c4bca5d919629a82d6cb09 Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Tue, 15 Apr 2014 00:49:17 +0200 Subject: certmanager: Reformat core ssl defaults --- core/certmanager.lua | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/core/certmanager.lua b/core/certmanager.lua index 3741145d..012eb933 100644 --- a/core/certmanager.lua +++ b/core/certmanager.lua @@ -34,11 +34,19 @@ module "certmanager" -- Global SSL options if not overridden per-host local global_ssl_config = configmanager.get("*", "ssl"); +-- Built-in defaults local core_defaults = { capath = "/etc/ssl/certs"; protocol = "tlsv1+"; verify = (ssl and ssl.x509 and { "peer", "client_once", }) or "none"; - options = { "cipher_server_preference", luasec_has_noticket and "no_ticket" or nil }; + options = { + cipher_server_preference = true; + no_ticket = luasec_has_noticket; + no_compression = luasec_has_no_compression and configmanager.get("*", "ssl_compression") ~= true; + -- Has no_compression? Then it has these too... + single_dh_use = luasec_has_no_compression; + single_ecdh_use = luasec_has_no_compression; + }; verifyext = { "lsec_continue", "lsec_ignore_purpose" }; curve = "secp384r1"; ciphers = "HIGH+kEDH:HIGH+kEECDH:HIGH:!PSK:!SRP:!3DES:!aNULL"; @@ -57,14 +65,6 @@ if ssl and not luasec_has_verifyext and ssl.x509 then end end -if luasec_has_no_compression then -- Has no_compression? Then it has these too... - core_defaults.options[#core_defaults.options+1] = "single_dh_use"; - core_defaults.options[#core_defaults.options+1] = "single_ecdh_use"; - if configmanager.get("*", "ssl_compression") ~= true then - core_defaults.options[#core_defaults.options+1] = "no_compression"; - end -end - local function merge_set(t, o) if type(t) ~= "table" then t = { t } end for k,v in pairs(t) do -- cgit v1.2.3 From c8e173e9c9c639cca54c25f3707de3b9ff58c788 Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Tue, 15 Apr 2014 01:02:56 +0200 Subject: certmanager: Update ssl_compression when config is reloaded --- core/certmanager.lua | 3 +++ 1 file changed, 3 insertions(+) diff --git a/core/certmanager.lua b/core/certmanager.lua index 012eb933..8f1e1520 100644 --- a/core/certmanager.lua +++ b/core/certmanager.lua @@ -194,6 +194,9 @@ end function reload_ssl_config() global_ssl_config = configmanager.get("*", "ssl"); + if luasec_has_no_compression then + core_defaults.options.no_compression = configmanager.get("*", "ssl_compression") ~= true; + end end prosody.events.add_handler("config-reloaded", reload_ssl_config); -- cgit v1.2.3