From 9f65ce71893ef10485442ee209472a38865da081 Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Sun, 10 Mar 2019 19:58:28 +0100 Subject: core.certmanager: Do not ask for client certificates by default Since it's mostly only mod_s2s that needs to request client certificates it makes some sense to have mod_s2s ask for this, instead of having eg mod_http ask to disable it. --- core/certmanager.lua | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'core/certmanager.lua') diff --git a/core/certmanager.lua b/core/certmanager.lua index 5282a6f5..63f314f8 100644 --- a/core/certmanager.lua +++ b/core/certmanager.lua @@ -106,7 +106,7 @@ local core_defaults = { capath = "/etc/ssl/certs"; depth = 9; protocol = "tlsv1+"; - verify = (ssl_x509 and { "peer", "client_once", }) or "none"; + verify = "none"; options = { cipher_server_preference = luasec_has.options.cipher_server_preference; no_ticket = luasec_has.options.no_ticket; -- cgit v1.2.3 From df3f84ce546ea55074a11a69aab473012369af8f Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Sun, 25 Aug 2019 20:22:35 +0200 Subject: core.certmanager: Move EECDH ciphers before EDH in default cipherstring The original intent of having kEDH before kEECDH was that if a `dhparam` file was specified, this would be interpreted as a preference by the admin for old and well-tested Diffie-Hellman key agreement over newer elliptic curve ones. Otherwise the faster elliptic curve ciphersuites would be preferred. This didn't really work as intended since this affects the ClientHello on outgoing s2s connections, leading to some servers using poorly configured kEDH. With Debian shipping OpenSSL settings that enforce a higher security level, this caused interoperability problems with servers that use DH params smaller than 2048 bits. E.g. jabber.org at the time of this writing has 1024 bit DH params. MattJ says > Curves have won, and OpenSSL is less weird about them now --- core/certmanager.lua | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'core/certmanager.lua') diff --git a/core/certmanager.lua b/core/certmanager.lua index 63f314f8..5d3cc2c1 100644 --- a/core/certmanager.lua +++ b/core/certmanager.lua @@ -123,8 +123,8 @@ local core_defaults = { "P-521", }; ciphers = { -- Enabled ciphers in order of preference: - "HIGH+kEDH", -- Ephemeral Diffie-Hellman key exchange, if a 'dhparam' file is set "HIGH+kEECDH", -- Ephemeral Elliptic curve Diffie-Hellman key exchange + "HIGH+kEDH", -- Ephemeral Diffie-Hellman key exchange, if a 'dhparam' file is set "HIGH", -- Other "High strength" ciphers -- Disabled cipher suites: "!PSK", -- Pre-Shared Key - not used for XMPP -- cgit v1.2.3 From b16782257d441196d7fbab2823ba8fa878c4c056 Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Sun, 25 Aug 2019 23:12:55 +0200 Subject: Remove COMPAT with temporary luasec fork The changes in the temporary fork were merged into mainline luasec ca 2013 and included in the 0.5 release in 2014. --- core/certmanager.lua | 7 ------- 1 file changed, 7 deletions(-) (limited to 'core/certmanager.lua') diff --git a/core/certmanager.lua b/core/certmanager.lua index 5d3cc2c1..f81429ee 100644 --- a/core/certmanager.lua +++ b/core/certmanager.lua @@ -148,13 +148,6 @@ local path_options = { -- These we pass through resolve_path() key = true, certificate = true, cafile = true, capath = true, dhparam = true } -if luasec_version < 5 and ssl_x509 then - -- COMPAT mw/luasec-hg - for i=1,#core_defaults.verifyext do -- Remove lsec_ prefix - core_defaults.verify[#core_defaults.verify+1] = core_defaults.verifyext[i]:sub(6); - end -end - local function create_context(host, mode, ...) local cfg = new_config(); cfg:apply(core_defaults); -- cgit v1.2.3 From f39535cfd039d481457c27cee5154bdfb1ff3621 Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Sun, 25 Aug 2019 23:25:42 +0200 Subject: core.certmanager: Remove unused import [luacheck] --- core/certmanager.lua | 1 - 1 file changed, 1 deletion(-) (limited to 'core/certmanager.lua') diff --git a/core/certmanager.lua b/core/certmanager.lua index f81429ee..64528c34 100644 --- a/core/certmanager.lua +++ b/core/certmanager.lua @@ -20,7 +20,6 @@ end local configmanager = require "core.configmanager"; local log = require "util.logger".init("certmanager"); local ssl_context = ssl.context or softreq"ssl.context"; -local ssl_x509 = ssl.x509 or softreq"ssl.x509"; local ssl_newcontext = ssl.newcontext; local new_config = require"util.sslconfig".new; local stat = require "lfs".attributes; -- cgit v1.2.3 From 5bba716be9cf3b7e345164023dc89b84e7542ea1 Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Sat, 7 Sep 2019 00:00:40 +0200 Subject: core.certmanager: Lower severity for tls config not having cert This is needed for SNI where certificates are in separate per-hostname contexts, not the main one. If there is a cert, it will still require a corresponding key. --- core/certmanager.lua | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'core/certmanager.lua') diff --git a/core/certmanager.lua b/core/certmanager.lua index 64528c34..b20a0cdb 100644 --- a/core/certmanager.lua +++ b/core/certmanager.lua @@ -169,8 +169,10 @@ local function create_context(host, mode, ...) local user_ssl_config = cfg:final(); if mode == "server" then - if not user_ssl_config.certificate then return nil, "No certificate present in SSL/TLS configuration for "..host; end - if not user_ssl_config.key then return nil, "No key present in SSL/TLS configuration for "..host; end + if not user_ssl_config.certificate then + log("info", "No certificate present in SSL/TLS configuration for %s. SNI will be required.", host); + end + if user_ssl_config.certificate and not user_ssl_config.key then return nil, "No key present in SSL/TLS configuration for "..host; end end for option in pairs(path_options) do -- cgit v1.2.3 From 1f33d9c6bb1310ba153580cfdb8d1d36a838f2b7 Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Fri, 29 Nov 2019 23:24:14 +0100 Subject: core.portmanager: Fix TLS context inheritance for SNI hosts (completes SNI support) --- core/certmanager.lua | 1 + 1 file changed, 1 insertion(+) (limited to 'core/certmanager.lua') diff --git a/core/certmanager.lua b/core/certmanager.lua index b20a0cdb..663cebb4 100644 --- a/core/certmanager.lua +++ b/core/certmanager.lua @@ -252,4 +252,5 @@ return { create_context = create_context; reload_ssl_config = reload_ssl_config; find_cert = find_cert; + find_host_cert = find_host_cert; }; -- cgit v1.2.3 From fb5e6faad6782d9b034e7b19656c944529d5d538 Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Sun, 7 Jun 2020 02:12:50 +0200 Subject: core.certmanager: Add TODO about LuaSec issue --- core/certmanager.lua | 3 +++ 1 file changed, 3 insertions(+) (limited to 'core/certmanager.lua') diff --git a/core/certmanager.lua b/core/certmanager.lua index 91475467..023218fa 100644 --- a/core/certmanager.lua +++ b/core/certmanager.lua @@ -37,6 +37,9 @@ local config_path = prosody.paths.config or "."; local luasec_major, luasec_minor = ssl._VERSION:match("^(%d+)%.(%d+)"); local luasec_version = tonumber(luasec_major) * 100 + tonumber(luasec_minor); +-- TODO Use ssl.config instead of require here once we are sure that the fix +-- in LuaSec has been widely distributed +-- https://github.com/brunoos/luasec/issues/149 local luasec_has = softreq"ssl.config" or { algorithms = { ec = luasec_version >= 5; -- cgit v1.2.3