From 781d8a4868990c95aca244c18335555fabaec85b Mon Sep 17 00:00:00 2001
From: Kim Alvefur
Date: Thu, 13 Sep 2018 21:17:37 +0200
Subject: core.portmanager: Use server.listen API
---
 core/portmanager.lua | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
(limited to 'core/portmanager.lua')
diff --git a/core/portmanager.lua b/core/portmanager.lua
index 1ed37da0..cf836634 100644
--- a/core/portmanager.lua
+++ b/core/portmanager.lua
@@ -126,7 +126,11 @@ local function activate(service_name)
 end
 if not err then
 -- Start listening on interface+port
- local handler, err = server.addserver(interface, port_number, listener, mode, ssl);
+ local handler, err = server.listen(interface, port_number, listener, {
+ read_size = mode,
+ tls_ctx = ssl,
+ tls_direct = service_info.encryption == "ssl";
+ });
 if not handler then
 log("error", "Failed to open server port %d on %s, %s", port_number, interface,
 error_to_friendly_message(service_name, port_number, err));
-- cgit v1.2.3
From 59f517457b5542d8533d43734f99036451d16d8b Mon Sep 17 00:00:00 2001
From: Kim Alvefur
Date: Wed, 10 Oct 2018 17:22:08 +0200
Subject: core.portmanager: Reduce scope of variable
Not sure why it was all the way out there, seems like there would have been unexpected behaviour from that
---
 core/portmanager.lua | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'core/portmanager.lua')
diff --git a/core/portmanager.lua b/core/portmanager.lua
index cf836634..db41e1ea 100644
--- a/core/portmanager.lua
+++ b/core/portmanager.lua
@@ -95,7 +95,7 @@ local function activate(service_name)
 }
 bind_ports = set.new(type(bind_ports) ~= "table" and { bind_ports } or bind_ports );
- local mode, ssl = listener.default_mode or default_mode;
+ local mode = listener.default_mode or default_mode;
 local hooked_ports = {};
 for interface in bind_interfaces do
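Review bot: The new options table mixes separators — `read_size = mode,` and `tls_ctx = ssl,` end in commas while `tls_direct = service_info.encryption == "ssl";` ends in a semicolon; pick one, e.g. `tls_direct = service_info.encryption == "ssl",`. The rewritten `local handler, err` also shadows the outer `err` that the enclosing `if not err then` tests, which luacheck reports as shadowing and which makes it easy to misread which error the later log line prints; a distinct name such as `local handler, listen_err` would remove the ambiguity. activate's body continues outside the hunk.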
@@ -107,7 +107,7 @@ local function activate(service_name)
 log("error", "Multiple services configured to listen on the same port ([%s]:%d): %s, %s", interface, port,
 active_services:search(nil, interface, port)[1][1].service.name or "", service_name or "");
 else
- local err;
+ local ssl, err;
 -- Create SSL context for this service/port
 if service_info.encryption == "ssl" then
 local global_ssl_config = config.get("*", "ssl") or {};
-- cgit v1.2.3
From 5313a0c5c608dccdee0b663f2072be05203980c0 Mon Sep 17 00:00:00 2001
From: Kim Alvefur
Date: Wed, 10 Oct 2018 17:23:03 +0200
Subject: core.portmanager: Record TLS config for each port
---
 core/portmanager.lua | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
(limited to 'core/portmanager.lua')
diff --git a/core/portmanager.lua b/core/portmanager.lua
index db41e1ea..17758a36 100644
--- a/core/portmanager.lua
+++ b/core/portmanager.lua
@@ -107,12 +107,12 @@ local function activate(service_name)
 log("error", "Multiple services configured to listen on the same port ([%s]:%d): %s, %s", interface, port,
 active_services:search(nil, interface, port)[1][1].service.name or "", service_name or "");
 else
- local ssl, err;
+ local ssl, cfg, err;
 -- Create SSL context for this service/port
 if service_info.encryption == "ssl" then
 local global_ssl_config = config.get("*", "ssl") or {};
 local prefix_ssl_config = config.get("*", config_prefix.."ssl") or global_ssl_config;
- ssl, err = certmanager.create_context(service_info.name.." port "..port, "server",
+ ssl, err, cfg = certmanager.create_context(service_info.name.." port "..port, "server",
 prefix_ssl_config[interface],
 prefix_ssl_config[port],
 prefix_ssl_config,
@@ -130,6 +130,7 @@ local function activate(service_name)
 read_size = mode,
 tls_ctx = ssl,
 tls_direct = service_info.encryption == "ssl";
+ sni_hosts = {},
 });
 if not handler then
 log("error", "Failed to open server port %d on %s, %s", port_number, interface,
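Review bot: `sni_hosts = {}` is handed to server.listen with nothing in this commit saying what fills it or reads it, and it is created for every service, including those whose `encryption` is not "ssl" and therefore pass `tls_ctx = nil`; a short comment would save the next reader a search, e.g. `sni_hosts = {}, -- per-host TLS contexts keyed by host name (empty here; filled in as hosts are added)`, if that is indeed its purpose. The new line also ends in a comma directly after `tls_direct = … "ssl";`, continuing the mixed separator style in this table. activate's body continues outside the hunk.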
@@ -140,6 +141,7 @@ local function activate(service_name)
 active_services:add(service_name, interface, port_number, {
 server = handler;
 service = service_info;
+ tls_cfg = cfg;
 });
 end
 end
-- cgit v1.2.3
From 2878ed99a5780d3de6714f1f8141fa6f1661f2cb Mon Sep 17 00:00:00 2001
From: Kim Alvefur
Date: Fri, 14 Sep 2018 01:30:56 +0200
Subject: core.portmanager: Collect per-host certificates for SNI
---
 core/portmanager.lua | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)
(limited to 'core/portmanager.lua')
diff --git a/core/portmanager.lua b/core/portmanager.lua
index 17758a36..5aef07d7 100644
--- a/core/portmanager.lua
+++ b/core/portmanager.lua
@@ -10,6 +10,7 @@ local set = require "util.set";
 local table = table;
 local setmetatable, rawset, rawget = setmetatable, rawset, rawget;
 local type, tonumber, tostring, ipairs = type, tonumber, tostring, ipairs;
+local pairs = pairs;
 local prosody = prosody;
 local fire_event = prosody.events.fire_event;
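Review bot: `tls_cfg = cfg;` records the value for every service, but in this commit's other hunk `cfg` is assigned only inside `if service_info.encryption == "ssl" then`, so for plain-TCP services the field is nil and any later consumer has to treat its absence as "no TLS on this port"; that contract deserves a note at the field, e.g. `tls_cfg = cfg; -- nil for services without direct TLS`. activate's body starts outside the hunk.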
@@ -227,15 +228,55 @@ end
 -- Event handlers
+local function add_sni_host(host, service)
+ -- local global_ssl_config = config.get(host, "ssl") or {};
+ for name, interface, port, n, active_service --luacheck: ignore 213
+ in active_services:iter(service, nil, nil, nil) do
+ if active_service.server.hosts and active_service.tls_cfg then
+ -- local config_prefix = (active_service.config_prefix or name).."_";
+ -- if config_prefix == "_" then
+ -- config_prefix = "";
+ -- end
+ -- local prefix_ssl_config = config.get(host, config_prefix.."ssl") or global_ssl_config;
+ -- FIXME only global 'ssl' settings are mixed in here
+ -- TODO per host and per service settings should be merged in,
+ -- without overriding the per-host certificate
+ local ssl, err, cfg = certmanager.create_context(host, "server");
+ if ssl then
+ active_service.server.hosts[host] = ssl;
+ if not active_service.tls_cfg.certificate then
+ active_service.server.tls_ctx = ssl;
+ active_service.tls_cfg = cfg;
+ end
+ else
+ log("error", "err = %q", err);
+ end
+ end
+ end
+end
 prosody.events.add_handler("item-added/net-provider", function (event)
 local item = event.item;
 register_service(item.name, item);
+ for host in pairs(prosody.hosts) do
+ add_sni_host(host, item.name);
+ end
 end);
 prosody.events.add_handler("item-removed/net-provider", function (event)
 local item = event.item;
 unregister_service(item.name, item);
 end);
+prosody.events.add_handler("host-activated", add_sni_host);
+prosody.events.add_handler("host-deactivated", function (host)
+ for name, interface, port, n, active_service --luacheck: ignore 213
+ in active_services:iter(nil, nil, nil, nil) do
+ if active_service.tls_cfg then
+ active_service.server.hosts[host] = nil;
+ end
+ end
+end);
 return {
 activate = activate;
 deactivate = deactivate;
-- cgit v1.2.3
From 73beabd065c7cc08b1da06938e7df166c1f35c69 Mon Sep 17 00:00:00 2001
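Review bot: The two handlers guard differently: add_sni_host only touches `active_service.server.hosts[host]` when both `active_service.server.hosts` and `active_service.tls_cfg` are set, but the host-deactivated handler checks only `active_service.tls_cfg` before executing `active_service.server.hosts[host] = nil;`, so a service with a `tls_cfg` but no `hosts` table would raise on host deactivation; use the same guard there, `if active_service.tls_cfg and active_service.server.hosts then`. Separately, once the first host with a certificate is promoted to the listener's default context via `active_service.server.tls_ctx = ssl;`, deactivating that host removes only its `hosts` entry, so the default context keeps presenting that host's certificate until the service is restarted — if that is intended it should be commented, otherwise the default needs resetting in the deactivation handler as well.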
From: Kim Alvefur
Date: Tue, 30 Jul 2019 02:19:54 +0200
Subject: core.portmanager: Remove tostring call from logging
Taken care of by loggingmanager now
---
 core/portmanager.lua | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'core/portmanager.lua')
diff --git a/core/portmanager.lua b/core/portmanager.lua
index 9eb40abf..7ba13dfd 100644
--- a/core/portmanager.lua
+++ b/core/portmanager.lua
@@ -103,7 +103,7 @@ local function activate(service_name)
 for port in bind_ports do
 local port_number = tonumber(port);
 if not port_number then
- log("error", "Invalid port number specified for service '%s': %s", service_info.name, tostring(port));
+ log("error", "Invalid port number specified for service '%s': %s", service_info.name, port);
 elseif #active_services:search(nil, interface, port_number) > 0 then
 log("error", "Multiple services configured to listen on the same port ([%s]:%d): %s, %s", interface, port,
 active_services:search(nil, interface, port)[1][1].service.name or "", service_name or "");
-- cgit v1.2.3
From e3276738b31e4afc377b3a8991b9cf771b7d5309 Mon Sep 17 00:00:00 2001
From: Kim Alvefur
Date: Tue, 30 Jul 2019 02:20:27 +0200
Subject: core.portmanager: Remove unused local [luacheck]
---
 core/portmanager.lua | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'core/portmanager.lua')
diff --git a/core/portmanager.lua b/core/portmanager.lua
index 7ba13dfd..55868c34 100644
--- a/core/portmanager.lua
+++ b/core/portmanager.lua
@@ -9,7 +9,7 @@ local set = require "util.set";
 local table = table;
 local setmetatable, rawset, rawget = setmetatable, rawset, rawget;
-local type, tonumber, tostring, ipairs = type, tonumber, tostring, ipairs;
+local type, tonumber, ipairs = type, tonumber, ipairs;
 local pairs = pairs;
 local prosody = prosody;
-- cgit v1.2.3
From b65b591c7a19f17f73097e3120f0d13c7dd49886 Mon Sep 17 00:00:00 2001
From: Kim Alvefur
Date: Fri, 29 Nov 2019 23:22:29 +0100
Subject: core.portmanager: Don't set the first TLS context with a cert as main context
Don't think this works and it's apparently acceptable to require SNI these days.
---
 core/portmanager.lua | 4 ----
 1 file changed, 4 deletions(-)
(limited to 'core/portmanager.lua')
diff --git a/core/portmanager.lua b/core/portmanager.lua
index 55868c34..e94720dd 100644
--- a/core/portmanager.lua
+++ b/core/portmanager.lua
@@ -245,10 +245,6 @@ local function add_sni_host(host, service)
 local ssl, err, cfg = certmanager.create_context(host, "server");
 if ssl then
 active_service.server.hosts[host] = ssl;
- if not active_service.tls_cfg.certificate then
- active_service.server.tls_ctx = ssl;
- active_service.tls_cfg = cfg;
- end
 else
 log("error", "err = %q", err);
 end
-- cgit v1.2.3
From 1f33d9c6bb1310ba153580cfdb8d1d36a838f2b7 Mon Sep 17 00:00:00 2001
From: Kim Alvefur
Date: Fri, 29 Nov 2019 23:24:14 +0100
Subject: core.portmanager: Fix TLS context inheritance for SNI hosts (completes SNI support)
---
 core/portmanager.lua | 15 +++++----------
 1 file changed, 5 insertions(+), 10 deletions(-)
(limited to 'core/portmanager.lua')
diff --git a/core/portmanager.lua b/core/portmanager.lua
index e94720dd..fced3f8f 100644
--- a/core/portmanager.lua
+++ b/core/portmanager.lua
@@ -230,19 +230,14 @@ end
 -- Event handlers
 local function add_sni_host(host, service)
- -- local global_ssl_config = config.get(host, "ssl") or {};
 for name, interface, port, n, active_service --luacheck: ignore 213
 in active_services:iter(service, nil, nil, nil) do
 if active_service.server.hosts and active_service.tls_cfg then
- -- local config_prefix = (active_service.config_prefix or name).."_";
- -- if config_prefix == "_" then
- -- config_prefix = "";
- -- end
- -- local prefix_ssl_config = config.get(host, config_prefix.."ssl") or global_ssl_config;
- -- FIXME only global 'ssl' settings are mixed in here
- -- TODO per host and per service settings should be merged in,
- -- without overriding the per-host certificate
- local ssl, err, cfg = certmanager.create_context(host, "server");
+ local config_prefix = (active_service.config_prefix or name).."_";
+ if config_prefix == "_" then config_prefix = ""; end
+ local prefix_ssl_config = config.get(host, config_prefix.."ssl");
+ local autocert = certmanager.find_host_cert(host);
+ local ssl, err, cfg = certmanager.create_context(host, "server", prefix_ssl_config, autocert, active_service.tls_cfg);
 if ssl then
 active_service.server.hosts[host] = ssl;
 else
-- cgit v1.2.3
From 46142132167a7d73193739ba7a832bec610223b0 Mon Sep 17 00:00:00 2001
From: Kim Alvefur
Date: Sat, 30 Nov 2019 16:40:04 +0100
Subject: core.portmanager: Complete error message for SNI TLS context problems
---
 core/portmanager.lua | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'core/portmanager.lua')
diff --git a/core/portmanager.lua b/core/portmanager.lua
index fced3f8f..99656e3e 100644
--- a/core/portmanager.lua
+++ b/core/portmanager.lua
@@ -241,7 +241,7 @@ local function add_sni_host(host, service)
 if ssl then
 active_service.server.hosts[host] = ssl;
 else
- log("error", "err = %q", err);
+ log("error", "Error creating TLS context for SNI host %s: %s", host, err);
 end
 end
 end
-- cgit v1.2.3
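Review bot: `active_service.config_prefix` is read here to choose the `<prefix>ssl` option, but in the hunks visible in this series `active_services:add` stores only `server`, `service` and `tls_cfg`, so unless the field is set somewhere outside these hunks it is always nil and the iterator's `name` silently becomes the prefix; if activate derives its own `config_prefix` by a different rule (that code is outside the hunks), the listener's context and the per-host SNI contexts could end up reading different configuration keys. Recording the prefix when the service is added, `config_prefix = config_prefix;` next to `tls_cfg = cfg;` in activate (assuming that local is still in scope at the add call), would make both paths agree. `cfg` from create_context is no longer used in this body; either drop it, `local ssl, err = certmanager.create_context(...)`, or mark it so luacheck does not flag it. add_sni_host's body continues outside the hunk.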
From c4c6a44c3089cafa59bdea640e0a2e90951a9058 Mon Sep 17 00:00:00 2001
From: Kim Alvefur
Date: Mon, 23 Dec 2019 21:26:51 +0100
Subject: core.portmanager: Ignore unused return variable [luacheck]
---
 core/portmanager.lua | 1 +
 1 file changed, 1 insertion(+)
(limited to 'core/portmanager.lua')
diff --git a/core/portmanager.lua b/core/portmanager.lua
index 99656e3e..0712f5ac 100644
--- a/core/portmanager.lua
+++ b/core/portmanager.lua
@@ -237,6 +237,7 @@ local function add_sni_host(host, service)
 if config_prefix == "_" then config_prefix = ""; end
 local prefix_ssl_config = config.get(host, config_prefix.."ssl");
 local autocert = certmanager.find_host_cert(host);
+ -- luacheck: ignore 211/cfg
 local ssl, err, cfg = certmanager.create_context(host, "server", prefix_ssl_config, autocert, active_service.tls_cfg);
 if ssl then
 active_service.server.hosts[host] = ssl;
-- cgit v1.2.3
From e4f830812fe66033ad1344795def93537d159d62 Mon Sep 17 00:00:00 2001
From: Matthew Wild
Date: Wed, 5 Feb 2020 17:41:40 +0000
Subject: portmanager: Don't auto-start network services under prosodyctl
---
 core/portmanager.lua | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'core/portmanager.lua')
diff --git a/core/portmanager.lua b/core/portmanager.lua
index 0712f5ac..2f9aa8b2 100644
--- a/core/portmanager.lua
+++ b/core/portmanager.lua
@@ -170,7 +170,7 @@ end
 local function register_service(service_name, service_info)
 table.insert(services[service_name], service_info);
- if not active_services:get(service_name) then
+ if not active_services:get(service_name) and prosody.process_type == "prosody" then
 log("debug", "No active service for %s, activating...", service_name);
 local ok, err = activate(service_name);
 if not ok then
-- cgit v1.2.3
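Review bot: With the new `and prosody.process_type == "prosody"` clause, register_service skips activation silently in every other process type (prosodyctl, presumably, and anything that leaves `process_type` unset) — the only log line, `"No active service for %s, activating..."`, sits inside the branch that no longer runs, so nothing records that a service was registered but deliberately left unbound. A comment on the condition would capture the intent for the next reader, e.g. `-- Only the main server process opens listening sockets; other process types just record the service`, and a debug line in an `else` branch, `log("debug", "Not activating %s in process type %s", service_name, prosody.process_type);`, would make the skip visible when debugging a port that never opened. register_service's body continues outside the hunk.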