From a174420e52cdbc0c80680d76c750d0ac59c01870 Mon Sep 17 00:00:00 2001
From: Kim Alvefur
Date: Mon, 26 Apr 2021 15:30:13 +0200
Subject: core.certmanager: Attempt to directly access LuaSec config table

Due to a bug this field was not properly exported before See https://github.com/brunoos/luasec/issues/149
---
 core/certmanager.lua | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'core')
diff --git a/core/certmanager.lua b/core/certmanager.lua
index 20b91318..85a24d3d 100644
--- a/core/certmanager.lua
+++ b/core/certmanager.lua
@@ -38,7 +38,7 @@ local config_path = prosody.paths.config or ".";
 
 local luasec_major, luasec_minor = ssl._VERSION:match("^(%d+)%.(%d+)");
 local luasec_version = tonumber(luasec_major) * 100 + tonumber(luasec_minor);
-local luasec_has = softreq"ssl.config" or {
+local luasec_has = ssl.config or softreq"ssl.config" or {
 algorithms = {
 ec = luasec_version >= 5;
 };
-- cgit v1.2.3
From b369dea3d885a0a5efe882f75f5e90704cb95e87 Mon Sep 17 00:00:00 2001
From: Kim Alvefur
Date: Mon, 26 Apr 2021 15:32:05 +0200
Subject: core.certmanager: Test for SSL options in absence of LuaSec config
---
 core/certmanager.lua | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
(limited to 'core')
diff --git a/core/certmanager.lua b/core/certmanager.lua
index 85a24d3d..b0c7039d 100644
--- a/core/certmanager.lua
+++ b/core/certmanager.lua
@@ -36,6 +36,10 @@ local prosody = prosody;
 local resolve_path = require"util.paths".resolve_relative_path;
 local config_path = prosody.paths.config or ".";
 
+local function test_option(option)
+ return not not ssl_newcontext({mode="server",protocol="sslv23",options={ option }});
+end
+
 local luasec_major, luasec_minor = ssl._VERSION:match("^(%d+)%.(%d+)");
 local luasec_version = tonumber(luasec_major) * 100 + tonumber(luasec_minor);
 local luasec_has = ssl.config or softreq"ssl.config" or {
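Review bot: The new `local luasec_has = ssl.config or softreq"ssl.config" or {` line tries the field on the `ssl` module before the separate `require`, with nothing in the code saying why, so a later reader is likely to treat the second lookup as redundant and fold it away; the reason given only in the commit message (the table is not always exported as its own module, luasec issue 149) belongs on the line itself: `-- ssl.config is not always requirable as its own module (brunoos/luasec#149); try the field first, then require, then the hand-written table`. Either lookup failing still lands on the hand-written capability table, so older LuaSec builds behave as before. That fallback table continues outside the hunk.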
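Review bot: `test_option` treats any failure of `ssl_newcontext` as "option not supported" (`not not` discards the error return), so a context-creation failure for an unrelated reason — an unaccepted `protocol` name on a given LuaSec build, for instance — silently turns a hardening flag off instead of surfacing an error, and the same fail-open applies to the five `test_option` probes in the next hunk that replace the version-number checks. Capture the second return and make the failure visible: `local ctx, err = ssl_newcontext({mode="server",protocol="sslv23",options={ option }});` then report `err` through the module's logger if one is in scope (not visible in this hunk), and `return ctx ~= nil;`. `ssl_newcontext` is defined outside the hunk; presumably it is `ssl.newcontext`, which returns `nil, message` on failure.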
@@ -46,11 +50,11 @@ local luasec_has = ssl.config or softreq"ssl.config" or {
 curves_list = luasec_version >= 7;
 };
 options = {
- cipher_server_preference = luasec_version >= 2;
- no_ticket = luasec_version >= 4;
- no_compression = luasec_version >= 5;
- single_dh_use = luasec_version >= 2;
- single_ecdh_use = luasec_version >= 2;
+ cipher_server_preference = test_option("cipher_server_preference");
+ no_ticket = test_option("no_ticket");
+ no_compression = test_option("no_compression");
+ single_dh_use = test_option("single_dh_use");
+ single_ecdh_use = test_option("single_ecdh_use");
 };
 };
 
-- cgit v1.2.3
From f0c2ed120130778f3a6ef59e41d1deb1667e9f3f Mon Sep 17 00:00:00 2001
From: Matthew Wild
Date: Tue, 11 May 2021 14:14:15 +0100
Subject: certmanager: Disable renegotiation by default

This requires LuaSec 0.7+ and OpenSSL 1.1.1+
---
 core/certmanager.lua | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'core')
diff --git a/core/certmanager.lua b/core/certmanager.lua
index b0c7039d..d8d07636 100644
--- a/core/certmanager.lua
+++ b/core/certmanager.lua
@@ -55,6 +55,7 @@ local luasec_has = ssl.config or softreq"ssl.config" or {
 no_compression = test_option("no_compression");
 single_dh_use = test_option("single_dh_use");
 single_ecdh_use = test_option("single_ecdh_use");
+ no_renegotiation = test_option("no_renegotiation");
 };
 };
 
@@ -119,6 +120,7 @@ local core_defaults = {
 no_compression = luasec_has.options.no_compression and configmanager.get("*", "ssl_compression") ~= true;
 single_dh_use = luasec_has.options.single_dh_use;
 single_ecdh_use = luasec_has.options.single_ecdh_use;
+ no_renegotiation = luasec_has.options.no_renegotiation;
 };
 verifyext = { "lsec_continue", "lsec_ignore_purpose" };
 curve = luasec_has.algorithms.ec and not luasec_has.capabilities.curves_list and "secp384r1";
-- cgit v1.2.3
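Review bot: In the `@@ -55,6 +55,7 @@` hunk `no_renegotiation` is added to the hand-written fallback table with no note that it exists only on LuaSec 0.7+ with OpenSSL 1.1.1+ (stated only in the commit message), and because `test_option` yields `false` on older builds the flag is dropped silently; a reader of this table cannot tell which entries are expected to be false on which builds. Suggest `-- needs LuaSec 0.7+ and OpenSSL 1.1.1+; the probe yields false elsewhere` on the new line. The enclosing `options` table belongs to `luasec_has`, whose start is outside the hunk.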
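Review bot: In the `@@ -119,6 +120,7 @@` hunk `no_renegotiation` is copied straight from `luasec_has.options.no_renegotiation`, so on a build where the flag is unavailable the default silently reverts to permitting TLS renegotiation with nothing in the log to tell an operator that the intended hardening is absent; `no_compression` two lines up at least ties its value to a config setting, while this entry has neither an override nor a warning. I'd emit a one-time warning when the capability is missing, e.g. `if not luasec_has.options.no_renegotiation then log("warn", "LuaSec/OpenSSL too old to disable TLS renegotiation"); end` placed after `luasec_has` is built, adjusting the `log` call to whatever logger this module uses (not visible in the hunk). `core_defaults` begins outside the hunk.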