From 05d6f3e7136d1ca40429ccfbd87f664280551af7 Mon Sep 17 00:00:00 2001
From: Kim Alvefur <zash@zash.se>
Date: Mon, 14 Apr 2014 23:00:44 +0200
Subject: certmanager: Check for non-nil values instead of true-ish values,
 allows removing defaults

---
 core/certmanager.lua | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'core')

diff --git a/core/certmanager.lua b/core/certmanager.lua
index 9dfb8f3a..957923f5 100644
--- a/core/certmanager.lua
+++ b/core/certmanager.lua
@@ -69,13 +69,14 @@ function create_context(host, mode, user_ssl_config)
 
 	if global_ssl_config then
 		for option,default_value in pairs(global_ssl_config) do
-			if not user_ssl_config[option] then
+			if user_ssl_config[option] == nil then
 				user_ssl_config[option] = default_value;
 			end
 		end
 	end
+
 	for option,default_value in pairs(core_defaults) do
-		if not user_ssl_config[option] then
+		if user_ssl_config[option] == nil then
 			user_ssl_config[option] = default_value;
 		end
 	end
-- 
cgit v1.2.3


From cdf5ff917636530444553e297736a7e153ae6909 Mon Sep 17 00:00:00 2001
From: Kim Alvefur <zash@zash.se>
Date: Mon, 14 Apr 2014 23:09:28 +0200
Subject: certmanager: Allow non-server contexts to be without certificate and
 key

---
 core/certmanager.lua | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'core')

diff --git a/core/certmanager.lua b/core/certmanager.lua
index 957923f5..6a53f5b2 100644
--- a/core/certmanager.lua
+++ b/core/certmanager.lua
@@ -87,8 +87,10 @@ function create_context(host, mode, user_ssl_config)
 		end
 	end
 
-	if not user_ssl_config.key then return nil, "No key present in SSL/TLS configuration for "..host; end
-	if not user_ssl_config.certificate then return nil, "No certificate present in SSL/TLS configuration for "..host; end
+	if mode == "server" then
+		if not user_ssl_config.key then return nil, "No key present in SSL/TLS configuration for "..host; end
+		if not user_ssl_config.certificate then return nil, "No certificate present in SSL/TLS configuration for "..host; end
+	end
 
 	-- LuaSec expects dhparam to be a callback that takes two arguments.
 	-- We ignore those because it is mostly used for having a separate
-- 
cgit v1.2.3


From c2da2e47e19128f797ddc37c3d1167adef3af875 Mon Sep 17 00:00:00 2001
From: Kim Alvefur <zash@zash.se>
Date: Mon, 14 Apr 2014 23:34:35 +0200
Subject: certmanager: Concatenate cipher list if given as a table

---
 core/certmanager.lua | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'core')

diff --git a/core/certmanager.lua b/core/certmanager.lua
index 6a53f5b2..879d6131 100644
--- a/core/certmanager.lua
+++ b/core/certmanager.lua
@@ -15,6 +15,7 @@ local tostring = tostring;
 local pairs = pairs;
 local type = type;
 local io_open = io.open;
+local t_concat = table.concat;
 
 local prosody = prosody;
 local resolve_path = configmanager.resolve_relative_path;
@@ -87,6 +88,11 @@ function create_context(host, mode, user_ssl_config)
 		end
 	end
 
+	-- Allow the cipher list to be a table
+	if type(user_ssl_config.ciphers) == "table" then
+		user_ssl_config.ciphers = t_concat(user_ssl_config.ciphers, ":")
+	end
+
 	if mode == "server" then
 		if not user_ssl_config.key then return nil, "No key present in SSL/TLS configuration for "..host; end
 		if not user_ssl_config.certificate then return nil, "No certificate present in SSL/TLS configuration for "..host; end
-- 
cgit v1.2.3


From a0daf05646300692a3a3a71b1011f35df32fe01f Mon Sep 17 00:00:00 2001
From: Kim Alvefur <zash@zash.se>
Date: Mon, 14 Apr 2014 23:41:26 +0200
Subject: certmanager: Wrap long line and add comment

---
 core/certmanager.lua | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'core')

diff --git a/core/certmanager.lua b/core/certmanager.lua
index 879d6131..5cbec241 100644
--- a/core/certmanager.lua
+++ b/core/certmanager.lua
@@ -81,7 +81,11 @@ function create_context(host, mode, user_ssl_config)
 			user_ssl_config[option] = default_value;
 		end
 	end
-	user_ssl_config.password = user_ssl_config.password or function() log("error", "Encrypted certificate for %s requires 'ssl' 'password' to be set in config", host); end;
+
+	-- We can't read the password interactively when daemonized
+	user_ssl_config.password = user_ssl_config.password or
+		function() log("error", "Encrypted certificate for %s requires 'ssl' 'password' to be set in config", host); end;
+
 	for option in pairs(path_options) do
 		if type(user_ssl_config[option]) == "string" then
 			user_ssl_config[option] = resolve_path(config_path, user_ssl_config[option]);
-- 
cgit v1.2.3


From 38b74a51ef9af3ce402eb543b55176e44faa37e5 Mon Sep 17 00:00:00 2001
From: Kim Alvefur <zash@zash.se>
Date: Tue, 15 Apr 2014 00:32:11 +0200
Subject: certmanager: Merge ssl.options, verify etc from core defaults and
 global ssl settings with inheritance while allowing options to be disabled
 per virtualhost

---
 core/certmanager.lua | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

(limited to 'core')

diff --git a/core/certmanager.lua b/core/certmanager.lua
index 5cbec241..cf745ad2 100644
--- a/core/certmanager.lua
+++ b/core/certmanager.lua
@@ -46,6 +46,9 @@ local core_defaults = {
 local path_options = { -- These we pass through resolve_path()
 	key = true, certificate = true, cafile = true, capath = true, dhparam = true
 }
+local set_options = {
+	options = true, verify = true, verifyext = true
+}
 
 if ssl and not luasec_has_verifyext and ssl.x509 then
 	-- COMPAT mw/luasec-hg
@@ -62,6 +65,18 @@ if luasec_has_no_compression then -- Has no_compression? Then it has these too..
 	end
 end
 
+local function merge_set(t, o)
+	if type(t) ~= "table" then t = { t } end
+	for k,v in pairs(t) do
+		if v == true or v == false then
+			o[k] = v;
+		else
+			o[v] = true;
+		end
+	end
+	return o;
+end
+
 function create_context(host, mode, user_ssl_config)
 	user_ssl_config = user_ssl_config or {}
 	user_ssl_config.mode = mode;
@@ -82,6 +97,20 @@ function create_context(host, mode, user_ssl_config)
 		end
 	end
 
+	for option in pairs(set_options) do
+		local merged = {};
+		merge_set(core_defaults[option], merged);
+		merge_set(global_ssl_config[option], merged);
+		merge_set(user_ssl_config[option], merged);
+		local final_array = {};
+		for opt, enable in pairs(merged) do
+			if enable then
+				final_array[#final_array+1] = opt;
+			end
+		end
+		user_ssl_config[option] = final_array;
+	end
+
 	-- We can't read the password interactively when daemonized
 	user_ssl_config.password = user_ssl_config.password or
 		function() log("error", "Encrypted certificate for %s requires 'ssl' 'password' to be set in config", host); end;
-- 
cgit v1.2.3


From 9f51849d633d5c146e8b755a12c6c0e4d601fb6e Mon Sep 17 00:00:00 2001
From: Kim Alvefur <zash@zash.se>
Date: Tue, 15 Apr 2014 00:45:07 +0200
Subject: certmanager: Support ssl.protocol syntax like "tlsv1+" that disables
 older protocols

---
 core/certmanager.lua | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

(limited to 'core')

diff --git a/core/certmanager.lua b/core/certmanager.lua
index cf745ad2..3741145d 100644
--- a/core/certmanager.lua
+++ b/core/certmanager.lua
@@ -36,9 +36,9 @@ local global_ssl_config = configmanager.get("*", "ssl");
 
 local core_defaults = {
 	capath = "/etc/ssl/certs";
-	protocol = "sslv23";
+	protocol = "tlsv1+";
 	verify = (ssl and ssl.x509 and { "peer", "client_once", }) or "none";
-	options = { "no_sslv2", "no_sslv3", "cipher_server_preference", luasec_has_noticket and "no_ticket" or nil };
+	options = { "cipher_server_preference", luasec_has_noticket and "no_ticket" or nil };
 	verifyext = { "lsec_continue", "lsec_ignore_purpose" };
 	curve = "secp384r1";
 	ciphers = "HIGH+kEDH:HIGH+kEECDH:HIGH:!PSK:!SRP:!3DES:!aNULL";
@@ -77,6 +77,9 @@ local function merge_set(t, o)
 	return o;
 end
 
+local protocols = { "sslv2", "sslv3", "tlsv1", "tlsv1_1", "tlsv1_2" };
+for i = 1, #protocols do protocols[protocols[i] .. "+"] = i - 1; end
+
 function create_context(host, mode, user_ssl_config)
 	user_ssl_config = user_ssl_config or {}
 	user_ssl_config.mode = mode;
@@ -97,6 +100,14 @@ function create_context(host, mode, user_ssl_config)
 		end
 	end
 
+	local min_protocol = protocols[user_ssl_config.protocol];
+	if min_protocol then
+		user_ssl_config.protocol = "sslv23";
+		for i = min_protocol, 1, -1 do
+			user_ssl_config.options["no_"..protocols[i]] = true;
+		end
+	end
+
 	for option in pairs(set_options) do
 		local merged = {};
 		merge_set(core_defaults[option], merged);
-- 
cgit v1.2.3


From 1d19874ae8b891a5b1d0e9714af6e126fd86dd4a Mon Sep 17 00:00:00 2001
From: Kim Alvefur <zash@zash.se>
Date: Tue, 15 Apr 2014 00:49:17 +0200
Subject: certmanager: Reformat core ssl defaults

---
 core/certmanager.lua | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

(limited to 'core')

diff --git a/core/certmanager.lua b/core/certmanager.lua
index 3741145d..012eb933 100644
--- a/core/certmanager.lua
+++ b/core/certmanager.lua
@@ -34,11 +34,19 @@ module "certmanager"
 -- Global SSL options if not overridden per-host
 local global_ssl_config = configmanager.get("*", "ssl");
 
+-- Built-in defaults
 local core_defaults = {
 	capath = "/etc/ssl/certs";
 	protocol = "tlsv1+";
 	verify = (ssl and ssl.x509 and { "peer", "client_once", }) or "none";
-	options = { "cipher_server_preference", luasec_has_noticket and "no_ticket" or nil };
+	options = {
+		cipher_server_preference = true;
+		no_ticket = luasec_has_noticket;
+		no_compression = luasec_has_no_compression and configmanager.get("*", "ssl_compression") ~= true;
+		-- Has no_compression? Then it has these too...
+		single_dh_use = luasec_has_no_compression;
+		single_ecdh_use = luasec_has_no_compression;
+	};
 	verifyext = { "lsec_continue", "lsec_ignore_purpose" };
 	curve = "secp384r1";
 	ciphers = "HIGH+kEDH:HIGH+kEECDH:HIGH:!PSK:!SRP:!3DES:!aNULL";
@@ -57,14 +65,6 @@ if ssl and not luasec_has_verifyext and ssl.x509 then
 	end
 end
 
-if luasec_has_no_compression then -- Has no_compression? Then it has these too...
-	core_defaults.options[#core_defaults.options+1] = "single_dh_use";
-	core_defaults.options[#core_defaults.options+1] = "single_ecdh_use";
-	if configmanager.get("*", "ssl_compression") ~= true then
-		core_defaults.options[#core_defaults.options+1] = "no_compression";
-	end
-end
-
 local function merge_set(t, o)
 	if type(t) ~= "table" then t = { t } end
 	for k,v in pairs(t) do
-- 
cgit v1.2.3


From 42c69fe33960001f3183582d0fceb57cbae72cb3 Mon Sep 17 00:00:00 2001
From: Kim Alvefur <zash@zash.se>
Date: Tue, 15 Apr 2014 01:02:56 +0200
Subject: certmanager: Update ssl_compression when config is reloaded

---
 core/certmanager.lua | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'core')

diff --git a/core/certmanager.lua b/core/certmanager.lua
index 012eb933..8f1e1520 100644
--- a/core/certmanager.lua
+++ b/core/certmanager.lua
@@ -194,6 +194,9 @@ end
 
 function reload_ssl_config()
 	global_ssl_config = configmanager.get("*", "ssl");
+	if luasec_has_no_compression then
+		core_defaults.options.no_compression = configmanager.get("*", "ssl_compression") ~= true;
+	end
 end
 
 prosody.events.add_handler("config-reloaded", reload_ssl_config);
-- 
cgit v1.2.3