local luasec_version = luasec_major * 100 + luasec_minor;
local luasec_has = {
-- TODO If LuaSec ever starts exposing these things itself, use that instead
- cipher_server_preference = true;
+ cipher_server_preference = luasec_version >= 2;
no_ticket = luasec_version >= 4;
no_compression = luasec_version >= 5;
- single_dh_use = luasec_version >= 5;
- single_ecdh_use = luasec_version >= 5;
+ single_dh_use = luasec_version >= 2;
+ single_ecdh_use = luasec_version >= 2;
};
-module "certmanager"
+local _ENV = nil;
-- Global SSL options if not overridden per-host
local global_ssl_config = configmanager.get("*", "ssl");
-- Built-in defaults
local core_defaults = {
capath = "/etc/ssl/certs";
+ depth = 9;
protocol = "tlsv1+";
verify = (ssl_x509 and { "peer", "client_once", }) or "none";
options = {
key = true, certificate = true, cafile = true, capath = true, dhparam = true
}
-if not luasec_has_verifyext and ssl_x509 then
+if luasec_version < 5 and ssl_x509 then
-- COMPAT mw/luasec-hg
for i=1,#core_defaults.verifyext do -- Remove lsec_ prefix
core_defaults.verify[#core_defaults.verify+1] = core_defaults.verifyext[i]:sub(6);
end
end
-function create_context(host, mode, ...)
+local function create_context(host, mode, ...)
local cfg = new_config();
cfg:apply(core_defaults);
cfg:apply(global_ssl_config);
for option in pairs(path_options) do
if type(user_ssl_config[option]) == "string" then
user_ssl_config[option] = resolve_path(config_path, user_ssl_config[option]);
+ else
+ user_ssl_config[option] = nil;
end
end
return ctx, err, user_ssl_config;
end
-function reload_ssl_config()
+local function reload_ssl_config()
global_ssl_config = configmanager.get("*", "ssl");
if luasec_has.no_compression then
core_defaults.options.no_compression = configmanager.get("*", "ssl_compression") ~= true;
prosody.events.add_handler("config-reloaded", reload_ssl_config);
-return _M;
+return {
+ create_context = create_context;
+ reload_ssl_config = reload_ssl_config;
+};