local setmetatable, tostring = setmetatable, tostring;
local prosody = prosody;
-local resolve_path = prosody.resolve_relative_path;
+local resolve_path = configmanager.resolve_relative_path;
local config_path = prosody.paths.config;
module "certmanager"
-- Global SSL options if not overridden per-host
local default_ssl_config = configmanager.get("*", "core", "ssl");
local default_capath = "/etc/ssl/certs";
+local default_verify = (ssl and ssl.x509 and { "peer", "client_once", "continue", "ignore_purpose" }) or "none";
+local default_options = { "no_sslv2" };
-function create_context(host, mode, config)
- local user_ssl_config = config and config.core.ssl or default_ssl_config;
+function create_context(host, mode, user_ssl_config)
+ user_ssl_config = user_ssl_config or default_ssl_config;
if not ssl then return nil, "LuaSec (required for encryption) was not found"; end
if not user_ssl_config then return nil, "No SSL/TLS configuration present for "..host; end
certificate = resolve_path(config_path, user_ssl_config.certificate);
capath = resolve_path(config_path, user_ssl_config.capath or default_capath);
cafile = resolve_path(config_path, user_ssl_config.cafile);
- verify = user_ssl_config.verify or "none";
- options = user_ssl_config.options or "no_sslv2";
+ verify = user_ssl_config.verify or default_verify;
+ options = user_ssl_config.options or default_options;
ciphers = user_ssl_config.ciphers;
depth = user_ssl_config.depth;
};
projects / prosody.git / blobdiff