projects / prosody.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
mod_admin_telnet: Don't rely on getpeerchain returning an empty list
[prosody.git] / core / certmanager.lua
diff --git a/core/certmanager.lua b/core/certmanager.lua
index 1b1615a1aca741fa5e2f5ac1ac1e856d2da688d9..b91f7110b57205be6335a2e047200dc4b597b94c 100644 (file)
--- a/core/certmanager.lua
+++ b/core/certmanager.lua
@@ -11,19 +11,34 @@ local log = require "util.logger".init("certmanager");
 local ssl = ssl;
 local ssl_newcontext = ssl and ssl.newcontext;
 
-local setmetatable, tostring = setmetatable, tostring;
+local tostring = tostring;
 
 local prosody = prosody;
 local resolve_path = configmanager.resolve_relative_path;
 local config_path = prosody.paths.config;
 
+local luasec_has_noticket, luasec_has_verifyext;
+if ssl then
+       local luasec_major, luasec_minor = ssl._VERSION:match("^(%d+)%.(%d+)");
+       luasec_has_noticket = tonumber(luasec_major)>0 or tonumber(luasec_minor)>=4;
+       luasec_has_verifyext = tonumber(luasec_major)>0 or tonumber(luasec_minor)>=5;
+end
+
 module "certmanager"
 
 -- Global SSL options if not overridden per-host
-local default_ssl_config = configmanager.get("*", "core", "ssl");
+local default_ssl_config = configmanager.get("*", "ssl");
 local default_capath = "/etc/ssl/certs";
-local default_verify = (ssl and ssl.x509 and { "peer", "client_once", "continue", "ignore_purpose" }) or "none";
-local default_options = { "no_sslv2", "no_ticket" };
+local default_verify = (ssl and ssl.x509 and { "peer", "client_once", }) or "none";
+local default_options = { "no_sslv2", luasec_has_noticket and "no_ticket" or nil };
+local default_verifyext = { "lsec_continue", "lsec_ignore_purpose" };
+
+if ssl and not luasec_has_verifyext and ssl.x509 then
+       -- COMPAT mw/luasec-hg
+       for i=1,#default_verifyext do -- Remove lsec_ prefix
+               default_verify[#default_verify+1] = default_verifyext[i]:sub(6);
+       end
+end
 
 function create_context(host, mode, user_ssl_config)
        user_ssl_config = user_ssl_config or default_ssl_config;
@@ -40,6 +55,7 @@ function create_context(host, mode, user_ssl_config)
                capath = resolve_path(config_path, user_ssl_config.capath or default_capath);
                cafile = resolve_path(config_path, user_ssl_config.cafile);
                verify = user_ssl_config.verify or default_verify;
+               verifyext = user_ssl_config.verifyext or default_verifyext;
                options = user_ssl_config.options or default_options;
                depth = user_ssl_config.depth;
        };
@@ -75,7 +91,7 @@ function create_context(host, mode, user_ssl_config)
                        else
                                reason = "Reason: "..tostring(reason):lower();
                        end
-                       log("error", "SSL/TLS: Failed to load %s: %s (for %s)", file, reason, host);
+                       log("error", "SSL/TLS: Failed to load '%s': %s (for %s)", file, reason, host);
                else
                        log("error", "SSL/TLS: Error initialising for %s: %s", host, err);
                end
@@ -84,7 +100,7 @@ function create_context(host, mode, user_ssl_config)
 end
 
 function reload_ssl_config()
-       default_ssl_config = configmanager.get("*", "core", "ssl");
+       default_ssl_config = configmanager.get("*", "ssl");
 end
 
 prosody.events.add_handler("config-reloaded", reload_ssl_config);