X-Git-Url: https://git.enpas.org/?a=blobdiff_plain;f=core%2Fcertmanager.lua;h=d6784a968f68d16c2f7f840576df0fcfc7b63913;hb=c005fe20c462800b230a6182766d2e678ae48706;hp=3809265440481752a61650a301f2a342edb65be1;hpb=488475803dd376e953223f92ce196bee8696fc18;p=prosody.git diff --git a/core/certmanager.lua b/core/certmanager.lua index 38092654..d6784a96 100644 --- a/core/certmanager.lua +++ b/core/certmanager.lua @@ -11,22 +11,45 @@ local log = require "util.logger".init("certmanager"); local ssl = ssl; local ssl_newcontext = ssl and ssl.newcontext; -local setmetatable, tostring = setmetatable, tostring; +local tostring = tostring; +local type = type; +local io_open = io.open; local prosody = prosody; local resolve_path = configmanager.resolve_relative_path; local config_path = prosody.paths.config; -local luasec_major, luasec_minor = ssl._VERSION:match("^(%d+)%.(%d+)"); -local luasec_has_noticket = tonumber(luasec_major)>0 or tonumber(luasec_minor)>=4; +local luasec_has_noticket, luasec_has_verifyext, luasec_has_no_compression; +if ssl then + local luasec_major, luasec_minor = ssl._VERSION:match("^(%d+)%.(%d+)"); + luasec_has_noticket = tonumber(luasec_major)>0 or tonumber(luasec_minor)>=4; + luasec_has_verifyext = tonumber(luasec_major)>0 or tonumber(luasec_minor)>=5; + luasec_has_no_compression = tonumber(luasec_major)>0 or tonumber(luasec_minor)>=5; +end module "certmanager" -- Global SSL options if not overridden per-host -local default_ssl_config = configmanager.get("*", "core", "ssl"); +local default_ssl_config = configmanager.get("*", "ssl"); local default_capath = "/etc/ssl/certs"; -local default_verify = (ssl and ssl.x509 and { "peer", "client_once", "continue", "ignore_purpose" }) or "none"; -local default_options = { "no_sslv2", luasec_has_noticket and "no_ticket" or nil }; +local default_verify = (ssl and ssl.x509 and { "peer", "client_once", }) or "none"; +local default_options = { "no_sslv2", "cipher_server_preference", luasec_has_noticket and "no_ticket" or nil }; +local default_verifyext = { "lsec_continue", "lsec_ignore_purpose" }; + +if ssl and not luasec_has_verifyext and ssl.x509 then + -- COMPAT mw/luasec-hg + for i=1,#default_verifyext do -- Remove lsec_ prefix + default_verify[#default_verify+1] = default_verifyext[i]:sub(6); + end +end +if luasec_has_no_compression and configmanager.get("*", "ssl_compression") ~= true then + default_options[#default_options+1] = "no_compression"; +end + +if luasec_has_no_compression then -- Has no_compression? Then it has these too... + default_options[#default_options+1] = "single_dh_use"; + default_options[#default_options+1] = "single_ecdh_use"; +end function create_context(host, mode, user_ssl_config) user_ssl_config = user_ssl_config or default_ssl_config; @@ -43,17 +66,32 @@ function create_context(host, mode, user_ssl_config) capath = resolve_path(config_path, user_ssl_config.capath or default_capath); cafile = resolve_path(config_path, user_ssl_config.cafile); verify = user_ssl_config.verify or default_verify; + verifyext = user_ssl_config.verifyext or default_verifyext; options = user_ssl_config.options or default_options; depth = user_ssl_config.depth; + curve = user_ssl_config.curve or "secp384r1"; + ciphers = user_ssl_config.ciphers or "HIGH+kEDH:HIGH+kEECDH:HIGH:!PSK:!SRP:!3DES:!aNULL"; + dhparam = user_ssl_config.dhparam; }; + -- LuaSec expects dhparam to be a callback that takes two arguments. + -- We ignore those because it is mostly used for having a separate + -- set of params for EXPORT ciphers, which we don't have by default. + if type(ssl_config.dhparam) == "string" then + local f, err = io_open(resolve_path(config_path, ssl_config.dhparam)); + if not f then return nil, "Could not open DH parameters: "..err end + local dhparam = f:read("*a"); + f:close(); + ssl_config.dhparam = function() return dhparam; end + end + local ctx, err = ssl_newcontext(ssl_config); - -- LuaSec ignores the cipher list from the config, so we have to take care - -- of it ourselves (W/A for #x) - if ctx and user_ssl_config.ciphers then + -- COMPAT: LuaSec 0.4.1 ignores the cipher list from the config, so we have to take + -- care of it ourselves... + if ctx and ssl_config.ciphers then local success; - success, err = ssl.context.setcipher(ctx, user_ssl_config.ciphers); + success, err = ssl.context.setcipher(ctx, ssl_config.ciphers); if not success then ctx = nil; end end @@ -87,7 +125,7 @@ function create_context(host, mode, user_ssl_config) end function reload_ssl_config() - default_ssl_config = configmanager.get("*", "core", "ssl"); + default_ssl_config = configmanager.get("*", "ssl"); end prosody.events.add_handler("config-reloaded", reload_ssl_config);