Mercurial > prosody-hg
comparison core/certmanager.lua @ 11368:0bc3acf37428
core.certmanager: Add comments explaining the 'verifyext' TLS settings
Thanks to debacle for reminding me, in the context of mod_auth_ccert
I wonder if we still need lsec_ignore_purpose, Let's Encrypt seems to
include both client and server purposes in certs.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sat, 06 Feb 2021 22:12:38 +0100 |
| parents | 8cde06b38fdb |
| children | 2bd91d4a0fcf |
comparison
equal
deleted
inserted
replaced
| 11367:9525c4b4e5de | 11368:0bc3acf37428 |
|---|---|
| 116 no_ticket = luasec_has.options.no_ticket; | 116 no_ticket = luasec_has.options.no_ticket; |
| 117 no_compression = luasec_has.options.no_compression and configmanager.get("*", "ssl_compression") ~= true; | 117 no_compression = luasec_has.options.no_compression and configmanager.get("*", "ssl_compression") ~= true; |
| 118 single_dh_use = luasec_has.options.single_dh_use; | 118 single_dh_use = luasec_has.options.single_dh_use; |
| 119 single_ecdh_use = luasec_has.options.single_ecdh_use; | 119 single_ecdh_use = luasec_has.options.single_ecdh_use; |
| 120 }; | 120 }; |
| 121 verifyext = { "lsec_continue", "lsec_ignore_purpose" }; | 121 verifyext = { |
| 122 "lsec_continue", -- Continue past certificate verification errors | |
| 123 "lsec_ignore_purpose", -- Validate client certificates as if they were server certificates | |
| 124 }; | |
| 122 curve = luasec_has.algorithms.ec and not luasec_has.capabilities.curves_list and "secp384r1"; | 125 curve = luasec_has.algorithms.ec and not luasec_has.capabilities.curves_list and "secp384r1"; |
| 123 curveslist = { | 126 curveslist = { |
| 124 "X25519", | 127 "X25519", |
| 125 "P-384", | 128 "P-384", |
| 126 "P-256", | 129 "P-256", |
