Mercurial > prosody-hg
comparison core/certmanager.lua @ 6566:1f396f0fe832
certmanager: Improve "detection" of features that depend on LuaSec version
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Thu, 05 Feb 2015 16:20:50 +0100 |
| parents | ffc0a57889aa |
| children | d4a68d93ad04 |
comparison
equal
deleted
inserted
replaced
| 6565:ffc0a57889aa | 6566:1f396f0fe832 |
|---|---|
| 32 | 32 |
| 33 local prosody = prosody; | 33 local prosody = prosody; |
| 34 local resolve_path = require"util.paths".resolve_relative_path; | 34 local resolve_path = require"util.paths".resolve_relative_path; |
| 35 local config_path = prosody.paths.config; | 35 local config_path = prosody.paths.config; |
| 36 | 36 |
| 37 local luasec_has_noticket, luasec_has_verifyext, luasec_has_no_compression; | |
| 38 local luasec_major, luasec_minor = ssl._VERSION:match("^(%d+)%.(%d+)"); | 37 local luasec_major, luasec_minor = ssl._VERSION:match("^(%d+)%.(%d+)"); |
| 39 luasec_has_noticket = tonumber(luasec_major)>0 or tonumber(luasec_minor)>=4; | 38 local luasec_version = luasec_major * 100 + luasec_minor; |
| 40 luasec_has_verifyext = tonumber(luasec_major)>0 or tonumber(luasec_minor)>=5; | 39 local luasec_has = { |
| 41 luasec_has_no_compression = tonumber(luasec_major)>0 or tonumber(luasec_minor)>=5; | 40 -- TODO If LuaSec ever starts exposing these things itself, use that instead |
| 41 cipher_server_preference = true; | |
| 42 no_ticket = luasec_version >= 4; | |
| 43 no_compression = luasec_version >= 5; | |
| 44 single_dh_use = luasec_version >= 5; | |
| 45 single_ecdh_use = luasec_version >= 5; | |
| 46 }; | |
| 42 | 47 |
| 43 module "certmanager" | 48 module "certmanager" |
| 44 | 49 |
| 45 -- Global SSL options if not overridden per-host | 50 -- Global SSL options if not overridden per-host |
| 46 local global_ssl_config = configmanager.get("*", "ssl"); | 51 local global_ssl_config = configmanager.get("*", "ssl"); |
| 49 local core_defaults = { | 54 local core_defaults = { |
| 50 capath = "/etc/ssl/certs"; | 55 capath = "/etc/ssl/certs"; |
| 51 protocol = "tlsv1+"; | 56 protocol = "tlsv1+"; |
| 52 verify = (ssl_x509 and { "peer", "client_once", }) or "none"; | 57 verify = (ssl_x509 and { "peer", "client_once", }) or "none"; |
| 53 options = { | 58 options = { |
| 54 cipher_server_preference = true; | 59 cipher_server_preference = luasec_has.cipher_server_preference; |
| 55 no_ticket = luasec_has_noticket; | 60 no_ticket = luasec_has.no_ticket; |
| 56 no_compression = luasec_has_no_compression and configmanager.get("*", "ssl_compression") ~= true; | 61 no_compression = luasec_has.no_compression and configmanager.get("*", "ssl_compression") ~= true; |
| 57 -- Has no_compression? Then it has these too... | 62 single_dh_use = luasec_has.single_dh_use; |
| 58 single_dh_use = luasec_has_no_compression; | 63 single_ecdh_use = luasec_has.single_ecdh_use; |
| 59 single_ecdh_use = luasec_has_no_compression; | |
| 60 }; | 64 }; |
| 61 verifyext = { "lsec_continue", "lsec_ignore_purpose" }; | 65 verifyext = { "lsec_continue", "lsec_ignore_purpose" }; |
| 62 curve = "secp384r1"; | 66 curve = "secp384r1"; |
| 63 ciphers = "HIGH+kEDH:HIGH+kEECDH:HIGH:!PSK:!SRP:!3DES:!aNULL"; | 67 ciphers = "HIGH+kEDH:HIGH+kEECDH:HIGH:!PSK:!SRP:!3DES:!aNULL"; |
| 64 } | 68 } |
| 149 return ctx, err, user_ssl_config; | 153 return ctx, err, user_ssl_config; |
| 150 end | 154 end |
| 151 | 155 |
| 152 function reload_ssl_config() | 156 function reload_ssl_config() |
| 153 global_ssl_config = configmanager.get("*", "ssl"); | 157 global_ssl_config = configmanager.get("*", "ssl"); |
| 154 if luasec_has_no_compression then | 158 if luasec_has.no_compression then |
| 155 core_defaults.options.no_compression = configmanager.get("*", "ssl_compression") ~= true; | 159 core_defaults.options.no_compression = configmanager.get("*", "ssl_compression") ~= true; |
| 156 end | 160 end |
| 157 end | 161 end |
| 158 | 162 |
| 159 prosody.events.add_handler("config-reloaded", reload_ssl_config); | 163 prosody.events.add_handler("config-reloaded", reload_ssl_config); |
