Mercurial > prosody-hg
comparison core/certmanager.lua @ 14216:2ec517d8d43e
net.unbound: Enable DNSSEC by default with option for turning off
You know what they say about opt-in security.
Enabling DNSSEC in libunbound without a way to turn it off would likely
be a problem for those whose DNS resolvers do not support, or outright
block DNSSEC. The merge algorithm already in place here doesn't have a
way to unset something, so instead a simpler boolean setting is
introduced, similar to some existing ones like use_ipv6/4 and use_dane.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sun, 07 Jun 2026 20:32:55 +0200 |
| parents | 4aed38a1c971 |
| children | 565debd9c37a |
comparison
equal
deleted
inserted
replaced
| 14215:2719dbb358c8 | 14216:2ec517d8d43e |
|---|---|
| 211 "!PSK", -- Pre-Shared Key - not used for XMPP | 211 "!PSK", -- Pre-Shared Key - not used for XMPP |
| 212 "!SRP", -- Secure Remote Password - not used for XMPP | 212 "!SRP", -- Secure Remote Password - not used for XMPP |
| 213 "!3DES", -- 3DES - slow and of questionable security | 213 "!3DES", -- 3DES - slow and of questionable security |
| 214 "!aNULL", -- Ciphers that does not authenticate the connection | 214 "!aNULL", -- Ciphers that does not authenticate the connection |
| 215 }; | 215 }; |
| 216 dane = tls.features.capabilities.dane and configmanager.get("*", "use_dane") and { "no_ee_namechecks" }; | 216 dane = tls.features.capabilities.dane and configmanager.get("*", "use_dane") ~= false and { "no_ee_namechecks" }; |
| 217 } | 217 } |
| 218 | 218 |
| 219 -- https://datatracker.ietf.org/doc/html/rfc7919#appendix-A.1 | 219 -- https://datatracker.ietf.org/doc/html/rfc7919#appendix-A.1 |
| 220 local ffdhe2048 = [[ | 220 local ffdhe2048 = [[ |
| 221 -----BEGIN DH PARAMETERS----- | 221 -----BEGIN DH PARAMETERS----- |
| 382 global_ssl_config = configmanager.get("*", "ssl"); | 382 global_ssl_config = configmanager.get("*", "ssl"); |
| 383 global_certificates = configmanager.get("*", "certificates") or "certs"; | 383 global_certificates = configmanager.get("*", "certificates") or "certs"; |
| 384 if tls.features.options.no_compression then | 384 if tls.features.options.no_compression then |
| 385 core_defaults.options.no_compression = configmanager.get("*", "ssl_compression") ~= true; | 385 core_defaults.options.no_compression = configmanager.get("*", "ssl_compression") ~= true; |
| 386 end | 386 end |
| 387 if not configmanager.get("*", "use_dane") then | 387 if configmanager.get("*", "use_dane") == false then |
| 388 core_defaults.dane = false; | 388 core_defaults.dane = false; |
| 389 elseif tls.features.capabilities.dane then | 389 elseif tls.features.capabilities.dane then |
| 390 core_defaults.dane = { "no_ee_namechecks" }; | 390 core_defaults.dane = { "no_ee_namechecks" }; |
| 391 else | 391 else |
| 392 core_defaults.dane = true; | 392 core_defaults.dane = true; |
