Mercurial > prosody-hg
comparison core/certmanager.lua @ 5282:4cd57cb49f99
core.certmanager: Add support for LuaSec 0.5. Also compat with MattJs luasec-hg
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Fri, 28 Dec 2012 15:00:43 +0100 |
| parents | e79e4d1f75de |
| children | 676a1a032d2f |
comparison
equal
deleted
inserted
replaced
| 5281:815c689f85ad | 5282:4cd57cb49f99 |
|---|---|
| 15 | 15 |
| 16 local prosody = prosody; | 16 local prosody = prosody; |
| 17 local resolve_path = configmanager.resolve_relative_path; | 17 local resolve_path = configmanager.resolve_relative_path; |
| 18 local config_path = prosody.paths.config; | 18 local config_path = prosody.paths.config; |
| 19 | 19 |
| 20 local luasec_has_noticket; | 20 local luasec_has_noticket, luasec_has_verifyext; |
| 21 if ssl then | 21 if ssl then |
| 22 local luasec_major, luasec_minor = ssl._VERSION:match("^(%d+)%.(%d+)"); | 22 local luasec_major, luasec_minor = ssl._VERSION:match("^(%d+)%.(%d+)"); |
| 23 luasec_has_noticket = tonumber(luasec_major)>0 or tonumber(luasec_minor)>=4; | 23 luasec_has_noticket = tonumber(luasec_major)>0 or tonumber(luasec_minor)>=4; |
| 24 luasec_has_verifyext = tonumber(luasec_major)>0 or tonumber(luasec_minor)>=5; | |
| 24 end | 25 end |
| 25 | 26 |
| 26 module "certmanager" | 27 module "certmanager" |
| 27 | 28 |
| 28 -- Global SSL options if not overridden per-host | 29 -- Global SSL options if not overridden per-host |
| 29 local default_ssl_config = configmanager.get("*", "core", "ssl"); | 30 local default_ssl_config = configmanager.get("*", "core", "ssl"); |
| 30 local default_capath = "/etc/ssl/certs"; | 31 local default_capath = "/etc/ssl/certs"; |
| 31 local default_verify = (ssl and ssl.x509 and { "peer", "client_once", "continue", "ignore_purpose" }) or "none"; | 32 local default_verify = (ssl and ssl.x509 and { "peer", "client_once", }) or "none"; |
| 32 local default_options = { "no_sslv2", luasec_has_noticket and "no_ticket" or nil }; | 33 local default_options = { "no_sslv2", luasec_has_noticket and "no_ticket" or nil }; |
| 34 local default_verifyext = { "lsec_continue", "lsec_ignore_purpose" }; | |
| 35 | |
| 36 if not luasec_has_verifyext and ssl.x509 then | |
| 37 -- COMPAT mw/luasec-hg | |
| 38 for i=1,#default_verifyext do -- Remove lsec_ prefix | |
| 39 default_verify[#default_verify+1] = default_verifyext[i]:sub(6); | |
| 40 end | |
| 41 end | |
| 33 | 42 |
| 34 function create_context(host, mode, user_ssl_config) | 43 function create_context(host, mode, user_ssl_config) |
| 35 user_ssl_config = user_ssl_config or default_ssl_config; | 44 user_ssl_config = user_ssl_config or default_ssl_config; |
| 36 | 45 |
| 37 if not ssl then return nil, "LuaSec (required for encryption) was not found"; end | 46 if not ssl then return nil, "LuaSec (required for encryption) was not found"; end |
| 44 password = user_ssl_config.password or function() log("error", "Encrypted certificate for %s requires 'ssl' 'password' to be set in config", host); end; | 53 password = user_ssl_config.password or function() log("error", "Encrypted certificate for %s requires 'ssl' 'password' to be set in config", host); end; |
| 45 certificate = resolve_path(config_path, user_ssl_config.certificate); | 54 certificate = resolve_path(config_path, user_ssl_config.certificate); |
| 46 capath = resolve_path(config_path, user_ssl_config.capath or default_capath); | 55 capath = resolve_path(config_path, user_ssl_config.capath or default_capath); |
| 47 cafile = resolve_path(config_path, user_ssl_config.cafile); | 56 cafile = resolve_path(config_path, user_ssl_config.cafile); |
| 48 verify = user_ssl_config.verify or default_verify; | 57 verify = user_ssl_config.verify or default_verify; |
| 58 verifyext = user_ssl_config.verifyext or default_verifyext; | |
| 49 options = user_ssl_config.options or default_options; | 59 options = user_ssl_config.options or default_options; |
| 50 depth = user_ssl_config.depth; | 60 depth = user_ssl_config.depth; |
| 51 }; | 61 }; |
| 52 | 62 |
| 53 local ctx, err = ssl_newcontext(ssl_config); | 63 local ctx, err = ssl_newcontext(ssl_config); |
