Mercurial > prosody-hg
comparison core/certmanager.lua @ 5822:970c666c5586
certmanager: Allow for specifying the dhparam option as a path to a file instead of a callback
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Tue, 03 Sep 2013 15:43:59 +0200 |
| parents | 7974683a9bb7 |
| children | 1c3ebd3009fe |
comparison
equal
deleted
inserted
replaced
| 5821:7974683a9bb7 | 5822:970c666c5586 |
|---|---|
| 11 local ssl = ssl; | 11 local ssl = ssl; |
| 12 local ssl_newcontext = ssl and ssl.newcontext; | 12 local ssl_newcontext = ssl and ssl.newcontext; |
| 13 | 13 |
| 14 local tostring = tostring; | 14 local tostring = tostring; |
| 15 local pairs = pairs; | 15 local pairs = pairs; |
| 16 local type = type; | |
| 17 local io_open = io.open; | |
| 16 | 18 |
| 17 local prosody = prosody; | 19 local prosody = prosody; |
| 18 local resolve_path = configmanager.resolve_relative_path; | 20 local resolve_path = configmanager.resolve_relative_path; |
| 19 local config_path = prosody.paths.config; | 21 local config_path = prosody.paths.config; |
| 20 | 22 |
| 39 verifyext = { "lsec_continue", "lsec_ignore_purpose" }; | 41 verifyext = { "lsec_continue", "lsec_ignore_purpose" }; |
| 40 curve = "secp384r1"; | 42 curve = "secp384r1"; |
| 41 ciphers = "HIGH:!DSS:!aNULL@STRENGTH"; | 43 ciphers = "HIGH:!DSS:!aNULL@STRENGTH"; |
| 42 } | 44 } |
| 43 local path_options = { -- These we pass through resolve_path() | 45 local path_options = { -- These we pass through resolve_path() |
| 44 key = true, certificate = true, cafile = true, capath = true | 46 key = true, certificate = true, cafile = true, capath = true, dhparam = true |
| 45 } | 47 } |
| 46 | 48 |
| 47 if ssl and not luasec_has_verifyext and ssl.x509 then | 49 if ssl and not luasec_has_verifyext and ssl.x509 then |
| 48 -- COMPAT mw/luasec-hg | 50 -- COMPAT mw/luasec-hg |
| 49 for i=1,#core_defaults.verifyext do -- Remove lsec_ prefix | 51 for i=1,#core_defaults.verifyext do -- Remove lsec_ prefix |
| 73 user_ssl_config[option] = default_value; | 75 user_ssl_config[option] = default_value; |
| 74 end | 76 end |
| 75 end | 77 end |
| 76 user_ssl_config.password = user_ssl_config.password or function() log("error", "Encrypted certificate for %s requires 'ssl' 'password' to be set in config", host); end; | 78 user_ssl_config.password = user_ssl_config.password or function() log("error", "Encrypted certificate for %s requires 'ssl' 'password' to be set in config", host); end; |
| 77 for option in pairs(path_options) do | 79 for option in pairs(path_options) do |
| 78 user_ssl_config[option] = user_ssl_config[option] and resolve_path(config_path, user_ssl_config[option]); | 80 if type(user_ssl_config[option]) == "string" then |
| 81 user_ssl_config[option] = resolve_path(config_path, user_ssl_config[option]); | |
| 82 end | |
| 79 end | 83 end |
| 80 | 84 |
| 81 if not user_ssl_config.key then return nil, "No key present in SSL/TLS configuration for "..host; end | 85 if not user_ssl_config.key then return nil, "No key present in SSL/TLS configuration for "..host; end |
| 82 if not user_ssl_config.certificate then return nil, "No certificate present in SSL/TLS configuration for "..host; end | 86 if not user_ssl_config.certificate then return nil, "No certificate present in SSL/TLS configuration for "..host; end |
| 87 | |
| 88 -- LuaSec expects dhparam to be a callback that takes two arguments. | |
| 89 -- We ignore those because it is mostly used for having a separate | |
| 90 -- set of params for EXPORT ciphers, which we don't have by default. | |
| 91 if type(user_ssl_config.dhparam) == "string" then | |
| 92 local f, err = io_open(user_ssl_config.dhparam); | |
| 93 if not f then return nil, "Could not open DH parameters: "..err end | |
| 94 local dhparam = f:read("*a"); | |
| 95 f:close(); | |
| 96 user_ssl_config.dhparam = function() return dhparam; end | |
| 97 end | |
| 83 | 98 |
| 84 local ctx, err = ssl_newcontext(user_ssl_config); | 99 local ctx, err = ssl_newcontext(user_ssl_config); |
| 85 | 100 |
| 86 -- COMPAT Older LuaSec ignores the cipher list from the config, so we have to take care | 101 -- COMPAT Older LuaSec ignores the cipher list from the config, so we have to take care |
| 87 -- of it ourselves (W/A for #x) | 102 -- of it ourselves (W/A for #x) |
