Mercurial > prosody-hg
comparison core/certmanager.lua @ 3355:9bb2da325d4d
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Tue, 13 Jul 2010 13:56:14 +0100 |
| parents | 7339c2720b39 |
| children | cf6be653c619 |
comparison
equal
deleted
inserted
replaced
| 3354:b4ebda3fd6e9 | 3355:9bb2da325d4d |
|---|---|
| 4 local ssl_newcontext = ssl and ssl.newcontext; | 4 local ssl_newcontext = ssl and ssl.newcontext; |
| 5 | 5 |
| 6 local setmetatable, tostring = setmetatable, tostring; | 6 local setmetatable, tostring = setmetatable, tostring; |
| 7 | 7 |
| 8 local prosody = prosody; | 8 local prosody = prosody; |
| 9 local resolve_path = prosody.resolve_relative_path; | |
| 9 | 10 |
| 10 module "certmanager" | 11 module "certmanager" |
| 11 | |
| 12 -- These are the defaults if not overridden in the config | |
| 13 local default_ssl_ctx = { mode = "client", protocol = "sslv23", capath = "/etc/ssl/certs", verify = "none", options = "no_sslv2"; }; | |
| 14 local default_ssl_ctx_in = { mode = "server", protocol = "sslv23", capath = "/etc/ssl/certs", verify = "none", options = "no_sslv2"; }; | |
| 15 | |
| 16 local default_ssl_ctx_mt = { __index = default_ssl_ctx }; | |
| 17 local default_ssl_ctx_in_mt = { __index = default_ssl_ctx_in }; | |
| 18 | 12 |
| 19 -- Global SSL options if not overridden per-host | 13 -- Global SSL options if not overridden per-host |
| 20 local default_ssl_config = configmanager.get("*", "core", "ssl"); | 14 local default_ssl_config = configmanager.get("*", "core", "ssl"); |
| 21 | 15 |
| 22 function create_context(host, mode, config) | 16 function create_context(host, mode, config) |
| 23 local ssl_config = config and config.core.ssl or default_ssl_config; | 17 if not ssl then return nil; end |
| 24 if ssl and ssl_config then | 18 |
| 25 local ctx, err = ssl_newcontext(setmetatable(ssl_config, mode == "client" and default_ssl_ctx_mt or default_ssl_ctx_in_mt)); | 19 local user_ssl_config = config and config.core.ssl or default_ssl_config; |
| 26 if not ctx then | 20 |
| 27 err = err or "invalid ssl config" | 21 local ssl_config = { |
| 28 local file = err:match("^error loading (.-) %("); | 22 mode = mode; |
| 29 if file then | 23 protocol = user_ssl_config.protocol or "sslv23"; |
| 30 if file == "private key" then | 24 key = resolve_path(user_ssl_config.key); |
| 31 file = ssl_config.key or "your private key"; | 25 password = user_ssl_config.password; |
| 32 elseif file == "certificate" then | 26 certificate = resolve_path(user_ssl_config.certificate); |
| 33 file = ssl_config.certificate or "your certificate file"; | 27 capath = resolve_path(user_ssl_config.capath or default_capath); |
| 34 end | 28 cafile = resolve_path(user_ssl_config.cafile); |
| 35 local reason = err:match("%((.+)%)$") or "some reason"; | 29 verify = user_ssl_config.verify or "none"; |
| 36 if reason == "Permission denied" then | 30 options = user_ssl_config.options or "no_sslv2"; |
| 37 reason = "Check that the permissions allow Prosody to read this file."; | 31 ciphers = user_ssl_config.ciphers; |
| 38 elseif reason == "No such file or directory" then | 32 depth = user_ssl_config.depth; |
| 39 reason = "Check that the path is correct, and the file exists."; | 33 }; |
| 40 elseif reason == "system lib" then | 34 |
| 41 reason = "Previous error (see logs), or other system error."; | 35 log("warn", "keyfile: %q", ssl_config.key); |
| 42 elseif reason == "(null)" or not reason then | 36 |
| 43 reason = "Check that the file exists and the permissions are correct"; | 37 local ctx, err = ssl_newcontext(ssl_config); |
| 44 else | 38 if not ctx then |
| 45 reason = "Reason: "..tostring(reason):lower(); | 39 err = err or "invalid ssl config" |
| 46 end | 40 local file = err:match("^error loading (.-) %("); |
| 47 log("error", "SSL/TLS: Failed to load %s: %s", file, reason); | 41 if file then |
| 42 if file == "private key" then | |
| 43 file = ssl_config.key or "your private key"; | |
| 44 elseif file == "certificate" then | |
| 45 file = ssl_config.certificate or "your certificate file"; | |
| 46 end | |
| 47 local reason = err:match("%((.+)%)$") or "some reason"; | |
| 48 if reason == "Permission denied" then | |
| 49 reason = "Check that the permissions allow Prosody to read this file."; | |
| 50 elseif reason == "No such file or directory" then | |
| 51 reason = "Check that the path is correct, and the file exists."; | |
| 52 elseif reason == "system lib" then | |
| 53 reason = "Previous error (see logs), or other system error."; | |
| 54 elseif reason == "(null)" or not reason then | |
| 55 reason = "Check that the file exists and the permissions are correct"; | |
| 48 else | 56 else |
| 49 log("error", "SSL/TLS: Error initialising for host %s: %s", host, err ); | 57 reason = "Reason: "..tostring(reason):lower(); |
| 50 end | 58 end |
| 51 ssl = false | 59 log("error", "SSL/TLS: Failed to load %s: %s", file, reason); |
| 52 end | 60 else |
| 53 return ctx, err; | 61 log("error", "SSL/TLS: Error initialising for host %s: %s", host, err ); |
| 54 end | 62 end |
| 55 return nil; | 63 ssl = false |
| 64 end | |
| 65 return ctx, err; | |
| 56 end | 66 end |
| 57 | 67 |
| 58 function reload_ssl_config() | 68 function reload_ssl_config() |
| 59 default_ssl_config = configmanager.get("*", "core", "ssl"); | 69 default_ssl_config = configmanager.get("*", "core", "ssl"); |
| 60 end | 70 end |
