<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
  <channel>
    <link>http://hg.omfa.de/prosody-hg/</link>
    <language>en-us</language>

    <title>prosody-hg: core/certmanager.lua history</title>
    <description>core/certmanager.lua revision history</description>
    <item>
    <title>Merge 13.0-&gt;trunk</title>
    <link>http://hg.omfa.de/prosody-hg/log/565debd9c37a/core/certmanager.lua</link>
    <description><![CDATA[Merge 13.0-&gt;trunk]]></description>
    <author>&#77;&#97;&#116;&#116;&#104;&#101;&#119;&#32;&#87;&#105;&#108;&#100;&#32;&#60;&#109;&#119;&#105;&#108;&#100;&#49;&#64;&#103;&#109;&#97;&#105;&#108;&#46;&#99;&#111;&#109;&#62;</author>
    <pubDate>Fri, 12 Jun 2026 13:05:10 +0100</pubDate>
</item>
<item>
    <title>certmanager: Drop embedded Mozilla TLSRef data in favour of util.tlsref</title>
    <link>http://hg.omfa.de/prosody-hg/log/7f4fcbb1bbe4/core/certmanager.lua</link>
    <description><![CDATA[certmanager: Drop embedded Mozilla TLSRef data in favour of util.tlsref<br/>
<br/>
This adds a 'tls_profile_version' configuration option. If unspecified, it<br/>
will use the default profile version from util.tlsref. If specified, it must<br/>
be either a valid version (known to util.tlsref) or the value &quot;latest&quot;.<br/>
<br/>
This allows admins to pin to specific versions, go with the default (for the<br/>
best balance between security/stability) or always use the latest available<br/>
profiles.]]></description>
    <author>&#77;&#97;&#116;&#116;&#104;&#101;&#119;&#32;&#87;&#105;&#108;&#100;&#32;&#60;&#109;&#119;&#105;&#108;&#100;&#49;&#64;&#103;&#109;&#97;&#105;&#108;&#46;&#99;&#111;&#109;&#62;</author>
    <pubDate>Fri, 12 Jun 2026 13:04:23 +0100</pubDate>
</item>
<item>
    <title>net.unbound: Enable DNSSEC by default with option for turning off</title>
    <link>http://hg.omfa.de/prosody-hg/log/2ec517d8d43e/core/certmanager.lua</link>
    <description><![CDATA[net.unbound: Enable DNSSEC by default with option for turning off<br/>
<br/>
You know what they say about opt-in security.<br/>
<br/>
Enabling DNSSEC in libunbound without a way to turn it off would likely<br/>
be a problem for those whose DNS resolvers do not support, or outright<br/>
block DNSSEC. The merge algorithm already in place here doesn't have a<br/>
way to unset something, so instead a simpler boolean setting is<br/>
introduced, similar to some existing ones like use_ipv6/4 and use_dane.]]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Sun, 07 Jun 2026 20:32:55 +0200</pubDate>
</item>
<item>
    <title>certmanager: Remove obsolete index log (replaced by shell command)</title>
    <link>http://hg.omfa.de/prosody-hg/log/4aed38a1c971/core/certmanager.lua</link>
    <description><![CDATA[certmanager: Remove obsolete index log (replaced by shell command)<br/>
<br/>
This information can now be retrieved on-demand using the debug:cert_index()<br/>
command, so we don't need to log it after every scan (it is rather verbose).]]></description>
    <author>&#77;&#97;&#116;&#116;&#104;&#101;&#119;&#32;&#87;&#105;&#108;&#100;&#32;&#60;&#109;&#119;&#105;&#108;&#100;&#49;&#64;&#103;&#109;&#97;&#105;&#108;&#46;&#99;&#111;&#109;&#62;</author>
    <pubDate>Thu, 03 Apr 2025 19:47:16 +0100</pubDate>
</item>
<item>
    <title>certmanager: Improve logging for all cases where certs are skipped</title>
    <link>http://hg.omfa.de/prosody-hg/log/8a7dbb291b02/core/certmanager.lua</link>
    <description><![CDATA[certmanager: Improve logging for all cases where certs are skipped]]></description>
    <author>&#77;&#97;&#116;&#116;&#104;&#101;&#119;&#32;&#87;&#105;&#108;&#100;&#32;&#60;&#109;&#119;&#105;&#108;&#100;&#49;&#64;&#103;&#109;&#97;&#105;&#108;&#46;&#99;&#111;&#109;&#62;</author>
    <pubDate>Thu, 03 Apr 2025 16:53:48 +0100</pubDate>
</item>
<item>
    <title>certmanager: Add more debug logging around cert indexing</title>
    <link>http://hg.omfa.de/prosody-hg/log/49bbdc22846d/core/certmanager.lua</link>
    <description><![CDATA[certmanager: Add more debug logging around cert indexing<br/>
<br/>
Currently it's not obvious which directories have been indexed (especially<br/>
when the resulting index is empty), or why certain files have been skipped.]]></description>
    <author>&#77;&#97;&#116;&#116;&#104;&#101;&#119;&#32;&#87;&#105;&#108;&#100;&#32;&#60;&#109;&#119;&#105;&#108;&#100;&#49;&#64;&#103;&#109;&#97;&#105;&#108;&#46;&#99;&#111;&#109;&#62;</author>
    <pubDate>Mon, 24 Feb 2025 17:48:58 +0000</pubDate>
</item>
<item>
    <title>core.certmanager: Move LuaSec verification tweaks to mod_s2s</title>
    <link>http://hg.omfa.de/prosody-hg/log/99d2100d2918/core/certmanager.lua</link>
    <description><![CDATA[core.certmanager: Move LuaSec verification tweaks to mod_s2s<br/>
<br/>
These two settings are only really needed for XMPP server-to-server<br/>
connections.]]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Sat, 15 Feb 2025 00:19:01 +0100</pubDate>
</item>
<item>
    <title>core.certmanager: Include ffdhe2048 from RFC 7919 as default DH param</title>
    <link>http://hg.omfa.de/prosody-hg/log/8b68e8faab52/core/certmanager.lua</link>
    <description><![CDATA[core.certmanager: Include ffdhe2048 from RFC 7919 as default DH param<br/>
<br/>
This removes one manual (yet undocumented) step that was supposed to be<br/>
done to get a complete 'intermediate' configuration.<br/>
<br/>
This file can be found on the Internet by searching for &quot;ffdhe2048&quot; and<br/>
can be verified by comparing the hexadecimal representation of p from<br/>
the RFC with the output of `openssl asn1parse`.<br/>
<br/>
Given the preference and prevalence of ECDHE, it seems likely that few<br/>
would have noticed this.]]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Fri, 12 Jul 2024 15:06:42 +0200</pubDate>
</item>
<item>
    <title>core.certmanager: Handle dane context setting same way on reload as on initialization</title>
    <link>http://hg.omfa.de/prosody-hg/log/05c0ac580552/core/certmanager.lua</link>
    <description><![CDATA[core.certmanager: Handle dane context setting same way on reload as on initialization]]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Sat, 04 Nov 2023 15:59:51 +0100</pubDate>
</item>
<item>
    <title>core.certmanager: Tweak log level of message about SNI being required</title>
    <link>http://hg.omfa.de/prosody-hg/log/4a05fbda927f/core/certmanager.lua</link>
    <description><![CDATA[core.certmanager: Tweak log level of message about SNI being required<br/>
<br/>
Everything supports SNI today, so this is not useful information.]]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Sun, 29 Oct 2023 21:31:07 +0100</pubDate>
</item>
<item>
    <title>Merge 0.12-&gt;trunk</title>
    <link>http://hg.omfa.de/prosody-hg/log/8fbdd878fcf6/core/certmanager.lua</link>
    <description><![CDATA[Merge 0.12-&gt;trunk]]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Fri, 27 Oct 2023 22:38:00 +0200</pubDate>
</item>
<item>
    <title>core.certmanager: Validate that 'tls_profile' is one of the valid values</title>
    <link>http://hg.omfa.de/prosody-hg/log/24070d47a6e7/core/certmanager.lua</link>
    <description><![CDATA[core.certmanager: Validate that 'tls_profile' is one of the valid values<br/>
<br/>
A typo should not result in ending up with &quot;legacy&quot;]]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Fri, 27 Oct 2023 19:03:59 +0200</pubDate>
</item>
<item>
    <title>Merge 0.12-&gt;trunk</title>
    <link>http://hg.omfa.de/prosody-hg/log/1b1ed555f307/core/certmanager.lua</link>
    <description><![CDATA[Merge 0.12-&gt;trunk]]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Mon, 10 Jul 2023 00:34:37 +0200</pubDate>
</item>
<item>
    <title>core.certmanager: Update Mozilla TLS config to version 5.7</title>
    <link>http://hg.omfa.de/prosody-hg/log/e689d4c45681/core/certmanager.lua</link>
    <description><![CDATA[core.certmanager: Update Mozilla TLS config to version 5.7<br/>
<br/>
Ref https://github.com/mozilla/server-side-tls/issues/285]]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Sun, 09 Jul 2023 21:18:47 +0200</pubDate>
</item>
<item>
    <title>net.tls_luasec: Expose method for loading a certificate</title>
    <link>http://hg.omfa.de/prosody-hg/log/58e793288d9c/core/certmanager.lua</link>
    <description><![CDATA[net.tls_luasec: Expose method for loading a certificate<br/>
<br/>
Further isolates LuaSec from Prosody core, with the ultimate goal of<br/>
allowing LuaSec to be replaced more easily.]]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Sat, 27 May 2023 15:40:49 +0200</pubDate>
</item>
<item>
    <title>net.certmanager: Move LuaSec feature detection to net.tls_luasec</title>
    <link>http://hg.omfa.de/prosody-hg/log/749376d75b40/core/certmanager.lua</link>
    <description><![CDATA[net.certmanager: Move LuaSec feature detection to net.tls_luasec<br/>
<br/>
Further isolates LuaSec from Prosody core, with the ultimate goal of<br/>
allowing LuaSec to be replaced more easily.]]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Sat, 27 May 2023 15:39:26 +0200</pubDate>
</item>
<item>
    <title>core: Prefix module imports with prosody namespace</title>
    <link>http://hg.omfa.de/prosody-hg/log/ead41e25ebc0/core/certmanager.lua</link>
    <description><![CDATA[core: Prefix module imports with prosody namespace]]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Fri, 17 Mar 2023 16:23:07 +0100</pubDate>
</item>
<item>
    <title>Merge 0.12-&gt;trunk</title>
    <link>http://hg.omfa.de/prosody-hg/log/e6cfd0a6f0da/core/certmanager.lua</link>
    <description><![CDATA[Merge 0.12-&gt;trunk]]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Mon, 16 May 2022 11:42:31 +0200</pubDate>
</item>
<item>
    <title>core.certmanager: Expand debug messages about cert lookups in index</title>
    <link>http://hg.omfa.de/prosody-hg/log/e242a6e74424/core/certmanager.lua</link>
    <description><![CDATA[core.certmanager: Expand debug messages about cert lookups in index<br/>
<br/>
Answers my recurring question of<br/>
&gt; Using cert &quot;certs/example.com.crt&quot; from index<br/>
... for what?]]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Mon, 16 May 2022 11:39:17 +0200</pubDate>
</item>
<item>
    <title>net: refactor sslconfig to not depend on LuaSec</title>
    <link>http://hg.omfa.de/prosody-hg/log/2ee27587fec7/core/certmanager.lua</link>
    <description><![CDATA[net: refactor sslconfig to not depend on LuaSec<br/>
<br/>
This now requires that the network backend exposes a tls_builder<br/>
function, which essentially wraps the former util.sslconfig.new()<br/>
function, passing a factory to create the eventual SSL context.<br/>
<br/>
That allows a net.server backend to pick whatever it likes as SSL<br/>
context factory, as long as it understands the config table passed by<br/>
the SSL config builder. Heck, a backend could even mock and replace the<br/>
entire SSL config builder API.]]></description>
    <author>&#74;&#111;&#110;&#97;&#115;&#32;&#83;&#99;&#104;&#228;&#102;&#101;&#114;&#32;&#60;&#106;&#111;&#110;&#97;&#115;&#64;&#119;&#105;&#101;&#108;&#105;&#99;&#107;&#105;&#46;&#110;&#97;&#109;&#101;&#62;</author>
    <pubDate>Sat, 02 Apr 2022 11:15:33 +0200</pubDate>
</item>
<item>
    <title>net: isolate LuaSec-specifics</title>
    <link>http://hg.omfa.de/prosody-hg/log/7e9ebdc75ce4/core/certmanager.lua</link>
    <description><![CDATA[net: isolate LuaSec-specifics<br/>
<br/>
For this, various accessor functions are now provided directly on the<br/>
sockets, which reach down into the LuaSec implementation to obtain the<br/>
information.<br/>
<br/>
While this may seem of little gain at first, it hides the implementation<br/>
detail of the LuaSec+LuaSocket combination that the actual socket and<br/>
the TLS layer are separate objects.<br/>
<br/>
The net gain here is that an alternative implementation does not have to<br/>
emulate that specific implementation detail and &quot;only&quot; has to expose<br/>
LuaSec-compatible data structures on the new functions.]]></description>
    <author>&#74;&#111;&#110;&#97;&#115;&#32;&#83;&#99;&#104;&#228;&#102;&#101;&#114;&#32;&#60;&#106;&#111;&#110;&#97;&#115;&#64;&#119;&#105;&#101;&#108;&#105;&#99;&#107;&#105;&#46;&#110;&#97;&#109;&#101;&#62;</author>
    <pubDate>Wed, 27 Apr 2022 17:44:14 +0200</pubDate>
</item>
<item>
    <title>Merge config-updates+check-turn from timber</title>
    <link>http://hg.omfa.de/prosody-hg/log/0fd58f54d653/core/certmanager.lua</link>
    <description><![CDATA[Merge config-updates+check-turn from timber]]></description>
    <author>&#77;&#97;&#116;&#116;&#104;&#101;&#119;&#32;&#87;&#105;&#108;&#100;&#32;&#60;&#109;&#119;&#105;&#108;&#100;&#49;&#64;&#103;&#109;&#97;&#105;&#108;&#46;&#99;&#111;&#109;&#62;</author>
    <pubDate>Fri, 04 Mar 2022 16:33:41 +0000</pubDate>
</item>
<item>
    <title>core.certmanager: Turn soft dependency on LuaSec into a hard</title>
    <link>http://hg.omfa.de/prosody-hg/log/49739369dcad/core/certmanager.lua</link>
    <description><![CDATA[core.certmanager: Turn soft dependency on LuaSec into a hard<br/>
<br/>
The default network backend server_epoll already requires LuaSec so<br/>
Prosody won't even start without it, so we can get rid of these lines<br/>
here too.]]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Thu, 10 Feb 2022 17:15:55 +0100</pubDate>
</item>
<item>
    <title>core.certmanager: Ensure key exists for fullchain</title>
    <link>http://hg.omfa.de/prosody-hg/log/f8b8061461e3/core/certmanager.lua</link>
    <description><![CDATA[core.certmanager: Ensure key exists for fullchain<br/>
<br/>
Since 5cd075ed4fd3 any file matching &quot;fullchain&quot; would be considered for<br/>
use.<br/>
<br/>
Dehydrated stores fullchain certs in e.g, fullchain-1641171024.pem and a<br/>
symlink fullchain.pem pointing at the latest one. However the current<br/>
rule for finding a corresponding private key would try<br/>
privkey-1641171024.pem in the same directory, which may not exist.]]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Mon, 21 Feb 2022 08:54:39 +0100</pubDate>
</item>
<item>
    <title>core.certmanager: Relax certificate filename check #1713</title>
    <link>http://hg.omfa.de/prosody-hg/log/5cd075ed4fd3/core/certmanager.lua</link>
    <description><![CDATA[core.certmanager: Relax certificate filename check #1713<br/>
<br/>
After a survey of ACME clients it seems *.crt and *fullchain* should<br/>
work for the majority. The rest get to manually copy their files.]]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Mon, 14 Feb 2022 18:29:31 +0100</pubDate>
</item>
<item>
    <title>core.certmanager: Use 'tls_profile' instead of 'tls_preset' to match documentation</title>
    <link>http://hg.omfa.de/prosody-hg/log/95d25e620dc2/core/certmanager.lua</link>
    <description><![CDATA[core.certmanager: Use 'tls_profile' instead of 'tls_preset' to match documentation<br/>
<br/>
Confusion!<br/>
<br/>
Thanks Martin]]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Tue, 18 Jan 2022 11:52:35 +0100</pubDate>
</item>
<item>
    <title>core.certmanager: Apply TLS preset before global settings (thanks Menel)</title>
    <link>http://hg.omfa.de/prosody-hg/log/b05e0b422ff7/core/certmanager.lua</link>
    <description><![CDATA[core.certmanager: Apply TLS preset before global settings (thanks Menel)<br/>
<br/>
Allows overriding settings via the global 'ssl' settings as before.<br/>
This order was probably accidental. That said, 'ssl' is a giant footgun<br/>
we will want to discourage use of.]]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Tue, 18 Jan 2022 08:04:16 +0100</pubDate>
</item>
<item>
    <title>core.certmanager: Disable DANE name checks (not needed for XMPP)</title>
    <link>http://hg.omfa.de/prosody-hg/log/653a48b5a25b/core/certmanager.lua</link>
    <description><![CDATA[core.certmanager: Disable DANE name checks (not needed for XMPP)<br/>
<br/>
Pending https://github.com/brunoos/luasec/pull/179<br/>
<br/>
Should not be done globally, but rather only for s2sout, but that would<br/>
have to be in mod_tls then.]]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Thu, 16 Sep 2021 09:52:51 +0200</pubDate>
</item>
<item>
    <title>core.certmanager: Add curveslist to 'old' Mozilla TLS preset</title>
    <link>http://hg.omfa.de/prosody-hg/log/0fcd80a55f15/core/certmanager.lua</link>
    <description><![CDATA[core.certmanager: Add curveslist to 'old' Mozilla TLS preset<br/>
<br/>
Unsure if this was overlooked before or a recent addition.<br/>
<br/>
Reproduced the data from JSON file available. Would be nice to have a<br/>
tool that does that.]]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Sun, 26 Dec 2021 00:05:16 +0100</pubDate>
</item>
<item>
    <title>core.certmanager: Check index for wildcard certs</title>
    <link>http://hg.omfa.de/prosody-hg/log/47c9a76cce7d/core/certmanager.lua</link>
    <description><![CDATA[core.certmanager: Check index for wildcard certs]]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Wed, 22 Dec 2021 15:13:49 +0100</pubDate>
</item>
<item>
    <title>prosodyctl cert: use the indexing functions for better UX</title>
    <link>http://hg.omfa.de/prosody-hg/log/29765ac7f72f/core/certmanager.lua</link>
    <description><![CDATA[prosodyctl cert: use the indexing functions for better UX<br/>
<br/>
These provide (a) a way to deal with random assortments of certs<br/>
and (b) avoid unnecessary error messages and warnings, according<br/>
to #1669 anyway, which this fixes.]]></description>
    <author>&#74;&#111;&#110;&#97;&#115;&#32;&#83;&#99;&#104;&#228;&#102;&#101;&#114;&#32;&#60;&#106;&#111;&#110;&#97;&#115;&#64;&#119;&#105;&#101;&#108;&#105;&#99;&#107;&#105;&#46;&#110;&#97;&#109;&#101;&#62;</author>
    <pubDate>Tue, 21 Dec 2021 21:20:21 +0100</pubDate>
</item>
<item>
    <title>core.certmanager: Rename preset option to 'tls_preset'</title>
    <link>http://hg.omfa.de/prosody-hg/log/b344edad61d3/core/certmanager.lua</link>
    <description><![CDATA[core.certmanager: Rename preset option to 'tls_preset'<br/>
<br/>
TLS good, SSL bad.]]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Wed, 22 Dec 2021 14:24:26 +0100</pubDate>
</item>
<item>
    <title>core.certmanager: Add &quot;legacy&quot; preset for keeping previous default settings</title>
    <link>http://hg.omfa.de/prosody-hg/log/9591b838e3b0/core/certmanager.lua</link>
    <description><![CDATA[core.certmanager: Add &quot;legacy&quot; preset for keeping previous default settings<br/>
<br/>
If anyone wants that.]]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Wed, 22 Dec 2021 14:12:10 +0100</pubDate>
</item>
<item>
    <title>core.certmanager: Add TLS 1.3 cipher suites to Mozilla TLS presets</title>
    <link>http://hg.omfa.de/prosody-hg/log/9c794d5f6f8d/core/certmanager.lua</link>
    <description><![CDATA[core.certmanager: Add TLS 1.3 cipher suites to Mozilla TLS presets]]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Wed, 03 Nov 2021 12:23:29 +0100</pubDate>
</item>
<item>
    <title>core.certmanager: Presets based on Mozilla SSL Configuration Generator</title>
    <link>http://hg.omfa.de/prosody-hg/log/dfb29b5b0a57/core/certmanager.lua</link>
    <description><![CDATA[core.certmanager: Presets based on Mozilla SSL Configuration Generator<br/>
<br/>
ssl_preset = &quot;modern&quot;]]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Sun, 22 Dec 2019 02:25:37 +0100</pubDate>
</item>
<item>
    <title>core.certmanager: Support 'use_dane' setting to enable DANE support</title>
    <link>http://hg.omfa.de/prosody-hg/log/5810166f35d5/core/certmanager.lua</link>
    <description><![CDATA[core.certmanager: Support 'use_dane' setting to enable DANE support<br/>
<br/>
Removes the need to enable DANE with two separate settings.<br/>
Previously you had to also set `ssl = { dane = true }` to activate DANE<br/>
support in LuaSec and OpenSSL.]]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Sun, 18 Jul 2021 22:46:57 +0200</pubDate>
</item>
<item>
    <title>core.certmanager: Skip service certificate lookup for https client</title>
    <link>http://hg.omfa.de/prosody-hg/log/e7a964572f6b/core/certmanager.lua</link>
    <description><![CDATA[core.certmanager: Skip service certificate lookup for https client<br/>
<br/>
Quick Fix\u{2122} to stop prevent certmanager from automatically adding<br/>
a client certificate for net.http.request, since this normally does not<br/>
require such.]]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Thu, 27 May 2021 09:22:07 +0200</pubDate>
</item>
<item>
    <title>Merge 0.11-&gt;trunk</title>
    <link>http://hg.omfa.de/prosody-hg/log/3bbb1af92514/core/certmanager.lua</link>
    <description><![CDATA[Merge 0.11-&gt;trunk]]></description>
    <author>&#77;&#97;&#116;&#116;&#104;&#101;&#119;&#32;&#87;&#105;&#108;&#100;&#32;&#60;&#109;&#119;&#105;&#108;&#100;&#49;&#64;&#103;&#109;&#97;&#105;&#108;&#46;&#99;&#111;&#109;&#62;</author>
    <pubDate>Thu, 13 May 2021 11:17:13 +0100</pubDate>
</item>
<item>
    <title>certmanager: Disable renegotiation by default</title>
    <link>http://hg.omfa.de/prosody-hg/log/aaf9c6b6d18d/core/certmanager.lua</link>
    <description><![CDATA[certmanager: Disable renegotiation by default<br/>
<br/>
This requires LuaSec 0.7+ and OpenSSL 1.1.1+]]></description>
    <author>&#77;&#97;&#116;&#116;&#104;&#101;&#119;&#32;&#87;&#105;&#108;&#100;&#32;&#60;&#109;&#119;&#105;&#108;&#100;&#49;&#64;&#103;&#109;&#97;&#105;&#108;&#46;&#99;&#111;&#109;&#62;</author>
    <pubDate>Tue, 11 May 2021 14:14:15 +0100</pubDate>
</item>
<item>
    <title>core.certmanager: Test for SSL options in absence of LuaSec config</title>
    <link>http://hg.omfa.de/prosody-hg/log/5a484bd050a7/core/certmanager.lua</link>
    <description><![CDATA[core.certmanager: Test for SSL options in absence of LuaSec config]]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Mon, 26 Apr 2021 15:32:05 +0200</pubDate>
</item>
<item>
    <title>core.certmanager: Attempt to directly access LuaSec config table</title>
    <link>http://hg.omfa.de/prosody-hg/log/55ef50d6cf65/core/certmanager.lua</link>
    <description><![CDATA[core.certmanager: Attempt to directly access LuaSec config table<br/>
<br/>
Due to a bug this field was not properly exported before<br/>
See https://github.com/brunoos/luasec/issues/149]]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Mon, 26 Apr 2021 15:30:13 +0200</pubDate>
</item>
<item>
    <title>core.certmanager: Catch error from lfs</title>
    <link>http://hg.omfa.de/prosody-hg/log/30feeb4d9d0b/core/certmanager.lua</link>
    <description><![CDATA[core.certmanager: Catch error from lfs<br/>
<br/>
lfs.dir() throws a hard error if there's a problem, e.g. no such<br/>
directory or permission issues. This also gets called early enough that<br/>
the main loop error protection hasn't been brought up yet, causing a<br/>
proper crash.]]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Fri, 07 May 2021 16:47:58 +0200</pubDate>
</item>
<item>
    <title>core.certmanager: Resolve certs path relative to config dir</title>
    <link>http://hg.omfa.de/prosody-hg/log/a09685a7b330/core/certmanager.lua</link>
    <description><![CDATA[core.certmanager: Resolve certs path relative to config dir<br/>
<br/>
Otherwise the default &quot;certs&quot; would be relative to $PWD, which works<br/>
when testing from a source checkout, but not on installed systems where<br/>
it usually points to the data directory.<br/>
<br/>
Also, the LuaFileSystem dir() iterator throws a hard error, which may<br/>
cause a crash or other problems.]]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Fri, 07 May 2021 16:35:37 +0200</pubDate>
</item>
<item>
    <title>core.certmanager: Skip directly to guessing of key from cert filename</title>
    <link>http://hg.omfa.de/prosody-hg/log/1cef62ca3e03/core/certmanager.lua</link>
    <description><![CDATA[core.certmanager: Skip directly to guessing of key from cert filename<br/>
<br/>
Cuts down on a ton of debug logs]]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Wed, 05 May 2021 15:56:39 +0200</pubDate>
</item>
<item>
    <title>core.certmanager: Join paths with OS-aware util.paths function</title>
    <link>http://hg.omfa.de/prosody-hg/log/f97592336399/core/certmanager.lua</link>
    <description><![CDATA[core.certmanager: Join paths with OS-aware util.paths function<br/>
<br/>
Right thing to do, rather than hardcoding '/']]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Wed, 05 May 2021 15:54:05 +0200</pubDate>
</item>
<item>
    <title>core.certmanager: Build an index over certificates</title>
    <link>http://hg.omfa.de/prosody-hg/log/c0c859425c22/core/certmanager.lua</link>
    <description><![CDATA[core.certmanager: Build an index over certificates]]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Sat, 10 Apr 2021 14:45:40 +0200</pubDate>
</item>
<item>
    <title>core.certmanager: Check for complete filename</title>
    <link>http://hg.omfa.de/prosody-hg/log/2bd91d4a0fcf/core/certmanager.lua</link>
    <description><![CDATA[core.certmanager: Check for complete filename<br/>
<br/>
Prevents a false positive match on files with fullchain.pem as suffix]]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Sat, 10 Apr 2021 14:45:03 +0200</pubDate>
</item>
<item>
    <title>core.certmanager: Add comments explaining the 'verifyext' TLS settings</title>
    <link>http://hg.omfa.de/prosody-hg/log/0bc3acf37428/core/certmanager.lua</link>
    <description><![CDATA[core.certmanager: Add comments explaining the 'verifyext' TLS settings<br/>
<br/>
Thanks to debacle for reminding me, in the context of mod_auth_ccert<br/>
<br/>
I wonder if we still need lsec_ignore_purpose, Let's Encrypt seems to<br/>
include both client and server purposes in certs.]]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Sat, 06 Feb 2021 22:12:38 +0100</pubDate>
</item>
<item>
    <title>core.certmanager: Add TODO about LuaSec issue</title>
    <link>http://hg.omfa.de/prosody-hg/log/8cde06b38fdb/core/certmanager.lua</link>
    <description><![CDATA[core.certmanager: Add TODO about LuaSec issue]]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Sun, 07 Jun 2020 02:12:50 +0200</pubDate>
</item>
<item>
    <title>Merge 0.11-&gt;trunk</title>
    <link>http://hg.omfa.de/prosody-hg/log/3ddc7c9f35dc/core/certmanager.lua</link>
    <description><![CDATA[Merge 0.11-&gt;trunk]]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Mon, 13 Apr 2020 16:14:39 +0200</pubDate>
</item>
<item>
    <title>core.certmanager: Move EECDH ciphers before EDH in default cipherstring (fixes #1513)</title>
    <link>http://hg.omfa.de/prosody-hg/log/3a1b1d3084fb/core/certmanager.lua</link>
    <description><![CDATA[core.certmanager: Move EECDH ciphers before EDH in default cipherstring (fixes #1513)<br/>
<br/>
Backport of 94e341dee51c<br/>
<br/>
The original intent of having kEDH before kEECDH was that if a `dhparam`<br/>
file was specified, this would be interpreted as a preference by the<br/>
admin for old and well-tested Diffie-Hellman key agreement over newer<br/>
elliptic curve ones. Otherwise the faster elliptic curve ciphersuites<br/>
would be preferred. This didn't really work as intended since this<br/>
affects the ClientHello on outgoing s2s connections, leading to some<br/>
servers using poorly configured kEDH.<br/>
<br/>
With Debian shipping OpenSSL settings that enforce a higher security<br/>
level, this caused interoperability problems with servers that use DH<br/>
params smaller than 2048 bits. E.g. jabber.org at the time of this<br/>
writing has 1024 bit DH params.<br/>
<br/>
MattJ says<br/>
&gt; Curves have won, and OpenSSL is less weird about them now]]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Sun, 25 Aug 2019 20:22:35 +0200</pubDate>
</item>
<item>
    <title>Merge 0.11-&gt;trunk</title>
    <link>http://hg.omfa.de/prosody-hg/log/549e408bab14/core/certmanager.lua</link>
    <description><![CDATA[Merge 0.11-&gt;trunk]]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Fri, 10 Apr 2020 19:03:36 +0200</pubDate>
</item>
<item>
    <title>core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)</title>
    <link>http://hg.omfa.de/prosody-hg/log/fcf7f50ccdd0/core/certmanager.lua</link>
    <description><![CDATA[core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)<br/>
<br/>
This makes<br/>
`prosodyctl cert import example.com /path/to/example.com/fullchain.pem`<br/>
work. This was never intended to, yet users commonly tried this and got<br/>
problems.]]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Fri, 10 Apr 2020 16:11:09 +0200</pubDate>
</item>
<item>
    <title>core.portmanager: Fix TLS context inheritance for SNI hosts (completes SNI support)</title>
    <link>http://hg.omfa.de/prosody-hg/log/fbeb7a3fc4eb/core/certmanager.lua</link>
    <description><![CDATA[core.portmanager: Fix TLS context inheritance for SNI hosts (completes SNI support)]]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Fri, 29 Nov 2019 23:24:14 +0100</pubDate>
</item>
<item>
    <title>core.certmanager: Lower severity for tls config not having cert</title>
    <link>http://hg.omfa.de/prosody-hg/log/a36af4570b39/core/certmanager.lua</link>
    <description><![CDATA[core.certmanager: Lower severity for tls config not having cert<br/>
<br/>
This is needed for SNI where certificates are in separate<br/>
per-hostname contexts, not the main one.<br/>
<br/>
If there is a cert, it will still require a corresponding key.]]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Sat, 07 Sep 2019 00:00:40 +0200</pubDate>
</item>
<item>
    <title>core.certmanager: Remove unused import [luacheck]</title>
    <link>http://hg.omfa.de/prosody-hg/log/eeb711b92da5/core/certmanager.lua</link>
    <description><![CDATA[core.certmanager: Remove unused import [luacheck]]]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Sun, 25 Aug 2019 23:25:42 +0200</pubDate>
</item>
<item>
    <title>Remove COMPAT with temporary luasec fork</title>
    <link>http://hg.omfa.de/prosody-hg/log/77f900bbbf25/core/certmanager.lua</link>
    <description><![CDATA[Remove COMPAT with temporary luasec fork<br/>
<br/>
The changes in the temporary fork were merged into mainline luasec ca<br/>
2013 and included in the 0.5 release in 2014.]]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Sun, 25 Aug 2019 23:12:55 +0200</pubDate>
</item>
<item>
    <title>core.certmanager: Move EECDH ciphers before EDH in default cipherstring</title>
    <link>http://hg.omfa.de/prosody-hg/log/94e341dee51c/core/certmanager.lua</link>
    <description><![CDATA[core.certmanager: Move EECDH ciphers before EDH in default cipherstring<br/>
<br/>
The original intent of having kEDH before kEECDH was that if a `dhparam`<br/>
file was specified, this would be interpreted as a preference by the<br/>
admin for old and well-tested Diffie-Hellman key agreement over newer<br/>
elliptic curve ones. Otherwise the faster elliptic curve ciphersuites<br/>
would be preferred. This didn't really work as intended since this<br/>
affects the ClientHello on outgoing s2s connections, leading to some<br/>
servers using poorly configured kEDH.<br/>
<br/>
With Debian shipping OpenSSL settings that enforce a higher security<br/>
level, this caused interoperability problems with servers that use DH<br/>
params smaller than 2048 bits. E.g. jabber.org at the time of this<br/>
writing has 1024 bit DH params.<br/>
<br/>
MattJ says<br/>
&gt; Curves have won, and OpenSSL is less weird about them now]]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Sun, 25 Aug 2019 20:22:35 +0200</pubDate>
</item>
<item>
    <title>core.certmanager: Do not ask for client certificates by default</title>
    <link>http://hg.omfa.de/prosody-hg/log/6ea3cafb6ac3/core/certmanager.lua</link>
    <description><![CDATA[core.certmanager: Do not ask for client certificates by default<br/>
<br/>
Since it's mostly only mod_s2s that needs to request client<br/>
certificates it makes some sense to have mod_s2s ask for this, instead<br/>
of having eg mod_http ask to disable it.]]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Sun, 10 Mar 2019 19:58:28 +0100</pubDate>
</item>
<item>
    <title>Merge 0.10-&gt;trunk</title>
    <link>http://hg.omfa.de/prosody-hg/log/2a0d7fa4c56a/core/certmanager.lua</link>
    <description><![CDATA[Merge 0.10-&gt;trunk]]></description>
    <author>&#75;&#105;&#109;&#32;&#65;&#108;&#118;&#101;&#102;&#117;&#114;&#32;&#60;&#122;&#97;&#115;&#104;&#64;&#122;&#97;&#115;&#104;&#46;&#115;&#101;&#62;</author>
    <pubDate>Fri, 25 May 2018 03:33:13 +0200</pubDate>
</item>

  </channel>
</rss>
