mirrors/prosody
1
0
Fork 0
mirror of https://github.com/bjc/prosody.git synced 2025-04-03 05:07:42 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

core.certmanager: Add comments explaining the 'verifyext' TLS settings

Browse source 
Thanks to debacle for reminding me, in the context of mod_auth_ccert

I wonder if we still need lsec_ignore_purpose, Let's Encrypt seems to
include both client and server purposes in certs.
This commit is contained in:
Kim Alvefur 2021-02-06 22:12:38 +01:00
parent 89064c8cfb
commit 0f16ee66e2
1 changed files with 4 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

5
core/certmanager.lua
View file

@ -118,7 +118,10 @@ local core_defaults = {
single_dh_use = luasec_has.options.single_dh_use;
single_ecdh_use = luasec_has.options.single_ecdh_use;
};
verifyext = { "lsec_continue", "lsec_ignore_purpose" };
verifyext = {
"lsec_continue", -- Continue past certificate verification errors
"lsec_ignore_purpose", -- Validate client certificates as if they were server certificates
};
curve = luasec_has.algorithms.ec and not luasec_has.capabilities.curves_list and "secp384r1";
curveslist = {
"X25519",