mirrors/prosody
1
0
Fork 0
mirror of https://github.com/bjc/prosody.git synced 2025-04-01 20:27:39 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

core.certmanager: Move LuaSec verification tweaks to mod_s2s

Browse source 
These two settings are only really needed for XMPP server-to-server
connections.
This commit is contained in:
Kim Alvefur 2025-02-15 00:19:01 +01:00
parent f5f2755b63
commit 346f58c9d9
2 changed files with 8 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

4
core/certmanager.lua
View file

@ -189,10 +189,6 @@ local core_defaults = {
single_ecdh_use = tls.features.options.single_ecdh_use;
no_renegotiation = tls.features.options.no_renegotiation;
};
verifyext = {
"lsec_continue", -- Continue past certificate verification errors
"lsec_ignore_purpose", -- Validate client certificates as if they were server certificates
};
curve = tls.features.algorithms.ec and not tls.features.capabilities.curves_list and "secp384r1";
curveslist = {
"X25519",

8
plugins/mod_s2s.lua
View file

@ -1097,6 +1097,10 @@ module:provides("net", {
-- FIXME This only applies to Direct TLS, which we don't use yet.
-- This gets applied for real in mod_tls
verify = { "peer", "client_once", };
verifyext = {
"lsec_continue", -- Continue past certificate verification errors
"lsec_ignore_purpose", -- Validate client certificates as if they were server certificates
};
};
multiplex = {
protocol = "xmpp-server";
@ -1111,6 +1115,10 @@ module:provides("net", {
encryption = "ssl";
ssl_config = {
verify = { "peer", "client_once", };
verifyext = {
"lsec_continue", -- Continue past certificate verification errors
"lsec_ignore_purpose", -- Validate client certificates as if they were server certificates
};
};
multiplex = {
protocol = "xmpp-server";