mirrors/prosody
1
0
Fork 0
mirror of https://github.com/bjc/prosody.git synced 2025-04-03 21:27:38 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

net.http: fail open if surrounding code does not configure TLS

Browse source 
Previously, if surrounding code was not configuring the TLS context
used default in net.http, it would not validate certificates at all.

This is not a security issue with prosody, because prosody updates the
context with `verify = "peer"` as well as paths to CA certificates in
util.startup.init_http_client.

Nevertheless... Let's not leave this pitfall out there in the open.
This commit is contained in:
Jonas Schäfer 2021-08-29 15:04:47 +02:00
parent 43345d4169
commit 52a9ddd22a
1 changed files with 1 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
net/http.lua
View file

@ -332,7 +332,7 @@ local function new(options)
end
local default_http = new({
sslctx = { mode = "client", protocol = "sslv23", options = { "no_sslv2", "no_sslv3" }, alpn = "http/1.1" };
sslctx = { mode = "client", protocol = "sslv23", options = { "no_sslv2", "no_sslv3" }, alpn = "http/1.1", verify = "peer" };
suppress_errors = true;
});