
core.portmanager: Restore use of per-host 'ssl' for SNI hosts. Fixes .

This was an unintentional regression, as per-host 'ssl' options became valid
in 0.12 when SNI support was added for direct TLS ports. While we encourage
most people to use the simpler automatic certificate selection (and it seems
most do, given that this bug went unnoticed), there are likely always going to
be use cases for manually-configured certificates.

The issue was introduced in commit 7e9ebdc75ce4 which inadvertently removed
the per-host option checking for SNI.
This commit is contained in:
Kim Alvefur 2025-03-29 22:25:19 +01:00
parent be51e54c68
commit 96aadab60b


@ -245,22 +245,26 @@ local function add_sni_host(host, service)
for name, interface, port, n, active_service --luacheck: ignore 213
in active_services:iter(service, nil, nil, nil) do
if active_service.server and active_service.tls_cfg then
local config_prefix = (active_service.config_prefix or name).."_";
if config_prefix == "_" then config_prefix = ""; end
local prefix_ssl_config = config.get(host, config_prefix.."ssl");
local alternate_host = name and config.get(host, name.."_host");
if not alternate_host and name == "https" then
-- TODO should this be some generic thing? e.g. in the service definition
alternate_host = config.get(host, "http_host");
end
local autocert = certmanager.find_host_cert(alternate_host or host);
local manualcert = active_service.tls_cfg;
local certificate = (autocert and autocert.certificate) or manualcert.certificate;
local key = (autocert and autocert.key) or manualcert.key;
local ok, err = active_service.server:sslctx():set_sni_host(
host,
certificate,
key
);
if not ok then
local ssl, err, cfg = certmanager.create_context(alternate_host or host, "server", prefix_ssl_config, active_service.tls_cfg);
if not ssl then
log("error", "Error creating TLS context for SNI host %s: %s", host, err);
else
local ok, err = active_service.server:sslctx():set_sni_host(
host,
cfg.certificate,
cfg.key
);
if not ok then
log("error", "Error creating TLS context for SNI host %s: %s", host, err);
end
end
end
end
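Review bot: The error logged after the inner `set_sni_host` call fails reuses the context-creation wording, so a certificate that loads fine but is rejected when registered for SNI is reported as "Error creating TLS context", which makes the two failure modes indistinguishable in the log; I would change that line to `log("error", "Error setting SNI certificate for host %s: %s", host, err);`. The inner `local ok, err` also shadows the `err` returned by `certmanager.create_context` two lines above, which luacheck will flag and which makes the message one step harder to trace; naming it `sni_err` avoids that. It also looks like the context returned as `ssl` is only needed for the resolved `cfg` and is otherwise discarded, so if `create_context` does the full certificate/key load, a resolve-only helper would avoid loading every SNI host's key twice (hedged: the helper's behaviour is outside this hunk). The enclosing `add_sni_host` function starts and ends outside the hunk.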