Commit graph

121 commits

Author SHA1 Message Date
Kim Alvefur
fb5e6faad6 core.certmanager: Add TODO about LuaSec issue 2020-06-07 02:12:50 +02:00
Kim Alvefur
64ea805d66 Merge 0.11->trunk 2020-04-10 19:03:36 +02:00
Kim Alvefur
96620cafe5 core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
This makes
`prosodyctl cert import example.com /path/to/example.com/fullchain.pem`
work. This was never intended to, yet users commonly tried this and got
problems.
2020-04-10 16:11:09 +02:00
Kim Alvefur
1f33d9c6bb core.portmanager: Fix TLS context inheritance for SNI hosts (completes SNI support) 2019-11-29 23:24:14 +01:00
Kim Alvefur
5bba716be9 core.certmanager: Lower severity for tls config not having cert
This is needed for SNI where certificates are in separate
per-hostname contexts, not the main one.

If there is a cert, it will still require a corresponding key.
2019-09-07 00:00:40 +02:00
Kim Alvefur
f39535cfd0 core.certmanager: Remove unused import [luacheck] 2019-08-25 23:25:42 +02:00
Kim Alvefur
b16782257d Remove COMPAT with temporary luasec fork
The changes in the temporary fork were merged into mainline luasec ca
2013 and included in the 0.5 release in 2014.
2019-08-25 23:12:55 +02:00
Kim Alvefur
df3f84ce54 core.certmanager: Move EECDH ciphers before EDH in default cipherstring
The original intent of having kEDH before kEECDH was that if a `dhparam`
file was specified, this would be interpreted as a preference by the
admin for old and well-tested Diffie-Hellman key agreement over newer
elliptic curve ones. Otherwise the faster elliptic curve ciphersuites
would be preferred. This didn't really work as intended since this
affects the ClientHello on outgoing s2s connections, leading to some
servers using poorly configured kEDH.

With Debian shipping OpenSSL settings that enforce a higher security
level, this caused interoperability problems with servers that use DH
params smaller than 2048 bits. E.g. jabber.org at the time of this
writing has 1024 bit DH params.

MattJ says
> Curves have won, and OpenSSL is less weird about them now
2019-08-25 20:22:35 +02:00
Kim Alvefur
dedba5658e Merge 0.10->trunk 2018-05-25 03:33:13 +02:00
Kim Alvefur
400d3337aa core.certmanager: Allow all non-whitespace in service name (fixes #1019) 2018-05-25 03:30:16 +02:00
Kim Alvefur
43b814a83b various: Add annotation when an empty environment is set [luacheck] 2018-02-28 20:06:26 +01:00
Kim Alvefur
b8915c9db4 certmanager: Check for missing certificate before key in configuration (should be marginally less confusing) 2017-12-28 17:32:56 +01:00
Kim Alvefur
0158bad7ad certmanager: Set single curve conditioned on LuaSec advertising EC crypto support 2017-11-20 00:27:26 +01:00
Kim Alvefur
b9005e7b8a certmanager: Filter out curves not supported by LuaSec 2017-11-20 00:26:41 +01:00
Kim Alvefur
0315d775b2 certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7 2017-11-20 00:25:18 +01:00
Kim Alvefur
e1a94acbb9 core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1 2017-09-27 15:45:07 +02:00
Kim Alvefur
296e430244 prosodyctl: cert import: Reuse function from certmanager for locating certificates and keys 2017-09-27 15:21:20 +02:00
Matthew Wild
2ae9801ba6 certmanager: Add debug logging (thanks av6) 2017-09-23 17:13:29 +01:00
Kim Alvefur
f65858dd27 certmanager: Update the 'certificates' option after the config has been reloaded (fixes #929) 2017-06-01 14:03:50 +02:00
Kim Alvefur
269b993aee core.certmanager: Translate "no start line" to something friendlier (thanks santiago) 2016-11-26 20:08:48 +01:00
Kim Alvefur
b421c1992e core.certmanager: Split cipher list into array with comments explaining each part 2016-09-12 15:49:24 +02:00
Kim Alvefur
0e989e1401 certmanager: Assume default config path of '.' (fixes prosodyctl check certs when not installed) 2016-07-29 11:24:28 +02:00
Matthew Wild
71b31dde25 certmanager: Explicitly tonumber() version number segments before doing arithmetic and avoid relying on implicit coercion (thanks David Favro) 2016-03-26 19:55:08 +00:00
Matthew Wild
68d19b7be1 certmanager: Localize tonumber 2016-02-18 13:48:45 +00:00
Kim Alvefur
ef1ad262f7 certmanager: Try filename.key if certificate is set to a full filename ending with .crt 2016-02-05 16:12:01 +01:00
Kim Alvefur
439a62a853 certmanager: Apply global ssl config later so certificate/key is not overwritten by magic 2016-02-05 15:03:39 +01:00
Matthew Wild
e2b370c6bf certmanager: Support new certificate configuration for non-XMPP services too (fixes #614) 2016-02-05 00:03:41 +00:00
Kim Alvefur
c32b0e36d6 core.certmanager: Look for certificate and key in a few different places 2016-02-03 22:44:29 +01:00
Kim Alvefur
14d22d84e4 core.certmanager: Remove non-string filenames (allows setting eg capath to false to disable the built in default) 2015-10-11 19:44:15 +02:00
Kim Alvefur
27265c20e2 core.*: Remove use of module() function 2015-02-21 10:42:19 +01:00
Kim Alvefur
b7a38c8c93 certmanager: Fix compat for MattJ's old LuaSec fork 2015-02-05 17:23:53 +01:00
Kim Alvefur
f715115939 certmanager: Fix previous commit 2015-02-05 17:21:05 +01:00
Kim Alvefur
664c92cdde certmanager: Limit certificate chain depth to 9 2015-02-05 16:59:34 +01:00
Kim Alvefur
3581c71067 certmanager: Options that appear to be available since LuaSec 0.2 2015-02-05 16:56:28 +01:00
Kim Alvefur
bf57457852 certmanager: Improve "detection" of features that depend on LuaSec version 2015-02-05 16:20:50 +01:00
Kim Alvefur
fb96020a96 certmanager: Add locals for ssl.context and ssl.x509 2015-02-05 15:14:35 +01:00
Kim Alvefur
7565573fec certmanager: Early return from the entire module if LuaSec is unavailable 2015-02-05 15:10:23 +01:00
Matthew Wild
186f9ee295 certmanager: Make global variable access explicit 2015-01-20 11:29:38 +00:00
Kim Alvefur
49ba0ce08d certmanager, mod_tls: Return final ssl config as third return value (fix for c6caaa440e74, portmanager assumes non-falsy second return value is an error) (thanks deoren) 2014-11-22 11:51:54 +01:00
Kim Alvefur
843afaf372 certmanager: Return final ssl config along with ssl context on success 2014-11-19 14:47:03 +01:00
Kim Alvefur
349d03f965 core.certmanager: Make create_context() support an arbitrary number of option sets, merging all 2014-07-03 15:32:26 +02:00
Kim Alvefur
40cbe58541 core.certmanager: Use util.sslconfig 2014-07-03 15:31:12 +02:00
Kim Alvefur
36b77bca8b core.certmanager, core.moduleapi, mod_storage_sql, mod_storage_sql2: Import from util.paths 2014-05-09 19:35:29 +02:00
Kim Alvefur
2b09f7cffb certmanager: Move ssl.protocol handling to after ssl.options is a table (thanks Ralph) 2014-04-21 02:43:09 +02:00
Kim Alvefur
aa3344731d certmanager: Fix traceback if no global 'ssl' section set (thanks albert) 2014-04-20 21:25:26 +02:00
Kim Alvefur
42c69fe339 certmanager: Update ssl_compression when config is reloaded 2014-04-15 01:02:56 +02:00
Kim Alvefur
1d19874ae8 certmanager: Reformat core ssl defaults 2014-04-15 00:49:17 +02:00
Kim Alvefur
9f51849d63 certmanager: Support ssl.protocol syntax like "tlsv1+" that disables older protocols 2014-04-15 00:45:07 +02:00
Kim Alvefur
38b74a51ef certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost 2014-04-15 00:32:11 +02:00
Kim Alvefur
a0daf05646 certmanager: Wrap long line and add comment 2014-04-14 23:41:26 +02:00