prosody/core/certmanager.lua

-- Prosody IM
-- Copyright (C) 2008-2010 Matthew Wild
-- Copyright (C) 2008-2010 Waqas Hussain
--
-- This project is MIT/X11 licensed. Please see the
-- COPYING file in the source package for more information.
--

local configmanager = require "core.configmanager";
local log = require "util.logger".init("certmanager");
local ssl = ssl;
local ssl_newcontext = ssl and ssl.newcontext;

local tostring = tostring;
local pairs = pairs;

local prosody = prosody;
local resolve_path = configmanager.resolve_relative_path;
local config_path = prosody.paths.config;

local luasec_has_noticket, luasec_has_verifyext, luasec_has_no_compression;
if ssl then
	local luasec_major, luasec_minor = ssl._VERSION:match("^(%d+)%.(%d+)");
	luasec_has_noticket = tonumber(luasec_major)>0 or tonumber(luasec_minor)>=4;
	luasec_has_verifyext = tonumber(luasec_major)>0 or tonumber(luasec_minor)>=5;
	luasec_has_no_compression = tonumber(luasec_major)>0 or tonumber(luasec_minor)>=5;
end

module "certmanager"

-- Global SSL options if not overridden per-host
local global_ssl_config = configmanager.get("*", "ssl");

local core_defaults = {
	capath = "/etc/ssl/certs";
	protocol = "sslv23";
	verify = (ssl and ssl.x509 and { "peer", "client_once", }) or "none";
	options = { "no_sslv2", luasec_has_noticket and "no_ticket" or nil };
	verifyext = { "lsec_continue", "lsec_ignore_purpose" };
	curve = "secp384r1";
	ciphers = "HIGH:!DSS:!aNULL@STRENGTH";
}
local path_options = { -- These we pass through resolve_path()
	key = true, certificate = true, cafile = true, capath = true
}

if ssl and not luasec_has_verifyext and ssl.x509 then
	-- COMPAT mw/luasec-hg
	for i=1,#core_defaults.verifyext do -- Remove lsec_ prefix
		core_defaults.verify[#core_defaults.verify+1] = core_defaults.verifyext[i]:sub(6);
	end
end

if luasec_has_no_compression and configmanager.get("*", "ssl_compression") ~= true then
	core_defaults.options[#core_defaults.options+1] = "no_compression";
end

function create_context(host, mode, user_ssl_config)
	user_ssl_config = user_ssl_config or {}
	user_ssl_config.mode = mode;

	if not ssl then return nil, "LuaSec (required for encryption) was not found"; end

	if global_ssl_config then
		for option,default_value in pairs(global_ssl_config) do
			if not user_ssl_config[option] then
				user_ssl_config[option] = default_value;
			end
		end
	end
	for option,default_value in pairs(core_defaults) do
		if not user_ssl_config[option] then
			user_ssl_config[option] = default_value;
		end
	end
	user_ssl_config.password = user_ssl_config.password or function() log("error", "Encrypted certificate for %s requires 'ssl' 'password' to be set in config", host); end;
	for option in pairs(path_options) do
		user_ssl_config[option] = user_ssl_config[option] and resolve_path(config_path, user_ssl_config[option]);
	end

	if not user_ssl_config.key then return nil, "No key present in SSL/TLS configuration for "..host; end
	if not user_ssl_config.certificate then return nil, "No certificate present in SSL/TLS configuration for "..host; end

	local ctx, err = ssl_newcontext(user_ssl_config);

	-- COMPAT Older LuaSec ignores the cipher list from the config, so we have to take care
	-- of it ourselves (W/A for #x)
	if ctx and user_ssl_config.ciphers then
		local success;
		success, err = ssl.context.setcipher(ctx, user_ssl_config.ciphers);
		if not success then ctx = nil; end
	end

	if not ctx then
		err = err or "invalid ssl config"
		local file = err:match("^error loading (.-) %(");
		if file then
			if file == "private key" then
				file = user_ssl_config.key or "your private key";
			elseif file == "certificate" then
				file = user_ssl_config.certificate or "your certificate file";
			end
			local reason = err:match("%((.+)%)$") or "some reason";
			if reason == "Permission denied" then
				reason = "Check that the permissions allow Prosody to read this file.";
			elseif reason == "No such file or directory" then
				reason = "Check that the path is correct, and the file exists.";
			elseif reason == "system lib" then
				reason = "Previous error (see logs), or other system error.";
			elseif reason == "(null)" or not reason then
				reason = "Check that the file exists and the permissions are correct";
			else
				reason = "Reason: "..tostring(reason):lower();
			end
			log("error", "SSL/TLS: Failed to load '%s': %s (for %s)", file, reason, host);
		else
			log("error", "SSL/TLS: Error initialising for %s: %s", host, err);
		end
	end
	return ctx, err;
end

function reload_ssl_config()
	global_ssl_config = configmanager.get("*", "ssl");
end

prosody.events.add_handler("config-reloaded", reload_ssl_config);

return _M;
certmanager: Added copyright header. 16 years ago			`-- Prosody IM`
			`-- Copyright (C) 2008-2010 Matthew Wild`
			`-- Copyright (C) 2008-2010 Waqas Hussain`
Remove all trailing whitespace 13 years ago			`--`
certmanager: Added copyright header. 16 years ago			`-- This project is MIT/X11 licensed. Please see the`
			`-- COPYING file in the source package for more information.`
			`--`

certmanager: Hello world, I'm come to manage your SSL contexts 16 years ago			`local configmanager = require "core.configmanager";`
certmanager: Bring back the friendly errors when failing to load the key/certificate file 16 years ago			`local log = require "util.logger".init("certmanager");`
certmanager: Hello world, I'm come to manage your SSL contexts 16 years ago			`local ssl = ssl;`
certmanager: Fix traceback with no LuaSec 16 years ago			`local ssl_newcontext = ssl and ssl.newcontext;`
certmanager: Hello world, I'm come to manage your SSL contexts 16 years ago
certmanager: Remove unused import of setmetatable 14 years ago			`local tostring = tostring;`
certmanager: Overhaul of how ssl configs are built. 13 years ago			`local pairs = pairs;`
certmanager: Hello world, I'm come to manage your SSL contexts 16 years ago
			`local prosody = prosody;`
prosody, configmanager, certmanager: Relocate prosody.resolve_relative_path() to configmanager, and update certmanager (the only user of this function) 15 years ago			`local resolve_path = configmanager.resolve_relative_path;`
prosody.resolve_relative_path: Updated to take a parent path to resolve against. 16 years ago			`local config_path = prosody.paths.config;`
certmanager: Hello world, I'm come to manage your SSL contexts 16 years ago
certmanager: Disable SSL compression if possible (LuaSec 0.5 or 0.4.1+OpenSSL 1.x) 13 years ago			`local luasec_has_noticket, luasec_has_verifyext, luasec_has_no_compression;`
certmanager: Fix for traceback WITH LuaSec... (!) (thanks IRON) 14 years ago			`if ssl then`
			`local luasec_major, luasec_minor = ssl._VERSION:match("^(%d+)%.(%d+)");`
			`luasec_has_noticket = tonumber(luasec_major)>0 or tonumber(luasec_minor)>=4;`
core.certmanager: Add support for LuaSec 0.5. Also compat with MattJs luasec-hg 13 years ago			`luasec_has_verifyext = tonumber(luasec_major)>0 or tonumber(luasec_minor)>=5;`
certmanager: Disable SSL compression if possible (LuaSec 0.5 or 0.4.1+OpenSSL 1.x) 13 years ago			`luasec_has_no_compression = tonumber(luasec_major)>0 or tonumber(luasec_minor)>=5;`
certmanager: Fix for traceback WITH LuaSec... (!) (thanks IRON) 14 years ago			`end`
certmanager: Don't use no_ticket option before LuaSec 0.4 14 years ago
certmanager: Hello world, I'm come to manage your SSL contexts 16 years ago			`module "certmanager"`

			`-- Global SSL options if not overridden per-host`
certmanager: Overhaul of how ssl configs are built. 13 years ago			`local global_ssl_config = configmanager.get("*", "ssl");`

			`local core_defaults = {`
			`capath = "/etc/ssl/certs";`
			`protocol = "sslv23";`
			`verify = (ssl and ssl.x509 and { "peer", "client_once", }) or "none";`
			`options = { "no_sslv2", luasec_has_noticket and "no_ticket" or nil };`
			`verifyext = { "lsec_continue", "lsec_ignore_purpose" };`
			`curve = "secp384r1";`
Merge 0.9->trunk 13 years ago			`ciphers = "HIGH:!DSS:!aNULL@STRENGTH";`
certmanager: Overhaul of how ssl configs are built. 13 years ago			`}`
			`local path_options = { -- These we pass through resolve_path()`
			`key = true, certificate = true, cafile = true, capath = true`
			`}`
core.certmanager: Add support for LuaSec 0.5. Also compat with MattJs luasec-hg 13 years ago
certmanager: Fix nil index if no LuaSec available 13 years ago			`if ssl and not luasec_has_verifyext and ssl.x509 then`
core.certmanager: Add support for LuaSec 0.5. Also compat with MattJs luasec-hg 13 years ago			`-- COMPAT mw/luasec-hg`
certmanager: Overhaul of how ssl configs are built. 13 years ago			`for i=1,#core_defaults.verifyext do -- Remove lsec_ prefix`
			`core_defaults.verify[#core_defaults.verify+1] = core_defaults.verifyext[i]:sub(6);`
core.certmanager: Add support for LuaSec 0.5. Also compat with MattJs luasec-hg 13 years ago			`end`
			`end`
certmanager: Hello world, I'm come to manage your SSL contexts 16 years ago
certmanager: Overhaul of how ssl configs are built. 13 years ago			`if luasec_has_no_compression and configmanager.get("*", "ssl_compression") ~= true then`
			`core_defaults.options[#core_defaults.options+1] = "no_compression";`
certmanager: Add single_dh_use and single_ecdh_use to default options 13 years ago			`end`

certmanager, hostmanager, mod_tls: Move responsibility for creating per-host SSL contexts to mod_tls, meaning reloading certs is now as trivial as reloading mod_tls 15 years ago			`function create_context(host, mode, user_ssl_config)`
certmanager: Overhaul of how ssl configs are built. 13 years ago			`user_ssl_config = user_ssl_config or {}`
			`user_ssl_config.mode = mode;`
certmanager: Fix to handle the case of no SSL configuration at all 16 years ago
Merge 0.7->trunk 16 years ago			`if not ssl then return nil, "LuaSec (required for encryption) was not found"; end`
certmanager: Overhaul of how ssl configs are built. 13 years ago
			`if global_ssl_config then`
			`for option,default_value in pairs(global_ssl_config) do`
			`if not user_ssl_config[option] then`
			`user_ssl_config[option] = default_value;`
			`end`
			`end`
			`end`
			`for option,default_value in pairs(core_defaults) do`
			`if not user_ssl_config[option] then`
			`user_ssl_config[option] = default_value;`
			`end`
			`end`
			`user_ssl_config.password = user_ssl_config.password or function() log("error", "Encrypted certificate for %s requires 'ssl' 'password' to be set in config", host); end;`
			`for option in pairs(path_options) do`
			`user_ssl_config[option] = user_ssl_config[option] and resolve_path(config_path, user_ssl_config[option]);`
			`end`

certmanager: Complain if key or certificate is missing from SSL config. 13 years ago			`if not user_ssl_config.key then return nil, "No key present in SSL/TLS configuration for "..host; end`
			`if not user_ssl_config.certificate then return nil, "No certificate present in SSL/TLS configuration for "..host; end`
certmanager: Overhaul of how ssl configs are built. 13 years ago
			`local ctx, err = ssl_newcontext(user_ssl_config);`

			`-- COMPAT Older LuaSec ignores the cipher list from the config, so we have to take care`
certmanager: Support setting ciphers in SSL config. LuaSec apparently ignores the documented ciphers option. 15 years ago			`-- of it ourselves (W/A for #x)`
			`if ctx and user_ssl_config.ciphers then`
			`local success;`
			`success, err = ssl.context.setcipher(ctx, user_ssl_config.ciphers);`
			`if not success then ctx = nil; end`
			`end`

certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147 16 years ago			`if not ctx then`
			`err = err or "invalid ssl config"`
			`local file = err:match("^error loading (.-) %(");`
			`if file then`
			`if file == "private key" then`
certmanager: Overhaul of how ssl configs are built. 13 years ago			`file = user_ssl_config.key or "your private key";`
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147 16 years ago			`elseif file == "certificate" then`
certmanager: Overhaul of how ssl configs are built. 13 years ago			`file = user_ssl_config.certificate or "your certificate file";`
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147 16 years ago			`end`
			`local reason = err:match("%((.+)%)$") or "some reason";`
			`if reason == "Permission denied" then`
			`reason = "Check that the permissions allow Prosody to read this file.";`
			`elseif reason == "No such file or directory" then`
			`reason = "Check that the path is correct, and the file exists.";`
			`elseif reason == "system lib" then`
			`reason = "Previous error (see logs), or other system error.";`
			`elseif reason == "(null)" or not reason then`
			`reason = "Check that the file exists and the permissions are correct";`
certmanager: Bring back the friendly errors when failing to load the key/certificate file 16 years ago			`else`
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147 16 years ago			`reason = "Reason: "..tostring(reason):lower();`
certmanager: Bring back the friendly errors when failing to load the key/certificate file 16 years ago			`end`
certmanager: Add quotes around cert file path when logging. 14 years ago			`log("error", "SSL/TLS: Failed to load '%s': %s (for %s)", file, reason, host);`
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147 16 years ago			`else`
certmanager: Adjust error messages to be non-specific about 'host' (so we can specify a service name instead ffor SSL) 14 years ago			`log("error", "SSL/TLS: Error initialising for %s: %s", host, err);`
certmanager: Adjust paths of SSL key/certs to be relative to the config file, fixes #147 16 years ago			`end`
Monster whitespace commit (beware the whitespace monster). 15 years ago			`end`
			`return ctx, err;`
certmanager: Hello world, I'm come to manage your SSL contexts 16 years ago			`end`

			`function reload_ssl_config()`
certmanager: Overhaul of how ssl configs are built. 13 years ago			`global_ssl_config = configmanager.get("*", "ssl");`
certmanager: Hello world, I'm come to manage your SSL contexts 16 years ago			`end`

			`prosody.events.add_handler("config-reloaded", reload_ssl_config);`

			`return _M;`