Kim Alvefur
5291ea4c7c
core.certmanager: Move EECDH ciphers before EDH in default cipherstring (fixes #1513)
Backport of 94e341dee51c
The original intent of having kEDH before kEECDH was that if a `dhparam`
file was specified, this would be interpreted as a preference by the
admin for old and well-tested Diffie-Hellman key agreement over newer
elliptic curve ones. Otherwise the faster elliptic curve ciphersuites
would be preferred. This didn't really work as intended since this
affects the ClientHello on outgoing s2s connections, leading to some
servers using poorly configured kEDH.
With Debian shipping OpenSSL settings that enforce a higher security
level, this caused interoperability problems with servers that use DH
params smaller than 2048 bits. E.g. jabber.org at the time of this
writing has 1024 bit DH params.
MattJ says
> Curves have won, and OpenSSL is less weird about them now
6 years ago
Kim Alvefur
96620cafe5
core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
This makes
`prosodyctl cert import example.com /path/to/example.com/fullchain.pem`
work. This was never intended to, yet users commonly tried this and got
problems.
6 years ago
Kim Alvefur
fb5e6faad6
core.certmanager: Add TODO about LuaSec issue
6 years ago
Kim Alvefur
1f33d9c6bb
core.portmanager: Fix TLS context inheritance for SNI hosts (completes SNI support)
6 years ago
Kim Alvefur
5bba716be9
core.certmanager: Lower severity for tls config not having cert
This is needed for SNI where certificates are in separate
per-hostname contexts, not the main one.
If there is a cert, it will still require a corresponding key.
6 years ago
Kim Alvefur
f39535cfd0
core.certmanager: Remove unused import [luacheck]
6 years ago
Kim Alvefur
b16782257d
Remove COMPAT with temporary luasec fork
The changes in the temporary fork were merged into mainline luasec ca
2013 and included in the 0.5 release in 2014.
6 years ago
Kim Alvefur
df3f84ce54
core.certmanager: Move EECDH ciphers before EDH in default cipherstring
The original intent of having kEDH before kEECDH was that if a `dhparam`
file was specified, this would be interpreted as a preference by the
admin for old and well-tested Diffie-Hellman key agreement over newer
elliptic curve ones. Otherwise the faster elliptic curve ciphersuites
would be preferred. This didn't really work as intended since this
affects the ClientHello on outgoing s2s connections, leading to some
servers using poorly configured kEDH.
With Debian shipping OpenSSL settings that enforce a higher security
level, this caused interoperability problems with servers that use DH
params smaller than 2048 bits. E.g. jabber.org at the time of this
writing has 1024 bit DH params.
MattJ says
> Curves have won, and OpenSSL is less weird about them now
6 years ago
Kim Alvefur
400d3337aa
core.certmanager: Allow all non-whitespace in service name (fixes #1019)
8 years ago
Kim Alvefur
b8915c9db4
certmanager: Check for missing certificate before key in configuration (should be marginally less confusing)
8 years ago
Kim Alvefur
0158bad7ad
certmanager: Set single curve conditioned on LuaSec advertising EC crypto support
8 years ago
Kim Alvefur
b9005e7b8a
certmanager: Filter out curves not supported by LuaSec
8 years ago
Kim Alvefur
0315d775b2
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
8 years ago
Kim Alvefur
e1a94acbb9
core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
8 years ago
Kim Alvefur
296e430244
prosodyctl: cert import: Reuse function from certmanager for locating certificates and keys
8 years ago
Matthew Wild
2ae9801ba6
certmanager: Add debug logging (thanks av6)
8 years ago
Kim Alvefur
f65858dd27
certmanager: Update the 'certificates' option after the config has been reloaded (fixes #929)
9 years ago
Kim Alvefur
43b814a83b
various: Add annotation when an empty environment is set [luacheck]
8 years ago
Kim Alvefur
269b993aee
core.certmanager: Translate "no start line" to something friendlier (thanks santiago)
9 years ago
Kim Alvefur
b421c1992e
core.certmanager: Split cipher list into array with comments explaining each part
9 years ago
Kim Alvefur
0e989e1401
certmanager: Assume default config path of '.' (fixes prosodyctl check certs when not installed)
10 years ago
Matthew Wild
71b31dde25
certmanager: Explicitly tonumber() version number segments before doing arithmetic and avoid relying on implicit coercion (thanks David Favro)
10 years ago
Matthew Wild
68d19b7be1
certmanager: Localize tonumber
10 years ago
Kim Alvefur
ef1ad262f7
certmanager: Try filename.key if certificate is set to a full filename ending with .crt
10 years ago
Kim Alvefur
439a62a853
certmanager: Apply global ssl config later so certificate/key is not overwritten by magic
10 years ago
Matthew Wild
e2b370c6bf
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
10 years ago
Kim Alvefur
c32b0e36d6
core.certmanager: Look for certificate and key in a few different places
10 years ago
Kim Alvefur
14d22d84e4
core.certmanager: Remove non-string filenames (allows setting eg capath to false to disable the built in default)
10 years ago
Kim Alvefur
27265c20e2
core.*: Remove use of module() function
11 years ago
Kim Alvefur
b7a38c8c93
certmanager: Fix compat for MattJ's old LuaSec fork
11 years ago
Kim Alvefur
f715115939
certmanager: Fix previous commit
11 years ago
Kim Alvefur
664c92cdde
certmanager: Limit certificate chain depth to 9
11 years ago
Kim Alvefur
3581c71067
certmanager: Options that appear to be available since LuaSec 0.2
11 years ago
Kim Alvefur
bf57457852
certmanager: Improve "detection" of features that depend on LuaSec version
11 years ago
Kim Alvefur
fb96020a96
certmanager: Add locals for ssl.context and ssl.x509
11 years ago
Kim Alvefur
7565573fec
certmanager: Early return from the entire module if LuaSec is unavailable
11 years ago
Matthew Wild
186f9ee295
certmanager: Make global variable access explicit
11 years ago
Kim Alvefur
49ba0ce08d
certmanager, mod_tls: Return final ssl config as third return value (fix for c6caaa440e74, portmanager assumes non-falsy second return value is an error) (thanks deoren)
11 years ago
Kim Alvefur
843afaf372
certmanager: Return final ssl config along with ssl context on success
11 years ago
Matthew Wild
26cd63e77f
certmanager, net.http: Disable SSLv3 by default
11 years ago
Kim Alvefur
349d03f965
core.certmanager: Make create_context() support an arbitrary number of option sets, merging all
12 years ago
Kim Alvefur
40cbe58541
core.certmanager: Use util.sslconfig
12 years ago
Kim Alvefur
36b77bca8b
core.certmanager, core.moduleapi, mod_storage_sql, mod_storage_sql2: Import from util.paths
12 years ago
Kim Alvefur
2b09f7cffb
certmanager: Move ssl.protocol handling to after ssl.options is a table (thanks Ralph)
12 years ago
Kim Alvefur
aa3344731d
certmanager: Fix traceback if no global 'ssl' section set (thanks albert)
12 years ago
Kim Alvefur
42c69fe339
certmanager: Update ssl_compression when config is reloaded
12 years ago
Kim Alvefur
1d19874ae8
certmanager: Reformat core ssl defaults
12 years ago
Kim Alvefur
9f51849d63
certmanager: Support ssl.protocol syntax like "tlsv1+" that disables older protocols
12 years ago
Kim Alvefur
38b74a51ef
certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost
12 years ago
Kim Alvefur
a0daf05646
certmanager: Wrap long line and add comment
12 years ago