prosody

Commit Graph

Author	SHA1	Message	Date
Matthew Wild	f0c2ed1201	certmanager: Disable renegotiation by default This requires LuaSec 0.7+ and OpenSSL 1.1.1+	5 years ago
Kim Alvefur	b369dea3d8	core.certmanager: Test for SSL options in absence of LuaSec config	5 years ago
Kim Alvefur	a174420e52	core.certmanager: Attempt to directly access LuaSec config table Due to a bug this field was not properly exported before See https://github.com/brunoos/luasec/issues/149	5 years ago
Kim Alvefur	5291ea4c7c	core.certmanager: Move EECDH ciphers before EDH in default cipherstring (fixes #1513 ) Backport of 94e341dee51c The original intent of having kEDH before kEECDH was that if a `dhparam` file was specified, this would be interpreted as a preference by the admin for old and well-tested Diffie-Hellman key agreement over newer elliptic curve ones. Otherwise the faster elliptic curve ciphersuites would be preferred. This didn't really work as intended since this affects the ClientHello on outgoing s2s connections, leading to some servers using poorly configured kEDH. With Debian shipping OpenSSL settings that enforce a higher security level, this caused interoperability problems with servers that use DH params smaller than 2048 bits. E.g. jabber.org at the time of this writing has 1024 bit DH params. MattJ says > Curves have won, and OpenSSL is less weird about them now	6 years ago
Kim Alvefur	96620cafe5	core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526 ) This makes `prosodyctl cert import example.com /path/to/example.com/fullchain.pem` work. This was never intended to, yet users commonly tried this and got problems.	6 years ago
Kim Alvefur	4d26d4cb15	core.certmanager: Support 'use_dane' setting to enable DANE support Removes the need to enable DANE with two separate settings. Previously you had to also set `ssl = { dane = true }` to activate DANE support in LuaSec and OpenSSL.	5 years ago
Kim Alvefur	8df4b320f4	core.certmanager: Skip service certificate lookup for https client Quick Fix\u{2122} to stop prevent certmanager from automatically adding a client certificate for net.http.request, since this normally does not require such.	5 years ago
Kim Alvefur	37ad3b8fb2	core.certmanager: Catch error from lfs lfs.dir() throws a hard error if there's a problem, e.g. no such directory or permission issues. This also gets called early enough that the main loop error protection hasn't been brought up yet, causing a proper crash.	5 years ago
Kim Alvefur	2c902f163f	core.certmanager: Resolve certs path relative to config dir Otherwise the default "certs" would be relative to $PWD, which works when testing from a source checkout, but not on installed systems where it usually points to the data directory. Also, the LuaFileSystem dir() iterator throws a hard error, which may cause a crash or other problems.	5 years ago
Kim Alvefur	f2a8b90b30	core.certmanager: Skip directly to guessing of key from cert filename Cuts down on a ton of debug logs	5 years ago
Kim Alvefur	2d707a905f	core.certmanager: Join paths with OS-aware util.paths function Right thing to do, rather than hardcoding '/'	5 years ago
Kim Alvefur	c372b19359	core.certmanager: Build an index over certificates	5 years ago
Kim Alvefur	003e8f633a	core.certmanager: Check for complete filename Prevents a false positive match on files with fullchain.pem as suffix	5 years ago
Kim Alvefur	3fd016e66a	core.certmanager: Add comments explaining the 'verifyext' TLS settings Thanks to debacle for reminding me, in the context of mod_auth_ccert I wonder if we still need lsec_ignore_purpose, Let's Encrypt seems to include both client and server purposes in certs.	5 years ago
Kim Alvefur	fb5e6faad6	core.certmanager: Add TODO about LuaSec issue	6 years ago
Kim Alvefur	1f33d9c6bb	core.portmanager: Fix TLS context inheritance for SNI hosts (completes SNI support)	6 years ago
Kim Alvefur	5bba716be9	core.certmanager: Lower severity for tls config not having cert This is needed for SNI where certificates are in separate per-hostname contexts, not the main one. If there is a cert, it will still require a corresponding key.	6 years ago
Kim Alvefur	f39535cfd0	core.certmanager: Remove unused import [luacheck]	6 years ago
Kim Alvefur	b16782257d	Remove COMPAT with temporary luasec fork The changes in the temporary fork were merged into mainline luasec ca 2013 and included in the 0.5 release in 2014.	6 years ago
Kim Alvefur	df3f84ce54	core.certmanager: Move EECDH ciphers before EDH in default cipherstring The original intent of having kEDH before kEECDH was that if a `dhparam` file was specified, this would be interpreted as a preference by the admin for old and well-tested Diffie-Hellman key agreement over newer elliptic curve ones. Otherwise the faster elliptic curve ciphersuites would be preferred. This didn't really work as intended since this affects the ClientHello on outgoing s2s connections, leading to some servers using poorly configured kEDH. With Debian shipping OpenSSL settings that enforce a higher security level, this caused interoperability problems with servers that use DH params smaller than 2048 bits. E.g. jabber.org at the time of this writing has 1024 bit DH params. MattJ says > Curves have won, and OpenSSL is less weird about them now	6 years ago
Kim Alvefur	400d3337aa	core.certmanager: Allow all non-whitespace in service name (fixes #1019 )	8 years ago
Kim Alvefur	b8915c9db4	certmanager: Check for missing certificate before key in configuration (should be marginally less confusing)	8 years ago
Kim Alvefur	0158bad7ad	certmanager: Set single curve conditioned on LuaSec advertising EC crypto support	8 years ago
Kim Alvefur	b9005e7b8a	certmanager: Filter out curves not supported by LuaSec	8 years ago
Kim Alvefur	0315d775b2	certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7	8 years ago
Kim Alvefur	e1a94acbb9	core.certmanager: Set a default curveslist [sic], fixes #879 , #943 , #951 if used along with luasec 0.7 and openssl 1.1	8 years ago
Kim Alvefur	296e430244	prosodyctl: cert import: Reuse function from certmanager for locating certificates and keys	8 years ago
Matthew Wild	2ae9801ba6	certmanager: Add debug logging (thanks av6)	8 years ago
Kim Alvefur	f65858dd27	certmanager: Update the 'certificates' option after the config has been reloaded (fixes #929 )	9 years ago
Kim Alvefur	43b814a83b	vairious: Add annotation when an empty environment is set [luacheck]	8 years ago
Kim Alvefur	269b993aee	core.certmanager: Translate "no start line" to something friendlier (thanks santiago)	9 years ago
Kim Alvefur	b421c1992e	core.certmanager: Split cipher list into array with comments explaining each part	9 years ago
Kim Alvefur	0e989e1401	certmanager: Assume default config path of '.' (fixes prosodyctl check certs when not installed)	10 years ago
Matthew Wild	71b31dde25	certmanager: Explicitly tonumber() version number segments before doing arithmetic and avoid relying on implicit coercion (thanks David Favro)	10 years ago
Matthew Wild	68d19b7be1	certmanager: Localize tonumber	10 years ago
Kim Alvefur	ef1ad262f7	certmanager: Try filename.key if certificate is set to a full filename ending with .crt	10 years ago
Kim Alvefur	439a62a853	certmanager: Apply global ssl config later so certificate/key is not overwritten by magic	10 years ago
Matthew Wild	e2b370c6bf	certmanager: Support new certificate configuration for non-XMPP services too (fixes #614 )	10 years ago
Kim Alvefur	c32b0e36d6	core.certmanager: Look for certificate and key in a few different places	10 years ago
Kim Alvefur	14d22d84e4	core.certmanager: Remove non-string filenames (allows setting eg capath to false to disable the built in default)	10 years ago
Kim Alvefur	27265c20e2	core.*: Remove use of module() function	11 years ago
Kim Alvefur	b7a38c8c93	certmanager: Fix compat for MattJs old LuaSec fork	11 years ago
Kim Alvefur	f715115939	certmanager: Fix previous commit	11 years ago
Kim Alvefur	664c92cdde	certmanager: Limit certificate chain depth to 9	11 years ago
Kim Alvefur	3581c71067	certmanager: Options that appear to be available since LuaSec 0.2	11 years ago
Kim Alvefur	bf57457852	certmanager: Improve "detection" of features that depend on LuaSec version	11 years ago
Kim Alvefur	fb96020a96	certmanager: Add locals for ssl.context and ssl.x509	11 years ago
Kim Alvefur	7565573fec	certmanager: Early return from the entire module if LuaSec is unavailable	11 years ago
Matthew Wild	186f9ee295	certmanager: Make global variable access explicit	11 years ago
Kim Alvefur	49ba0ce08d	certmanager, mod_tls: Return final ssl config as third return value (fix for c6caaa440e74, portmanager assumes non-falsy second return value is an error) (thanks deoren)	11 years ago

1 2 3

135 Commits (21eeadecc7c94a07ea1ebdb1666dd40fa2ea8a9d)