prosody

Commit Graph

Author	SHA1	Message	Date
Kim Alvefur	73d1bb1218	various: Require encryption by default for real These options have been specified (and enabled) in the default config file for a long time. However if unspecified in the config, they were not enabled. Now they are. This may result in a change of behaviour for people using very old config files that lack the require_encryption options. But that's what we want.	4 years ago
Kim Alvefur	91d95d4c33	plugins: Use boolean config method in some places Because it makes sense and improves feedback via logging	2 years ago
Kim Alvefur	0d5af426ca	mod_tls: Drop request for client certificates on outgoing connections It is the other end who should request client certificates for these connections, we only need to send ours. Hopefully this was treated as a noop, so probably no harm in keeping it. But hey, spring cleaning? :)	3 years ago
Kim Alvefur	98922d54b1	plugins: Prefix module imports with prosody namespace	3 years ago
Kim Alvefur	a2f8218a63	mod_tls: Record STARTTLS state so it can be shown in Shell This field can be viewed using s2s:show(nil, "... starttls") even without any special support in mod_admin_shell, which can be added later to make it nicer. One can then assume that a TLS connection with an empty / nil starttls field means Direct TLS.	3 years ago
Jonas Schäfer	84d748f94d	mod_tls: pass target hostname to starttls In case the network backend needs it for outgoing SNI or something.	4 years ago
Jonas Schäfer	87d3cb2f33	mod_tls: tell network backend to stop reading while preparing TLS	4 years ago
Jonas Schäfer	85abab1dfd	mod_tls: Do not offer TLS if the connection is considered secure This may be necessary if the session.conn object is not exchanged by the network backend when establishing TLS. In that case, the starttls method will always exist and thus that is not a good indicator for offering TLS. However, the secure bit already tells us that TLS has been established or is not to be established on the connection, so we use that instead.	4 years ago
Kim Alvefur	7c18043404	mod_tls: Log when certificates are (re)loaded Meant to reduce user confusion over what's reloaded and not.	6 years ago
Kim Alvefur	c0be43a098	mod_tls: Set ALPN on outgoing connections Relevant and sometimes needed for Direct TLS which mod_s2s uses this context for. Primarily when e.g. mod_net_multiplex or equivalent ALPN based dispatch is used. All these contexts should likely move away from mod_tls and into either mod_s2s or portmanager. The later already duplicates some of this work.	4 years ago
Kim Alvefur	90215f635b	mod_s2s: Retrieve TLS context for outgoing Direct TLS connections from mod_tls So that the same TLS context is used for both Direct TLS and starttls, since they are supposed to be functionally identical apart from the few extra round trips. A new event is added because the 's2s-created' event fires much later, after a connection has already been established, where we need the TLS context before that.	4 years ago
Kim Alvefur	e3c0a877bf	mod_tls: Attempt STARTTLS on outgoing unencrypted legacy s2s connections As suggested by RFC 7590	4 years ago
Kim Alvefur	c506269ff5	Fix various spelling errors (thanks codespell) Also special thanks to timeless, for wordlessly reminding me to check for typos.	4 years ago
Kim Alvefur	d7b7a25e73	mod_tls: Add "support" for <failure> by closing gracefully Nicer than the "unsupported stanza type" error we get otherwise.	5 years ago
Kim Alvefur	02cead40db	mod_tls: Fix order of debug messages and tls context creation Originally added in 5b048ccd106f Merged wrong in ca01c449357f	5 years ago
Kim Alvefur	03a1ac4f69	mod_tls: Bail out if session got destroyed while sending <proceed/> Can happen in case opportunistic_writes is enabled and the session got destroyed while writing that tag. Thanks Ge0rG	5 years ago
Kim Alvefur	da0482b226	mod_tls: Ignore lack of STARTTLS offer only when s2s_require_encryption set	5 years ago
Kim Alvefur	eb9e818e43	mod_tls: Attempt STARTTLS even if not advertised as per RFC 7590	5 years ago
Kim Alvefur	86ed7cd44e	mod_tls: Log debug message for each kind of TLS context created Creating TLS contexts triggers a lot of messages from certmanager that don't really describe their purpose. This is meant to provide hints about that.	7 years ago
Kim Alvefur	f0abacc215	mod_tls: Rebuild SSL context objects on configuration reload - #701	9 years ago
Kim Alvefur	b1b108de84	mod_tls: Switch to hook_tag from hook_stanza which was renamed in 2087d42f1e77	9 years ago
Kim Alvefur	3405d89baa	mod_tls: Suppress debug message if already using encryption	9 years ago
Kim Alvefur	a193e1d9f4	mod_tls: Log reasons for not being able to do TLS	9 years ago
Kim Alvefur	c8b213ff4f	mod_tls: Check that connection has starttls method first to prevent offering starttls over tls (thanks Remko and Tobias)	9 years ago
Kim Alvefur	c7da30f634	mod_tls: Return session.ssl_ctx if not nil, like when doing the full session type check	9 years ago
Kim Alvefur	3258500edb	mod_tls: Add debug logging for when TLS should be doable but no ssl context was set	9 years ago
Kim Alvefur	272e5d06b4	mod_tls: Verify that TLS is available before proceeding	9 years ago
Kim Alvefur	a7a8fa91e3	mod_tls: Only accept <proceed> on outgoing s2s connections	9 years ago
Kim Alvefur	1a12e55904	mod_tls: Ignore unused argument [luacheck]	9 years ago
Kim Alvefur	57fe905a8c	mod_tls: Fix ssl option fallback to a "parent" host if current host does not have ssl options set (thanks 70b1)	10 years ago
Kim Alvefur	edc8079032	mod_tls: Remove unused reference to global ssl config option (certmanager adds that to the context)	10 years ago
Kim Alvefur	7b18c25101	mod_tls: Fix inhertinance of 'ssl' option from "parent" host to subdomain (fixes #511 )	10 years ago
Kim Alvefur	72dde1c231	mod_tls: Treat session.ssl_ctx being false as a signal that TLS is disabled	11 years ago
Kim Alvefur	3f9b683457	mod_tls: Build <starttls/> as a stanza instead of with string concatenation	11 years ago
Kim Alvefur	49ba0ce08d	certmanager, mod_tls: Return final ssl config as third return value (fix for c6caaa440e74, portmanager assumes non-falsy second return value is an error) (thanks deoren)	11 years ago
Kim Alvefur	184d6ce60b	mod_tls: Keep ssl config around and attach them to sessions	11 years ago
Kim Alvefur	ac43c71ec2	mod_legacyauth, mod_saslauth, mod_tls: Pass require_encryption as default option to s2s_require_encryption so the later overrides the former	11 years ago
Kim Alvefur	8003a40b0a	mod_lastactivity, mod_legacyauth, mod_presence, mod_saslauth, mod_tls: Use the newer stanza:get_child APIs and optimize away some table lookups	12 years ago
Kim Alvefur	4e88341951	mod_tls: Simplify and use new ssl config merging in certmanager	12 years ago
Matthew Wild	342de92462	mod_tls: Log error when TLS initialization fails	12 years ago
Florian Zeitz	1d833bb807	Remove all trailing whitespace	13 years ago
Kim Alvefur	7c51e9ec71	mod_tls: Remove debug statement	13 years ago
Kim Alvefur	410ab5d97b	mod_tls: Let s2s_secure_auth override s2s_require_encryption and warn if they differ	12 years ago
Kim Alvefur	573c5bea61	mod_tls: Rename variables to be less confusing	12 years ago
Kim Alvefur	3786afa97f	mod_tls: Refactor to allow separate SSL configuration for c2s and s2s connections	13 years ago
Kim Alvefur	16c7c4e78d	mod_tls: More use of config sections removed	13 years ago
Kim Alvefur	27dc3a5b9a	mod_announce, mod_auth_anonymous, mod_c2s, mod_c2s, mod_component, mod_iq, mod_message, mod_presence, mod_tls: Access prosody.{hosts,bare_sessions,full_sessions} instead of the old globals	13 years ago
Kim Alvefur	b246b00f85	mod_tls: Restore querying for certificates on s2s The 'ssl_config' setting in the mod_s2s network service is not used. Only direct TLS ports use this currently.	7 years ago
Kim Alvefur	e6b7c91ebc	mod_tls: Keep TLS context errors and repeat them again for each session	7 years ago
Matthew Wild	32d3713a7a	mod_tls: Fix log statement (thanks Zash)	14 years ago

1 2 3

120 Commits (780b392d25ff067015f561fcb152bc01ac3ea650)