Kim Alvefur
385f99cce1
core.certmanager: Look for privkey.pem to go with fullchain.pem (fix #1526)
This makes
`prosodyctl cert import example.com /path/to/example.com/fullchain.pem`
work. This was never intended to, yet users commonly tried this and got
problems.
6 years ago
Kim Alvefur
b1338d27ac
core.portmanager: Fix TLS context inheritance for SNI hosts (completes SNI support)
7 years ago
Kim Alvefur
371bc77203
core.certmanager: Move EECDH ciphers before EDH in default cipherstring (fixes #1513)
Backport of 94e341dee51c
The original intent of having kEDH before kEECDH was that if a `dhparam`
file was specified, this would be interpreted as a preference by the
admin for old and well-tested Diffie-Hellman key agreement over newer
elliptic curve ones. Otherwise the faster elliptic curve ciphersuites
would be preferred. This didn't really work as intended since this
affects the ClientHello on outgoing s2s connections, leading to some
servers using poorly configured kEDH.
With Debian shipping OpenSSL settings that enforce a higher security
level, this caused interoperability problems with servers that use DH
params smaller than 2048 bits. E.g. jabber.org at the time of this
writing has 1024 bit DH params.
MattJ says
> Curves have won, and OpenSSL is less weird about them now
7 years ago
Kim Alvefur
4e4e344d73
core.certmanager: Lower severity for tls config not having cert
This is needed for SNI where certificates are in separate
per-hostname contexts, not the main one.
If there is a cert, it will still require a corresponding key.
7 years ago
Kim Alvefur
60733a4006
core.certmanager: Remove unused import [luacheck]
7 years ago
Kim Alvefur
47625cfc95
Remove COMPAT with temporary luasec fork
The changes in the temporary fork were merged into mainline luasec ca
2013 and included in the 0.5 release in 2014.
7 years ago
Kim Alvefur
7cd3955aa0
core.certmanager: Move EECDH ciphers before EDH in default cipherstring
The original intent of having kEDH before kEECDH was that if a `dhparam`
file was specified, this would be interpreted as a preference by the
admin for old and well-tested Diffie-Hellman key agreement over newer
elliptic curve ones. Otherwise the faster elliptic curve ciphersuites
would be preferred. This didn't really work as intended since this
affects the ClientHello on outgoing s2s connections, leading to some
servers using poorly configured kEDH.
With Debian shipping OpenSSL settings that enforce a higher security
level, this caused interoperability problems with servers that use DH
params smaller than 2048 bits. E.g. jabber.org at the time of this
writing has 1024 bit DH params.
MattJ says
> Curves have won, and OpenSSL is less weird about them now
7 years ago
Kim Alvefur
5b0c75379e
core.certmanager: Allow all non-whitespace in service name (fixes #1019)
8 years ago
Kim Alvefur
fe36378134
certmanager: Check for missing certificate before key in configuration (should be marginally less confusing)
9 years ago
Kim Alvefur
9690a86204
certmanager: Set single curve conditioned on LuaSec advertising EC crypto support
9 years ago
Kim Alvefur
aa6ed63bd8
certmanager: Filter out curves not supported by LuaSec
9 years ago
Kim Alvefur
30ba266c2c
certmanager: Change table representing LuaSec capabilities to match capabilities table exposed in LuaSec 0.7
9 years ago
Kim Alvefur
0e2e10c17d
core.certmanager: Set a default curveslist [sic], fixes #879, #943, #951 if used along with luasec 0.7 and openssl 1.1
9 years ago
Kim Alvefur
dc6396df0d
prosodyctl: cert import: Reuse function from certmanager for locating certificates and keys
9 years ago
Matthew Wild
415a8b2e9e
certmanager: Add debug logging (thanks av6)
9 years ago
Kim Alvefur
bdab24d3dc
certmanager: Update the 'certificates' option after the config has been reloaded (fixes #929)
9 years ago
Kim Alvefur
146acdbd33
various: Add annotation when an empty environment is set [luacheck]
8 years ago
Kim Alvefur
710d550957
core.certmanager: Translate "no start line" to something friendlier (thanks santiago)
10 years ago
Kim Alvefur
d854c36fc5
core.certmanager: Split cipher list into array with comments explaining each part
10 years ago
Kim Alvefur
c4d9a997e5
certmanager: Assume default config path of '.' (fixes prosodyctl check certs when not installed)
10 years ago
Matthew Wild
b246855e0a
certmanager: Explicitly tonumber() version number segments before doing arithmetic and avoid relying on implicit coercion (thanks David Favro)
10 years ago
Matthew Wild
e169a3f1c5
certmanager: Localize tonumber
10 years ago
Kim Alvefur
e70cd52ed9
certmanager: Try filename.key if certificate is set to a full filename ending with .crt
10 years ago
Kim Alvefur
c607c09f92
certmanager: Apply global ssl config later so certificate/key is not overwritten by magic
10 years ago
Matthew Wild
7a87ef0b67
certmanager: Support new certificate configuration for non-XMPP services too (fixes #614)
10 years ago
Kim Alvefur
e1fc04ae01
core.certmanager: Look for certificate and key in a few different places
10 years ago
Kim Alvefur
e0c0cf5743
core.certmanager: Remove non-string filenames (allows setting eg capath to false to disable the built in default)
11 years ago
Kim Alvefur
075278ff98
core.*: Remove use of module() function
11 years ago
Kim Alvefur
7c0ead1c91
certmanager: Fix compat for MattJ's old LuaSec fork
11 years ago
Kim Alvefur
4468490bb4
certmanager: Fix previous commit
11 years ago
Kim Alvefur
4e762a6e4d
certmanager: Limit certificate chain depth to 9
11 years ago
Kim Alvefur
74f99c6bde
certmanager: Options that appear to be available since LuaSec 0.2
11 years ago
Kim Alvefur
18250d87df
certmanager: Improve "detection" of features that depend on LuaSec version
11 years ago
Kim Alvefur
ee6f6501bd
certmanager: Add locals for ssl.context and ssl.x509
11 years ago
Kim Alvefur
2b494c1a1c
certmanager: Early return from the entire module if LuaSec is unavailable
11 years ago
Matthew Wild
057e6a9cab
certmanager: Make global variable access explicit
12 years ago
Kim Alvefur
a5fc6e29d9
certmanager, mod_tls: Return final ssl config as third return value (fix for c6caaa440e74, portmanager assumes non-falsy second return value is an error) (thanks deoren)
12 years ago
Kim Alvefur
9dc76115b1
certmanager: Return final ssl config along with ssl context on success
12 years ago
Matthew Wild
c5d0345453
certmanager, net.http: Disable SSLv3 by default
12 years ago
Kim Alvefur
4dbcfd32b3
core.certmanager: Make create_context() support an arbitrary number of option sets, merging all
12 years ago
Kim Alvefur
851f3018e7
core.certmanager: Use util.sslconfig
12 years ago
Kim Alvefur
e31991a773
core.certmanager, core.moduleapi, mod_storage_sql, mod_storage_sql2: Import from util.paths
12 years ago
Kim Alvefur
3674d93277
certmanager: Move ssl.protocol handling to after ssl.options is a table (thanks Ralph)
12 years ago
Kim Alvefur
84ab9b7805
certmanager: Fix traceback if no global 'ssl' section set (thanks albert)
12 years ago
Kim Alvefur
c8e173e9c9
certmanager: Update ssl_compression when config is reloaded
12 years ago
Kim Alvefur
0f3d96bb85
certmanager: Reformat core ssl defaults
12 years ago
Kim Alvefur
7229a760a4
certmanager: Support ssl.protocol syntax like "tlsv1+" that disables older protocols
12 years ago
Kim Alvefur
01c2957f02
certmanager: Merge ssl.options, verify etc from core defaults and global ssl settings with inheritance while allowing options to be disabled per virtualhost
12 years ago
Kim Alvefur
ff3d811e6a
certmanager: Wrap long line and add comment
12 years ago
Kim Alvefur
6031d2cdfa
certmanager: Concatenate cipher list if given as a table
12 years ago