Mercurial > lxmppd-hg-xmllex / annotate
core/certmanager.lua@3976bad56640 (annotated)
core/certmanager.lua
Fri, 23 Jul 2010 09:17:11 +0100
- author
- Matthew Wild <mwild1@gmail.com>
- date
- Fri, 23 Jul 2010 09:17:11 +0100
- changeset 3399
- 3976bad56640
- parent 2738
- 7339c2720b39
- child 3400
- 502a634f0578
- permissions
- -rw-r--r--
certmanager: Don't disable LuaSec and future cert loading on failure, and add error messages to the no LuaSec/config cases (thanks Jakob)
|
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
1 | local configmanager = require "core.configmanager"; |
|
2630
e8fc67b73820
certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
2 | local log = require "util.logger".init("certmanager"); |
|
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
3 | local ssl = ssl; |
|
2564
6b4fe320a6ea
certmanager: Fix traceback with no LuaSec
Matthew Wild <mwild1@gmail.com>
parents:
2563
diff
changeset
|
4 | local ssl_newcontext = ssl and ssl.newcontext; |
|
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
5 | |
|
2737
e253dd4714d5
certmanager: Fix nil global access (thanks Marc)
Matthew Wild <mwild1@gmail.com>
parents:
2733
diff
changeset
|
6 | local setmetatable, tostring = setmetatable, tostring; |
|
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
7 | |
|
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
8 | local prosody = prosody; |
|
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
9 | |
|
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
10 | module "certmanager" |
|
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
11 | |
|
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
12 | -- These are the defaults if not overridden in the config |
|
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
13 | local default_ssl_ctx = { mode = "client", protocol = "sslv23", capath = "/etc/ssl/certs", verify = "none", options = "no_sslv2"; }; |
|
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
14 | local default_ssl_ctx_in = { mode = "server", protocol = "sslv23", capath = "/etc/ssl/certs", verify = "none", options = "no_sslv2"; }; |
|
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
15 | |
|
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
16 | local default_ssl_ctx_mt = { __index = default_ssl_ctx }; |
|
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
17 | local default_ssl_ctx_in_mt = { __index = default_ssl_ctx_in }; |
|
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
18 | |
|
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
19 | -- Global SSL options if not overridden per-host |
|
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
20 | local default_ssl_config = configmanager.get("*", "core", "ssl"); |
|
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
21 | |
|
2628
04958fb28c44
certmanager, hostmanager: Rename get_context() to create_context() to be more explicit about what it does
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
22 | function create_context(host, mode, config) |
|
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
23 | local ssl_config = config and config.core.ssl or default_ssl_config; |
|
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
24 | if ssl and ssl_config then |
|
2630
e8fc67b73820
certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
25 | local ctx, err = ssl_newcontext(setmetatable(ssl_config, mode == "client" and default_ssl_ctx_mt or default_ssl_ctx_in_mt)); |
|
e8fc67b73820
certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
26 | if not ctx then |
|
e8fc67b73820
certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
27 | err = err or "invalid ssl config" |
|
e8fc67b73820
certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
28 | local file = err:match("^error loading (.-) %("); |
|
e8fc67b73820
certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
29 | if file then |
|
e8fc67b73820
certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
30 | if file == "private key" then |
|
e8fc67b73820
certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
31 | file = ssl_config.key or "your private key"; |
|
e8fc67b73820
certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
32 | elseif file == "certificate" then |
|
e8fc67b73820
certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
33 | file = ssl_config.certificate or "your certificate file"; |
|
e8fc67b73820
certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
34 | end |
|
e8fc67b73820
certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
35 | local reason = err:match("%((.+)%)$") or "some reason"; |
|
e8fc67b73820
certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
36 | if reason == "Permission denied" then |
|
e8fc67b73820
certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
37 | reason = "Check that the permissions allow Prosody to read this file."; |
|
e8fc67b73820
certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
38 | elseif reason == "No such file or directory" then |
|
e8fc67b73820
certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
39 | reason = "Check that the path is correct, and the file exists."; |
|
e8fc67b73820
certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
40 | elseif reason == "system lib" then |
|
e8fc67b73820
certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
41 | reason = "Previous error (see logs), or other system error."; |
|
2738
7339c2720b39
certmanager: Friendlier error reporting on OpenWRT and other cases where we don't understand the OpenSSL error
Matthew Wild <mwild1@gmail.com>
parents:
2737
diff
changeset
|
42 | elseif reason == "(null)" or not reason then |
|
7339c2720b39
certmanager: Friendlier error reporting on OpenWRT and other cases where we don't understand the OpenSSL error
Matthew Wild <mwild1@gmail.com>
parents:
2737
diff
changeset
|
43 | reason = "Check that the file exists and the permissions are correct"; |
|
2630
e8fc67b73820
certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
44 | else |
|
2738
7339c2720b39
certmanager: Friendlier error reporting on OpenWRT and other cases where we don't understand the OpenSSL error
Matthew Wild <mwild1@gmail.com>
parents:
2737
diff
changeset
|
45 | reason = "Reason: "..tostring(reason):lower(); |
|
2630
e8fc67b73820
certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
46 | end |
|
e8fc67b73820
certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
47 | log("error", "SSL/TLS: Failed to load %s: %s", file, reason); |
|
e8fc67b73820
certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
48 | else |
|
e8fc67b73820
certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
49 | log("error", "SSL/TLS: Error initialising for host %s: %s", host, err ); |
|
e8fc67b73820
certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
50 | end |
|
e8fc67b73820
certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
51 | end |
|
e8fc67b73820
certmanager: Bring back the friendly errors when failing to load the key/certificate file
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
52 | return ctx, err; |
|
3399
3976bad56640
certmanager: Don't disable LuaSec and future cert loading on failure, and add error messages to the no LuaSec/config cases (thanks Jakob)
Matthew Wild <mwild1@gmail.com>
parents:
2738
diff
changeset
|
53 | elseif not ssl then |
|
3976bad56640
certmanager: Don't disable LuaSec and future cert loading on failure, and add error messages to the no LuaSec/config cases (thanks Jakob)
Matthew Wild <mwild1@gmail.com>
parents:
2738
diff
changeset
|
54 | return nil, "LuaSec (required for encryption) was not found"; |
|
2563
1ede33f50ab4
certmanager: Tabs not spaces!
Matthew Wild <mwild1@gmail.com>
parents:
2554
diff
changeset
|
55 | end |
|
3399
3976bad56640
certmanager: Don't disable LuaSec and future cert loading on failure, and add error messages to the no LuaSec/config cases (thanks Jakob)
Matthew Wild <mwild1@gmail.com>
parents:
2738
diff
changeset
|
56 | return nil, "No SSL/TLS configuration present for "..host; |
|
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
57 | end |
|
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
58 | |
|
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
59 | function reload_ssl_config() |
|
2733
65ad0fdb17ba
certmanager: Fix global access
Matthew Wild <mwild1@gmail.com>
parents:
2631
diff
changeset
|
60 | default_ssl_config = configmanager.get("*", "core", "ssl"); |
|
2554
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
61 | end |
|
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
62 | |
|
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
63 | prosody.events.add_handler("config-reloaded", reload_ssl_config); |
|
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
64 | |
|
b877533d4ec9
certmanager: Hello world, I'm come to manage your SSL contexts
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
65 | return _M; |
