4 local ssl_newcontext = ssl and ssl.newcontext; |
4 local ssl_newcontext = ssl and ssl.newcontext; |
5 |
5 |
6 local setmetatable, tostring = setmetatable, tostring; |
6 local setmetatable, tostring = setmetatable, tostring; |
7 |
7 |
8 local prosody = prosody; |
8 local prosody = prosody; |
|
9 local resolve_path = prosody.resolve_relative_path; |
9 |
10 |
10 module "certmanager" |
11 module "certmanager" |
11 |
|
12 -- These are the defaults if not overridden in the config |
|
13 local default_ssl_ctx = { mode = "client", protocol = "sslv23", capath = "/etc/ssl/certs", verify = "none", options = "no_sslv2"; }; |
|
14 local default_ssl_ctx_in = { mode = "server", protocol = "sslv23", capath = "/etc/ssl/certs", verify = "none", options = "no_sslv2"; }; |
|
15 |
|
16 local default_ssl_ctx_mt = { __index = default_ssl_ctx }; |
|
17 local default_ssl_ctx_in_mt = { __index = default_ssl_ctx_in }; |
|
18 |
12 |
19 -- Global SSL options if not overridden per-host |
13 -- Global SSL options if not overridden per-host |
20 local default_ssl_config = configmanager.get("*", "core", "ssl"); |
14 local default_ssl_config = configmanager.get("*", "core", "ssl"); |
21 |
15 |
22 function create_context(host, mode, config) |
16 function create_context(host, mode, config) |
23 local ssl_config = config and config.core.ssl or default_ssl_config; |
17 if not ssl then return nil; end |
24 if ssl and ssl_config then |
18 |
25 local ctx, err = ssl_newcontext(setmetatable(ssl_config, mode == "client" and default_ssl_ctx_mt or default_ssl_ctx_in_mt)); |
19 local user_ssl_config = config and config.core.ssl or default_ssl_config; |
26 if not ctx then |
20 |
27 err = err or "invalid ssl config" |
21 local ssl_config = { |
28 local file = err:match("^error loading (.-) %("); |
22 mode = mode; |
29 if file then |
23 protocol = user_ssl_config.protocol or "sslv23"; |
30 if file == "private key" then |
24 key = resolve_path(user_ssl_config.key); |
31 file = ssl_config.key or "your private key"; |
25 password = user_ssl_config.password; |
32 elseif file == "certificate" then |
26 certificate = resolve_path(user_ssl_config.certificate); |
33 file = ssl_config.certificate or "your certificate file"; |
27 capath = resolve_path(user_ssl_config.capath or default_capath); |
34 end |
28 cafile = resolve_path(user_ssl_config.cafile); |
35 local reason = err:match("%((.+)%)$") or "some reason"; |
29 verify = user_ssl_config.verify or "none"; |
36 if reason == "Permission denied" then |
30 options = user_ssl_config.options or "no_sslv2"; |
37 reason = "Check that the permissions allow Prosody to read this file."; |
31 ciphers = user_ssl_config.ciphers; |
38 elseif reason == "No such file or directory" then |
32 depth = user_ssl_config.depth; |
39 reason = "Check that the path is correct, and the file exists."; |
33 }; |
40 elseif reason == "system lib" then |
34 |
41 reason = "Previous error (see logs), or other system error."; |
35 log("warn", "keyfile: %q", ssl_config.key); |
42 elseif reason == "(null)" or not reason then |
36 |
43 reason = "Check that the file exists and the permissions are correct"; |
37 local ctx, err = ssl_newcontext(ssl_config); |
44 else |
38 if not ctx then |
45 reason = "Reason: "..tostring(reason):lower(); |
39 err = err or "invalid ssl config" |
46 end |
40 local file = err:match("^error loading (.-) %("); |
47 log("error", "SSL/TLS: Failed to load %s: %s", file, reason); |
41 if file then |
|
42 if file == "private key" then |
|
43 file = ssl_config.key or "your private key"; |
|
44 elseif file == "certificate" then |
|
45 file = ssl_config.certificate or "your certificate file"; |
|
46 end |
|
47 local reason = err:match("%((.+)%)$") or "some reason"; |
|
48 if reason == "Permission denied" then |
|
49 reason = "Check that the permissions allow Prosody to read this file."; |
|
50 elseif reason == "No such file or directory" then |
|
51 reason = "Check that the path is correct, and the file exists."; |
|
52 elseif reason == "system lib" then |
|
53 reason = "Previous error (see logs), or other system error."; |
|
54 elseif reason == "(null)" or not reason then |
|
55 reason = "Check that the file exists and the permissions are correct"; |
48 else |
56 else |
49 log("error", "SSL/TLS: Error initialising for host %s: %s", host, err ); |
57 reason = "Reason: "..tostring(reason):lower(); |
50 end |
58 end |
51 ssl = false |
59 log("error", "SSL/TLS: Failed to load %s: %s", file, reason); |
52 end |
60 else |
53 return ctx, err; |
61 log("error", "SSL/TLS: Error initialising for host %s: %s", host, err ); |
54 end |
62 end |
55 return nil; |
63 ssl = false |
|
64 end |
|
65 return ctx, err; |
56 end |
66 end |
57 |
67 |
58 function reload_ssl_config() |
68 function reload_ssl_config() |
59 default_ssl_config = configmanager.get("*", "core", "ssl"); |
69 default_ssl_config = configmanager.get("*", "core", "ssl"); |
60 end |
70 end |