authorEvgeniy Khramtsov <ekhramtsov@process-one.net>2017-11-01 00:20:27 +0300
committerEvgeniy Khramtsov <ekhramtsov@process-one.net>2017-11-01 00:20:27 +0300
commit35b7203e01aefbdfe4ea7804ebe20a8667466628 (patch)
treee3686b1a359645460b503f632ad477fd27ae67fd /src/ejabberd_c2s.erl
parentFix sql query (diff)
Introduce 'certfiles' global option
The option is supposed to replace the existing options 'c2s_certfile', 's2s_certfile' and 'domain_certfile'. The option accepts a list of file paths (optionally with wildcards "*") containing either PEM certificates or PEM private keys. At startup, ejabberd sorts the certificates, finds the matching private keys and rebuilds full certificate chains which can be used by fast_tls. Example: certfiles: - "/etc/letsencrypt/live/example.org/*.pem" - "/etc/letsencrypt/live/example.com/*.pem"
Diffstat (limited to 'src/ejabberd_c2s.erl')
-rw-r--r--src/ejabberd_c2s.erl22
1 files changed, 17 insertions, 5 deletions
diff --git a/src/ejabberd_c2s.erl b/src/ejabberd_c2s.erl
index c5af2e03..d8b89f6a 100644
--- a/src/ejabberd_c2s.erl
+++ b/src/ejabberd_c2s.erl
@@ -302,10 +302,7 @@ tls_options(#{lserver := LServer, tls_options := DefaultOpts,
TLSOpts1 = case {Encrypted, proplists:get_value(certfile, DefaultOpts)} of
{true, CertFile} when CertFile /= undefined -> DefaultOpts;
{_, _} ->
- case ejabberd_config:get_option(
- {domain_certfile, LServer},
- ejabberd_config:get_option(
- {c2s_certfile, LServer})) of
+ case get_certfile(LServer) of
undefined -> DefaultOpts;
CertFile -> lists:keystore(certfile, 1, DefaultOpts,
{certfile, CertFile})
@@ -928,6 +925,17 @@ format_reason(_, {shutdown, _}) ->
format_reason(_, _) ->
<<"internal server error">>.
+-spec get_certfile(binary()) -> file:filename_all().
+get_certfile(LServer) ->
+ case ejabberd_pkix:get_certfile(LServer) of
+ {ok, CertFile} ->
+ CertFile;
+ error ->
+ ejabberd_config:get_option(
+ {domain_certfile, LServer},
+ ejabberd_config:get_option({c2s_certfile, LServer}))
+ end.
+
transform_listen_option(Opt, Opts) ->
[Opt|Opts].
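Review bot: The spec `-spec get_certfile(binary()) -> file:filename_all().` does not cover the `error` branch, where `ejabberd_config:get_option/2` is returned unchanged and can yield `undefined` — the caller in tls_options matches exactly that value (`undefined -> DefaultOpts`). Dialyzer will either complain about the caller's unreachable clause or miss a real mismatch; it should read `-spec get_certfile(binary()) -> file:filename_all() | undefined.`. It would also help to add a one-line comment above the function stating the lookup order it implements: the certificate resolved by ejabberd_pkix for LServer wins, and only when pkix has none do the deprecated 'domain_certfile' and then 'c2s_certfile' options apply — so an operator who sets both 'certfiles' and 'domain_certfile' for the same host gets the pkix one, which is worth making explicit since the fallback is silent.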
@@ -941,7 +949,11 @@ transform_listen_option(Opt, Opts) ->
(resource_conflict) -> fun((resource_conflict()) -> resource_conflict());
(disable_sasl_mechanisms) -> fun((binary() | [binary()]) -> [binary()]);
(atom()) -> [atom()].
-opt_type(c2s_certfile) -> fun misc:try_read_file/1;
+opt_type(c2s_certfile = Opt) ->
+ fun(File) ->
+ ?WARNING_MSG("option '~s' is deprecated, use 'certfiles' instead", [Opt]),
+ misc:try_read_file(File)
+ end;
opt_type(c2s_ciphers) -> fun iolist_to_binary/1;
opt_type(c2s_dhfile) -> fun misc:try_read_file/1;
opt_type(c2s_cafile) -> fun misc:try_read_file/1;
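Review bot: The deprecation warning is emitted from inside the validator fun, so it is presumably logged every time the option is validated (each config load or reload) rather than once, and only for deployments that still set 'c2s_certfile'; if that repetition is intended it deserves a short comment, e.g. `%% logged on every validation of the option, by design`. As a point of style, binding `Opt` in the head only to format it back into the message is unnecessary since the clause already fixes the value: `?WARNING_MSG("option 'c2s_certfile' is deprecated, use 'certfiles' instead", [])`. Since get_certfile still honours 'c2s_certfile' as a fallback, the message could also say the option is still read so operators do not assume it has been ignored.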