path: root/src/ejabberd_pkix.erl
Commit message [Author, Age, Files, Lines]
* Update copyright year to 2022 [Badlop, 2022-02-11, files: 1, lines: -1/+1]
* Update newest copyright year to 2021 (#3464) [Badlop, 2021-01-27, files: 1, lines: -1/+1]
* Fix most EDoc errors, even if that's not used nowadays apparently [Badlop, 2020-05-11, files: 1, lines: -1/+1]
* Update copyright to 2020 (#3149) [Badlop, 2020-01-28, files: 1, lines: -1/+1]
* Correctly handle unicode in log messages [Evgeny Khramtsov, 2019-09-23, files: 1, lines: -11/+11]
* Don't call to xmpp_idna [Evgeny Khramtsov, 2019-09-22, files: 1, lines: -3/+3]
* Use round/0 instead of ceil/0 [Evgeny Khramtsov, 2019-09-20, files: 1, lines: -8/+8]
    Because ceil/0 was introduced in OTP20.0 only
* Improve ACME implementation [Evgeny Khramtsov, 2019-09-20, files: 1, lines: -23/+87]
    Fixes #2487, fixes #2590, fixes #2638
* Use new configuration validator [Evgeny Khramtsov, 2019-06-14, files: 1, lines: -74/+32]
* Update copyright to 2019 (#2756) [Badlop, 2019-01-08, files: 1, lines: -1/+1]
* Fix bugs introduced by previous commit [Evgeny Khramtsov, 2018-09-28, files: 1, lines: -25/+27]
* Move certificates processing code to pkix application [Evgeny Khramtsov, 2018-09-27, files: 1, lines: -822/+290]
    ==== WARNING: MUST BE ADDED TO RELEASE NOTES =====
    The commit introduces the following incompatibility:
    - Option 'ca_path' is deprecated and has no effect anymore:
      option 'ca_file' should be used instead if needed.
    ==================================================
* Refactor ejabberd_listener [Evgeny Khramtsov, 2018-09-18, files: 1, lines: -1/+6]
* Fix some dialyzer warnings [Evgeny Khramtsov, 2018-09-09, files: 1, lines: -3/+3]
* Move XMPP stream and SASL processing to xmpp repo [Evgeniy Khramtsov, 2018-07-06, files: 1, lines: -1/+1]
* Work-around against public_key incompatibility introduced in OTP21 [Evgeniy Khramtsov, 2018-06-27, files: 1, lines: -51/+67]
    The commit that introduced the incompatibility is
    https://github.com/erlang/otp/commit/304dd8f81e28ed04cde9f6f7ac1f79870da1c2cd

    Thanks to Stu Tomlinson for spotting the issue.

    Fixes #2488
* Do not ignore a certificate containing no domain names [Evgeniy Khramtsov, 2018-06-27, files: 1, lines: -9/+16]
    Log a warning instead and assign it to an "empty" domain
* Don't replace valid certificates with invalid ones [Evgeniy Khramtsov, 2018-06-27, files: 1, lines: -37/+88]
    When building the certificates chains, if several certificates
    are found matching the same domain their validity is checked:
    * the invalid one is ignored and the valid one is picked
    * if both are valid or both are invalid, then the one with
      sooner expiration is ignored.

    Fixes #2454
* Clear fast_tls cache on configuration reload [Evgeniy Khramtsov, 2018-04-13, files: 1, lines: -0/+1]
* Get rid of 'fs' package dependency [Evgeniy Khramtsov, 2018-03-23, files: 1, lines: -52/+1]
    Certificates auto-reloading will be fixed later. For now to
    reload certificates call `reload-config` ejabberd command.
* Update copyright dates [Evgeniy Khramtsov, 2018-01-05, files: 1, lines: -1/+1]
* Repair hosts check during certfiles validation [Evgeniy Khramtsov, 2017-12-28, files: 1, lines: -3/+12]
* Return default certificate on domain mismatch [Evgeniy Khramtsov, 2017-12-28, files: 1, lines: -3/+17]
* Rely on Server Name Indication for incoming Direct-TLS connections [Evgeniy Khramtsov, 2017-12-24, files: 1, lines: -0/+1]
    This commit also deprecates `certfile` option for ejabberd_http
    listener.
* Log warning on empty wildcard paths [Evgeniy Khramtsov, 2017-12-08, files: 1, lines: -1/+14]
* Don't call pkix_is_self_signed/1 too frequently [Evgeniy Khramtsov, 2017-12-07, files: 1, lines: -11/+11]
* Eat less memory during building certificates graph [Evgeniy Khramtsov, 2017-12-07, files: 1, lines: -14/+19]
* Speedup certificate chains creation and validation [Evgeniy Khramtsov, 2017-12-07, files: 1, lines: -75/+164]
* Avoid infinite loop between self-signed certs [Evgeniy Khramtsov, 2017-12-07, files: 1, lines: -3/+8]
* Introduce option 'ca_file' [Evgeniy Khramtsov, 2017-11-26, files: 1, lines: -9/+54]
    The option is supposed to be used as a fallback for certificates
    validation. For instance, the option will be used if 's2s_cafile'
    option is not set. The value should be a path to a file containing
    CA certificate(s) in PEM format, e.g.:

    ca_file: "/etc/ssl/certs/ca-bundle.pem"
* Get rid of unused variable compile warning [Evgeniy Khramtsov, 2017-11-24, files: 1, lines: -1/+1]
* Fix function clause on filelib:wildcard/1 [Evgeniy Khramtsov, 2017-11-24, files: 1, lines: -3/+8]
* Move 'certfile' based options in a single place [Evgeniy Khramtsov, 2017-11-23, files: 1, lines: -1/+6]
* Re-read ACME certificates on config reload [Evgeniy Khramtsov, 2017-11-19, files: 1, lines: -9/+9]
* Make ACME code working with ejabberd_pkix [Evgeniy Khramtsov, 2017-11-17, files: 1, lines: -11/+13]
* Merge branch 'lets_encrypt_acme_support' of git://github.com/angelhof/ejabberd into angelhof-lets_encrypt_acme_support [Evgeniy Khramtsov, 2017-11-15, files: 1, lines: -1/+8]
|\
    Conflicts:
        rebar.config
        src/ejabberd_pkix.erl
| * Add acme certificates for all configured hosts in ejabberd_pkix [Konstantinos Kallas, 2017-08-19, files: 1, lines: -9/+18]
* | Erase transient certificates on exit [Evgeniy Khramtsov, 2017-11-07, files: 1, lines: -1/+2]
* | Fix pkix:validate() return value [Paweł Chmielowski, 2017-11-02, files: 1, lines: -1/+1]
* | Remove -include() directive for unused header [Evgeniy Khramtsov, 2017-11-01, files: 1, lines: -1/+0]
* | Clarify some error/warning messages [Evgeniy Khramtsov, 2017-11-01, files: 1, lines: -2/+9]
* | Avoid using "bag" ETS type for certificate storage [Evgeniy Khramtsov, 2017-11-01, files: 1, lines: -1/+1]
* | Start even if there are problems with fs application [Evgeniy Khramtsov, 2017-11-01, files: 1, lines: -6/+21]
* | Lower log level [Evgeniy Khramtsov, 2017-11-01, files: 1, lines: -2/+2]
* | Introduce 'certfiles' global option [Evgeniy Khramtsov, 2017-11-01, files: 1, lines: -101/+260]
|/
    The option is supposed to replace existing options 'c2s_certfile',
    's2s_certfile' and 'domain_certfile'. The option accepts a list
    of file paths (optionally with wildcards "*") containing either
    PEM certificates or PEM private keys. At startup, ejabberd sorts
    the certificates, finds matching private keys and rebuilds full
    certificates chains which can be used by fast_tls.

    Example:

    certfiles:
      - "/etc/letsencrypt/live/example.org/*.pem"
      - "/etc/letsencrypt/live/example.com/*.pem"
* Validate all certfiles on startup [Evgeniy Khramtsov, 2017-05-23, files: 1, lines: -10/+21]
* Shut up dialyzer/xref if public_key:short_name_hash/1 is not available [Evgeniy Khramtsov, 2017-05-13, files: 1, lines: -1/+9]
* Only validate certfiles if public_key:short_name_hash/1 is available [Evgeniy Khramtsov, 2017-05-12, files: 1, lines: -1/+4]
* Introduce Certificate Manager [Evgeniy Khramtsov, 2017-05-12, files: 1, lines: -0/+513]
    The major goal is to simplify certificate management in ejabberd.
    Currently it requires some effort from a user to configure
    certificates, especially in the situation where a lot of virtual
    domains are hosted.

    The task is split in several sub-tasks:
    * Implement basic certificate validator. The validator should check
      all configured certificates for existence, validity, duration and
      so on. The validator should not perform any actions in the case of
      errors except logging an error message. This is actually
      implemented by this commit.
    * All certificates should be configured inside a single section
      (something like 'certfiles') where ejabberd should parse them,
      check the full-chain, find the corresponding private keys and, if
      needed, resort chains and split the certificates into separate
      files for easy use by fast_tls.
    * Options like 'domain_certfile', 'c2s_certfile' or 's2s_certfile'
      should probably be deprecated, since the process of matching
      certificates with the corresponding virtual hosts should be done
      automatically and these options only introduce configuration
      errors without any meaningful purpose.