Commit message | Author | Age | Files | Lines | |
---|---|---|---|---|---|
* | Update copyright year to 2022 | Badlop | 2022-02-11 | 1 | -1/+1 |
* | Update newest copyright year to 2021 (#3464) | Badlop | 2021-01-27 | 1 | -1/+1 |
* | Fix most EDoc errors, even if that's not used nowadays apparently | Badlop | 2020-05-11 | 1 | -1/+1 |
* | Update copyright to 2020 (#3149) | Badlop | 2020-01-28 | 1 | -1/+1 |
* | Correctly handle unicode in log messages | Evgeny Khramtsov | 2019-09-23 | 1 | -11/+11 |
* | Don't call to xmpp_idna | Evgeny Khramtsov | 2019-09-22 | 1 | -3/+3 |
* | Use round/0 instead of ceil/0 | Evgeny Khramtsov | 2019-09-20 | 1 | -8/+8 |
| | Because ceil/0 was introduced in OTP20.0 only | ||||
* | Improve ACME implementation | Evgeny Khramtsov | 2019-09-20 | 1 | -23/+87 |
| | Fixes #2487, fixes #2590, fixes #2638 | ||||
* | Use new configuration validator | Evgeny Khramtsov | 2019-06-14 | 1 | -74/+32 |
* | Update copyright to 2019 (#2756) | Badlop | 2019-01-08 | 1 | -1/+1 |
* | Fix bugs introduced by previous commit | Evgeny Khramtsov | 2018-09-28 | 1 | -25/+27 |
* | Move certificates processing code to pkix application | Evgeny Khramtsov | 2018-09-27 | 1 | -822/+290 |
| | ==== WARNING: MUST BE ADDED TO RELEASE NOTES =====<br>The commit introduces the following incompatibility:<br>- Option 'ca_path' is deprecated and has no effect anymore: option 'ca_file' should be used instead if needed.<br>================================================== | ||||
* | Refactor ejabberd_listener | Evgeny Khramtsov | 2018-09-18 | 1 | -1/+6 |
* | Fix some dialyzer warnings | Evgeny Khramtsov | 2018-09-09 | 1 | -3/+3 |
* | Move XMPP stream and SASL processing to xmpp repo | Evgeniy Khramtsov | 2018-07-06 | 1 | -1/+1 |
* | Work-around against public_key incompatibility introduced in OTP21 | Evgeniy Khramtsov | 2018-06-27 | 1 | -51/+67 |
| | The commit that introduced the incompatibility is https://github.com/erlang/otp/commit/304dd8f81e28ed04cde9f6f7ac1f79870da1c2cd<br>Thanks to Stu Tomlinson for spotting the issue.<br>Fixes #2488 | ||||
* | Do not ignore a certificate containing no domain names | Evgeniy Khramtsov | 2018-06-27 | 1 | -9/+16 |
| | Log a warning instead and assign it to an "empty" domain | ||||
* | Don't replace valid certificates with invalid ones | Evgeniy Khramtsov | 2018-06-27 | 1 | -37/+88 |
| | When building the certificates chains, if several certificates are found matching the same domain their validity is checked:<br>* the invalid one is ignored and the valid one is picked<br>* if both are valid or both are invalid, then the one with sooner expiration is ignored.<br>Fixes #2454 | ||||
* | Clear fast_tls cache on configuration reload | Evgeniy Khramtsov | 2018-04-13 | 1 | -0/+1 |
* | Get rid of 'fs' package dependency | Evgeniy Khramtsov | 2018-03-23 | 1 | -52/+1 |
| | Certificates auto-reloading will be fixed later. For now to reload certificates call `reload-config` ejabberd command. | ||||
* | Update copyright dates | Evgeniy Khramtsov | 2018-01-05 | 1 | -1/+1 |
* | Repair hosts check during certfiles validation | Evgeniy Khramtsov | 2017-12-28 | 1 | -3/+12 |
* | Return default certificate on domain mismatch | Evgeniy Khramtsov | 2017-12-28 | 1 | -3/+17 |
* | Rely on Server Name Indication for incoming Direct-TLS connections | Evgeniy Khramtsov | 2017-12-24 | 1 | -0/+1 |
| | This commit also deprecates `certfile` option for ejabberd_http listener. | ||||
* | Log warning on empty wildcard paths | Evgeniy Khramtsov | 2017-12-08 | 1 | -1/+14 |
* | Don't call pkix_is_self_signed/1 too frequently | Evgeniy Khramtsov | 2017-12-07 | 1 | -11/+11 |
* | Eat less memory during building certificates graph | Evgeniy Khramtsov | 2017-12-07 | 1 | -14/+19 |
* | Speedup certificate chains creation and validation | Evgeniy Khramtsov | 2017-12-07 | 1 | -75/+164 |
* | Avoid infinite loop between self-signed certs | Evgeniy Khramtsov | 2017-12-07 | 1 | -3/+8 |
* | Introduce option 'ca_file' | Evgeniy Khramtsov | 2017-11-26 | 1 | -9/+54 |
| | The option is supposed to be used as a fallback for certificates validation. For instance, the option will be used if 's2s_cafile' option is not set. The value should be a path to a file containing CA certificate(s) in PEM format, e.g.:<br>`ca_file: "/etc/ssl/certs/ca-bundle.pem"` | ||||
* | Get rid of unused variable compile warning | Evgeniy Khramtsov | 2017-11-24 | 1 | -1/+1 |
* | Fix function clause on filelib:wildcard/1 | Evgeniy Khramtsov | 2017-11-24 | 1 | -3/+8 |
* | Move 'certfile' based options in a single place | Evgeniy Khramtsov | 2017-11-23 | 1 | -1/+6 |
* | Re-read ACME certificates on config reload | Evgeniy Khramtsov | 2017-11-19 | 1 | -9/+9 |
* | Make ACME code working with ejabberd_pkix | Evgeniy Khramtsov | 2017-11-17 | 1 | -11/+13 |
* | Merge branch 'lets_encrypt_acme_support' of git://github.com/angelhof/ejabberd into angelhof-lets_encrypt_acme_support | Evgeniy Khramtsov | 2017-11-15 | 1 | -1/+8 |
|\ | Conflicts:<br>rebar.config<br>src/ejabberd_pkix.erl | ||||
| * | Add acme certificates for all configured hosts in ejabberd_pkix | Konstantinos Kallas | 2017-08-19 | 1 | -9/+18 |
* | | Erase transient certificates on exit | Evgeniy Khramtsov | 2017-11-07 | 1 | -1/+2 |
* | | Fix pkix:validate() return value | Paweł Chmielowski | 2017-11-02 | 1 | -1/+1 |
* | | Remove -include() directive for unused header | Evgeniy Khramtsov | 2017-11-01 | 1 | -1/+0 |
* | | Clarify some error/warning messages | Evgeniy Khramtsov | 2017-11-01 | 1 | -2/+9 |
* | | Avoid using "bag" ETS type for certificate storage | Evgeniy Khramtsov | 2017-11-01 | 1 | -1/+1 |
* | | Start even if there are problems with fs application | Evgeniy Khramtsov | 2017-11-01 | 1 | -6/+21 |
* | | Lower log level | Evgeniy Khramtsov | 2017-11-01 | 1 | -2/+2 |
* | | Introduce 'certfiles' global option | Evgeniy Khramtsov | 2017-11-01 | 1 | -101/+260 |
|/ | The option is supposed to replace existing options 'c2s_certfile', 's2s_certfile' and 'domain_certfile'. The option accepts a list of file paths (optionally with wildcards "*") containing either PEM certificates or PEM private keys. At startup, ejabberd sorts the certificates, finds matching private keys and rebuilds full certificates chains which can be used by fast_tls.<br>Example:<br>`certfiles:`<br>`  - "/etc/letsencrypt/live/example.org/*.pem"`<br>`  - "/etc/letsencrypt/live/example.com/*.pem"` | ||||
* | Validate all certfiles on startup | Evgeniy Khramtsov | 2017-05-23 | 1 | -10/+21 |
* | Shut up dialyzer/xref if public_key:short_name_hash/1 is not available | Evgeniy Khramtsov | 2017-05-13 | 1 | -1/+9 |
* | Only validate certfiles if public_key:short_name_hash/1 is available | Evgeniy Khramtsov | 2017-05-12 | 1 | -1/+4 |
* | Introduce Certificate Manager | Evgeniy Khramtsov | 2017-05-12 | 1 | -0/+513 |
The major goal is to simplify certificate management in ejabberd. Currently it requires some effort from a user to configure certificates, especially in the situation where a lot of virtual domains are hosted.<br>The task is split into several sub-tasks:<br>* Implement basic certificate validator. The validator should check all configured certificates for existence, validity, duration and so on. The validator should not perform any actions in the case of errors except logging an error message. This is actually implemented by this commit.<br>* All certificates should be configured inside a single section (something like 'certfiles') where ejabberd should parse them, check the full-chain, find the corresponding private keys and, if needed, resort chains and split the certificates into separate files for easy use by fast_tls.<br>* Options like 'domain_certfile', 'c2s_certfile' or 's2s_certfile' should probably be deprecated, since the process of matching certificates with the corresponding virtual hosts should be done automatically and these options only introduce configuration errors without any meaningful purpose. |