diff options
author | Evgeniy Khramtsov <ekhramtsov@process-one.net> | 2017-12-24 12:27:51 +0300 |
---|---|---|
committer | Evgeniy Khramtsov <ekhramtsov@process-one.net> | 2017-12-24 12:27:51 +0300 |
commit | 1698956f34fda67f815c66c26f1e0abe6ad139bc (patch) | |
tree | 1f717a292b6f3b840653104e8fa17481995b964c /src/ejabberd_http.erl | |
parent | Don't let privacy list prevent local roster update (diff) |
Rely on Server Name Indication for incoming Direct-TLS connections
This commit also deprecates `certfile` option for ejabberd_http
listener.
Diffstat (limited to 'src/ejabberd_http.erl')
-rw-r--r-- | src/ejabberd_http.erl | 27 |
1 files changed, 23 insertions, 4 deletions
diff --git a/src/ejabberd_http.erl b/src/ejabberd_http.erl index f997877d4..9bf7efcfe 100644 --- a/src/ejabberd_http.erl +++ b/src/ejabberd_http.erl @@ -97,8 +97,7 @@ start_link(SockData, Opts) -> init({SockMod, Socket}, Opts) -> TLSEnabled = proplists:get_bool(tls, Opts), - TLSOpts1 = lists:filter(fun ({certfile, _}) -> true; - ({ciphers, _}) -> true; + TLSOpts1 = lists:filter(fun ({ciphers, _}) -> true; ({dhfile, _}) -> true; ({protocol_options, _}) -> true; (_) -> false @@ -108,7 +107,11 @@ init({SockMod, Socket}, Opts) -> false -> [compression_none | TLSOpts1]; true -> TLSOpts1 end, - TLSOpts = [verify_none | TLSOpts2], + TLSOpts3 = case get_certfile(Opts) of + undefined -> TLSOpts2; + CertFile -> [{certfile, CertFile}|TLSOpts2] + end, + TLSOpts = [verify_none | TLSOpts3], {SockMod1, Socket1} = if TLSEnabled -> inet:setopts(Socket, [{recbuf, 8192}]), {ok, TLSSocket} = fast_tls:tcp_to_tls(Socket, @@ -885,6 +888,20 @@ normalize_path([_Parent, <<"..">>|Path], Norm) -> normalize_path([Part | Path], Norm) -> normalize_path(Path, [Part|Norm]). +-spec get_certfile([proplists:property()]) -> binary() | undefined. +get_certfile(Opts) -> + case lists:keyfind(certfile, 1, Opts) of + {_, CertFile} -> + CertFile; + false -> + case ejabberd_pkix:get_certfile(?MYNAME) of + {ok, CertFile} -> + CertFile; + error -> + ejabberd_config:get_option({domain_certfile, ?MYNAME}) + end + end. + transform_listen_option(captcha, Opts) -> [{captcha, true}|Opts]; transform_listen_option(register, Opts) -> @@ -933,8 +950,10 @@ opt_type(_) -> [trusted_proxies]. (atom()) -> [atom()]. listen_opt_type(tls) -> fun(B) when is_boolean(B) -> B end; -listen_opt_type(certfile) -> +listen_opt_type(certfile = Opt) -> fun(S) -> + ?WARNING_MSG("Listening option '~s' for ~s is deprecated, use " + "'certfiles' global option instead", [Opt, ?MODULE]), ejabberd_pkix:add_certfile(S), iolist_to_binary(S) end; |