author | Evgeniy Khramtsov <ekhramtsov@process-one.net> | 2017-11-01 00:20:27 +0300 |
committer | Evgeniy Khramtsov <ekhramtsov@process-one.net> | 2017-11-01 00:20:27 +0300 |
commit | 35b7203e01aefbdfe4ea7804ebe20a8667466628 (patch) | |
tree | e3686b1a359645460b503f632ad477fd27ae67fd /src/ejabberd_s2s.erl | |
parent | Fix sql query (diff) |
Introduce 'certfiles' global option
The option is supposed to replace existing options 'c2s_certfile',
's2s_certfile' and 'domain_certfile'. The option accepts a list
of file paths (optionally with wildcards "*") containing either
PEM certificates or PEM private keys. At startup, ejabberd sorts
the certificates, finds matching private keys and rebuilds full
certificate chains which can be used by fast_tls. Example:
certfiles:
- "/etc/letsencrypt/live/example.org/*.pem"
- "/etc/letsencrypt/live/example.com/*.pem"
Diffstat (limited to 'src/ejabberd_s2s.erl')
-rw-r--r-- | src/ejabberd_s2s.erl | 27 |
1 files changed, 20 insertions, 7 deletions
diff --git a/src/ejabberd_s2s.erl b/src/ejabberd_s2s.erl
index 7dd82b804..0626d62fb 100644
--- a/src/ejabberd_s2s.erl
+++ b/src/ejabberd_s2s.erl
@@ -198,13 +198,11 @@ dirty_get_connections() ->
 -spec tls_options(binary(), [proplists:property()]) -> [proplists:property()].
 tls_options(LServer, DefaultOpts) ->
-    TLSOpts1 = case ejabberd_config:get_option(
-                      {domain_certfile, LServer},
-                      ejabberd_config:get_option(
-                        {s2s_certfile, LServer})) of
+    TLSOpts1 = case get_certfile(LServer) of
                    undefined -> DefaultOpts;
-                   CertFile -> lists:keystore(certfile, 1, DefaultOpts,
-                                              {certfile, CertFile})
+                   CertFile ->
+                       lists:keystore(certfile, 1, DefaultOpts,
+                                      {certfile, CertFile})
                end,
     TLSOpts2 = case ejabberd_config:get_option(
                       {s2s_ciphers, LServer}) of
@@ -269,6 +267,17 @@ queue_type(LServer) ->
       {s2s_queue_type, LServer},
       ejabberd_config:default_queue_type(LServer)).
+-spec get_certfile(binary()) -> file:filename_all().
+get_certfile(LServer) ->
+    case ejabberd_pkix:get_certfile(LServer) of
+        {ok, CertFile} ->
+            CertFile;
+        error ->
+            ejabberd_config:get_option(
+              {domain_certfile, LServer},
+              ejabberd_config:get_option({s2s_certfile, LServer}))
+    end.
 %%====================================================================
 %% gen_server callbacks
 %%====================================================================
@@ -711,7 +720,11 @@ opt_type(route_subdomains) ->
     end;
 opt_type(s2s_access) -> fun acl:access_rules_validator/1;
-opt_type(s2s_certfile) -> fun misc:try_read_file/1;
+opt_type(s2s_certfile = Opt) ->
+    fun(File) ->
+            ?WARNING_MSG("option '~s' is deprecated, use 'certfiles' instead", [Opt]),
+            misc:try_read_file(File)
+    end;
 opt_type(s2s_ciphers) -> fun iolist_to_binary/1;
 opt_type(s2s_dhfile) -> fun misc:try_read_file/1;
 opt_type(s2s_cafile) -> fun misc:try_read_file/1; |
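Review bot: The precedence of certificate sources is silently reversed by the new `case get_certfile(LServer) of` in tls_options/2: the removed lines consulted the per-domain `domain_certfile` first, while `get_certfile/1` (added later in this commit) asks `ejabberd_pkix:get_certfile/1` first and only falls back to the deprecated options when it returns `error`. A deployment that sets both `certfiles` and a per-domain `domain_certfile` override would presumably have its explicit per-domain file ignored for s2s TLS on that domain, which is the kind of change that deserves a note in the commit message and a comment on the `case`, e.g. `%% 'certfiles' (via ejabberd_pkix) wins over the deprecated domain_certfile/s2s_certfile`. The `undefined -> DefaultOpts` branch now relies on the fallback path returning `undefined` when neither deprecated option is set, which the helper's spec does not admit. tls_options/2 continues past the end of the hunk.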
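Review bot: The spec `-spec get_certfile(binary()) -> file:filename_all().` does not cover the `error ->` branch, which returns whatever `ejabberd_config:get_option/2` yields — including `undefined` when neither `domain_certfile` nor `s2s_certfile` is configured — and the caller in tls_options/2 matches `undefined` explicitly, so Dialyzer will flag the mismatch. It should read `-spec get_certfile(binary()) -> file:filename_all() | undefined.`. A one-line comment stating the lookup order would also help the next maintainer: `%% Prefer the certificate selected from 'certfiles'; fall back to the deprecated per-domain options.`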
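Review bot: The deprecation warning is emitted from inside the validator fun, so it is logged every time the validator is applied to an `s2s_certfile` value — presumably once per host that sets it and again on every config reload — rather than once at startup; acceptable for a deprecation notice, but it may be noisy on multi-host deployments, and the message could include the host so operators can tell which entries to migrate. The fun still returns `misc:try_read_file(File)`, so the deprecated option remains fully functional rather than being ignored, which is the right compatibility behaviour and worth stating in a comment such as `%% Still honoured for backwards compatibility; warn so operators migrate to 'certfiles'.` This relies on `?WARNING_MSG` already being in scope in this module, which the hunk does not show.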