authorEvgeniy Khramtsov <ekhramtsov@process-one.net>2017-12-24 12:27:51 +0300
committerEvgeniy Khramtsov <ekhramtsov@process-one.net>2017-12-24 12:27:51 +0300
commit1698956f34fda67f815c66c26f1e0abe6ad139bc (patch)
tree1f717a292b6f3b840653104e8fa17481995b964c /src/ejabberd_stun.erl
parentDon't let privacy list prevent local roster update (diff)
Rely on Server Name Indication for incoming Direct-TLS connections
This commit also deprecates `certfile` option for ejabberd_http listener.
Diffstat (limited to 'src/ejabberd_stun.erl')
-rw-r--r--src/ejabberd_stun.erl28
1 files changed, 25 insertions, 3 deletions
diff --git a/src/ejabberd_stun.erl b/src/ejabberd_stun.erl
index 8228a2577..25a55ae90 100644
--- a/src/ejabberd_stun.erl
+++ b/src/ejabberd_stun.erl
@@ -77,7 +77,7 @@ prepare_turn_opts(Opts) ->
prepare_turn_opts(Opts, UseTurn).
prepare_turn_opts(Opts, _UseTurn = false) ->
- Opts;
+ set_certfile(Opts);
prepare_turn_opts(Opts, _UseTurn = true) ->
NumberOfMyHosts = length(?MYHOSTS),
case proplists:get_value(turn_ip, Opts) of
@@ -109,8 +109,28 @@ prepare_turn_opts(Opts, _UseTurn = true) ->
[]
end,
MaxRate = shaper:get_max_rate(Shaper),
- Realm ++ [{auth_fun, AuthFun},{shaper, MaxRate} |
- lists:keydelete(shaper, 1, Opts)].
+ Opts1 = Realm ++ [{auth_fun, AuthFun},{shaper, MaxRate} |
+ lists:keydelete(shaper, 1, Opts)],
+ set_certfile(Opts1).
+
+set_certfile(Opts) ->
+ case lists:keymember(certfile, 1, Opts) of
+ true ->
+ Opts;
+ false ->
+ Realm = proplists:get_value(auth_realm, Opts, ?MYNAME),
+ case ejabberd_pkix:get_certfile(Realm) of
+ {ok, CertFile} ->
+ [{certfile, CertFile}|Opts];
+ error ->
+ case ejabberd_config:get_option({domain_certfile, Realm}) of
+ undefined ->
+ Opts;
+ CertFile ->
+ [{certfile, CertFile}|Opts]
+ end
+ end
+ end.
listen_opt_type(use_turn) ->
fun(B) when is_boolean(B) -> B end;
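Review bot: In `set_certfile/1` the innermost `undefined ->` branch returns `Opts` unchanged and logs nothing, so when neither `ejabberd_pkix:get_certfile(Realm)` nor `domain_certfile` yields a certificate, the listener options carry no `certfile` at all. If `tls` is enabled for this listener (the option is validated further down in `listen_opt_type/1`), the gap presumably only surfaces when a client attempts a handshake; how the listener reacts is outside this hunk. I would log at that point, for example `?WARNING_MSG("No certificate found for STUN/TURN realm ~s", [Realm]), Opts`, assuming the logger macros are already in scope in this module. The lookup is also keyed on `auth_realm` (default `?MYNAME`), which need not be the name clients use to reach the STUN/TURN port, so a short comment above `set_certfile/1` stating that an explicit `certfile` wins and that the realm is only a fallback key would help operators who hit a certificate name mismatch.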
@@ -131,6 +151,8 @@ listen_opt_type(tls) ->
fun(B) when is_boolean(B) -> B end;
listen_opt_type(certfile) ->
fun(S) ->
+ %% We cannot deprecate the option for now:
+ %% I think STUN/TURN clients are too stupid to set SNI
ejabberd_pkix:add_certfile(S),
iolist_to_binary(S)
end;
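Review bot: The comment added in the `certfile` clause records a guess ("I think") instead of the constraint the code depends on, and it does not say what follows from it. Something like `%% Keep 'certfile' for this listener: STUN/TURN clients may not send SNI, so a certificate has to be chosen when the listener is configured` states the reason and matches the `set_certfile/1` fallback added earlier in this commit. Separately, the result of `ejabberd_pkix:add_certfile(S)` on the context line below is discarded, so it is worth confirming that an unreadable or invalid path is reported somewhere else. `listen_opt_type/1` has further clauses outside this hunk.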