author | Evgeniy Khramtsov <ekhramtsov@process-one.net> | 2017-12-24 12:27:51 +0300 |
---|---|---|
committer | Evgeniy Khramtsov <ekhramtsov@process-one.net> | 2017-12-24 12:27:51 +0300 |
commit | 1698956f34fda67f815c66c26f1e0abe6ad139bc (patch) | |
tree | 1f717a292b6f3b840653104e8fa17481995b964c /src/ejabberd_stun.erl | |
parent | Don't let privacy list prevent local roster update (diff) |
Rely on Server Name Indication for incoming Direct-TLS connections
This commit also deprecates `certfile` option for ejabberd_http
listener.
Diffstat (limited to 'src/ejabberd_stun.erl')
-rw-r--r-- | src/ejabberd_stun.erl | 28 |
1 files changed, 25 insertions, 3 deletions
diff --git a/src/ejabberd_stun.erl b/src/ejabberd_stun.erl
index 8228a2577..25a55ae90 100644
--- a/src/ejabberd_stun.erl
+++ b/src/ejabberd_stun.erl
@@ -77,7 +77,7 @@ prepare_turn_opts(Opts) ->
 prepare_turn_opts(Opts, UseTurn).
 
 prepare_turn_opts(Opts, _UseTurn = false) ->
- Opts;
+ set_certfile(Opts);
 prepare_turn_opts(Opts, _UseTurn = true) ->
 NumberOfMyHosts = length(?MYHOSTS),
 case proplists:get_value(turn_ip, Opts) of
@@ -109,8 +109,28 @@ prepare_turn_opts(Opts, _UseTurn = true) ->
 []
 end,
 MaxRate = shaper:get_max_rate(Shaper),
- Realm ++ [{auth_fun, AuthFun},{shaper, MaxRate} |
- lists:keydelete(shaper, 1, Opts)].
+ Opts1 = Realm ++ [{auth_fun, AuthFun},{shaper, MaxRate} |
+ lists:keydelete(shaper, 1, Opts)],
+ set_certfile(Opts1).
+
+set_certfile(Opts) ->
+ case lists:keymember(certfile, 1, Opts) of
+ true ->
+ Opts;
+ false ->
+ Realm = proplists:get_value(auth_realm, Opts, ?MYNAME),
+ case ejabberd_pkix:get_certfile(Realm) of
+ {ok, CertFile} ->
+ [{certfile, CertFile}|Opts];
+ error ->
+ case ejabberd_config:get_option({domain_certfile, Realm}) of
+ undefined ->
+ Opts;
+ CertFile ->
+ [{certfile, CertFile}|Opts]
+ end
+ end
+ end.
 
 listen_opt_type(use_turn) ->
 fun(B) when is_boolean(B) -> B end;
@@ -131,6 +151,8 @@ listen_opt_type(tls) ->
 fun(B) when is_boolean(B) -> B end;
 listen_opt_type(certfile) ->
 fun(S) ->
+ %% We cannot deprecate the option for now:
+ %% I think STUN/TURN clients are too stupid to set SNI
 ejabberd_pkix:add_certfile(S),
 iolist_to_binary(S)
 end; |
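Review bot: The innermost `undefined -> Opts` branch of set_certfile/1 returns the options with no `certfile` and no diagnostic, so a listener that has `tls` enabled but no certificate for the realm presumably only fails later, when a client connects. The lookup is keyed on `auth_realm` (falling back to `?MYNAME`), which is an authentication realm and may not be a domain that any certificate was issued for. I would log the miss, e.g. `undefined -> ?WARNING_MSG("No certificate found for STUN/TURN realm ~s", [Realm]), Opts;`, assuming logger.hrl is included in this module, which the hunk does not show. A short comment above set_certfile/1 stating the precedence (explicit `certfile`, then the ejabberd_pkix certificate for the realm, then `domain_certfile`) would also help. The body of prepare_turn_opts/2 starts outside the hunk.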
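Review bot: The result of `ejabberd_pkix:add_certfile(S)` is discarded in the `certfile` validator, so if that call reports an unreadable or invalid certificate through its return value, the option is still accepted. Since the added comment keeps this option specifically for clients that send no SNI, the validator is the place to reject a bad file. The comment itself would read better as a statement of the constraint, e.g. `%% Kept on purpose: STUN/TURN clients are not expected to send SNI, so the certificate must be configurable explicitly`. The listen_opt_type/1 clauses continue outside the hunk.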