589521bfd8
Update copyright year to 2024 ( #4139 )
2024-01-22 17:29:13 +01:00
243697e25a
Update copyright year to 2023 ( #3967 )
2023-01-10 13:52:04 +01:00
b3211b1f71
Update copyright year to 2022
2022-02-11 09:39:25 +01:00
6e0161470e
Update newest copyright year to 2021 ( #3464 )
2021-01-27 17:02:06 +01:00
d7d8085d3b
Fix most EDoc errors, even if that's not used nowadays apparently
2020-05-11 19:53:13 +02:00
2d32c66fd7
Update copyright to 2020 ( #3149 )
2020-01-28 15:49:23 +01:00
5770946f03
Correctly handle unicode in log messages
2019-09-23 15:17:20 +03:00
b7e296857c
Don't call to xmpp_idna
2019-09-22 13:28:14 +03:00
81ae691738
Use round/0 instead of ceil/0
...
Because ceil/0 was introduced in OTP20.0 only
2019-09-20 15:33:08 +03:00
e227940b85
Improve ACME implementation
...
Fixes #2487 , fixes #2590 , fixes #2638
2019-09-20 12:36:31 +03:00
a02cff0e78
Use new configuration validator
2019-06-14 12:33:26 +03:00
55417dfb37
Update copyright to 2019 ( #2756 )
2019-01-08 22:53:27 +01:00
984a00195a
Fix bugs introduced by previous commit
2018-09-28 00:28:34 +03:00
39fa1a810d
Move certificates processing code to pkix application
...
==== WARNING: MUST BE ADDED TO RELEASE NOTES =====
The commit introduces the following incompatibility:
- Option 'ca_path' is deprecated and has no effect anymore:
option 'ca_file' should be used instead if needed.
==================================================
2018-09-27 20:37:27 +03:00
03de853e4f
Refactor ejabberd_listener
2018-09-18 12:53:36 +03:00
2d246f61dd
Fix some dialyzer warnings
2018-09-09 09:59:08 +03:00
0bb14d16c7
Move XMPP stream and SASL processing to xmpp repo
2018-07-06 01:07:36 +03:00
71ae7e9fd9
Work-around against public_key incompatibility introduced in OTP21
...
The commit introduced the incompatility is
304dd8f81eFixes #2488
2018-06-27 19:40:03 +03:00
87357c700f
Do not ignore a certificate containing no domain names
...
Log a warning instead and assign it to an "empty" domain
2018-06-27 11:27:39 +03:00
7881c5670c
Don't replace valid certificates with invalid ones
...
When building the certificates chains, if several certificates
are found matching the same domain their validity is checked:
* the invalid one is ignored and the valid one is picked
* if both are valid or both are invalid, then the one with
sooner expiration is ignored.
Fixes #2454
2018-06-27 10:55:37 +03:00
d0f36537fb
Clear fast_tls cache on configuration reload
2018-04-13 11:10:20 +03:00
f39dbe6e49
Get rid of 'fs' package dependency
...
Certificates auto-reloading will be fixed later.
For now to reload certificates call `reload-config` ejabberd command.
2018-03-23 16:40:26 +03:00
cdc7c1d1ed
Update copyright dates
2018-01-05 23:18:58 +03:00
240977a0da
Repair hosts check during certfiles validation
2017-12-28 21:36:57 +03:00
529d6d8a93
Return default certificate on domain mismatch
2017-12-28 17:24:23 +03:00
1698956f34
Rely on Server Name Indication for incoming Direct-TLS connections
...
This commit also deprecates `certfile` option for ejabberd_http
listener.
2017-12-24 12:27:51 +03:00
e15a9a2b9e
Log warning on empty wildcard paths
2017-12-08 12:50:10 +03:00
f1ac793d56
Don't call pkix_is_self_signed/1 too frequently
2017-12-07 17:24:34 +03:00
97c9058246
Eat less memory during building certificates graph
2017-12-07 16:41:49 +03:00
a303373b0f
Speedup certificate chains creation and validation
2017-12-07 14:32:12 +03:00
344a2611f2
Avoid infinite loop between self-signed certs
2017-12-07 00:29:19 +03:00
783ebd1080
Introduce option 'ca_file'
...
The option is supposed to be used as a fallback for certificates
validation. For instance, the option will be used if 's2s_cafile'
option is not set. The value should be a path to a file containing
CA certificate(s) in PEM format, e.g.:
ca_file: "/etc/ssl/certs/ca-bundle.pem"
2017-11-26 18:10:25 +03:00
5676adff30
Get rid of unused variable compile warning
2017-11-24 12:11:01 +03:00
e31f6409a6
Fix function clause on filelib:wildcard/1
2017-11-24 12:10:03 +03:00
fbd6ea8a48
Move 'certfile' based options in a single place
2017-11-23 11:04:47 +03:00
e709d6561c
Re-read ACME certificates on config reload
2017-11-19 09:56:05 +03:00
ce98226603
Make ACME code working with ejabberd_pkix
2017-11-17 11:59:40 +03:00
b04c6b7d75
Merge branch 'lets_encrypt_acme_support' of git://github.com/angelhof/ejabberd into angelhof-lets_encrypt_acme_support
...
Conflicts:
rebar.config
src/ejabberd_pkix.erl
2017-11-15 10:01:30 +03:00
fe9b191382
Erase transient certificates on exit
2017-11-07 09:04:20 +03:00
354a710e70
Fix pkix:validate() return value
2017-11-02 11:28:23 +01:00
a22aad0a4b
Remove -include() directive for unused header
2017-11-01 10:59:28 +03:00
ae07fd7f10
Clarify some error/warning messages
2017-11-01 10:14:34 +03:00
86809dff06
Avoid using "bag" ETS type for certificate storage
2017-11-01 08:47:07 +03:00
35dc164233
Start even if there are problems with fs application
2017-11-01 08:34:14 +03:00
170be1fbd5
Lower log level
2017-11-01 00:55:05 +03:00
35b7203e01
Introduce 'certfiles' global option
...
The option is supposed to replace existing options 'c2s_certfile',
's2s_certfile' and 'domain_certfile'. The option accepts a list
of file paths (optionally with wildcards "*") containing either
PEM certificates or PEM private keys. At startup, ejabberd sorts
the certificates, finds matching private keys and rebuilds full
certificates chains which can be used by fast_tls. Example:
certfiles:
- "/etc/letsencrypt/live/example.org/*.pem"
- "/etc/letsencrypt/live/example.com/*.pem"
2017-11-01 00:20:27 +03:00
7cc7b74f1e
Add acme certificates for all configured hosts in ejabberd_pkix
2017-08-19 12:50:40 +03:00
268065e5c4
Validate all certfiles on startup
2017-05-23 09:27:52 +03:00
061d5f2380
Shut up dialyzer/xref if public_key:short_name_hash/1 is not available
2017-05-13 13:11:08 +03:00
2d17a2850c
Only validate certfiles if public_key:short_name_hash/1 is available
2017-05-12 17:51:17 +03:00
Badlop