[pkg-lua-devel] SSL certificate (and virtual host examples) in Prosody package

Matthew Wild mwild1 at gmail.com
Sun May 13 11:15:02 UTC 2012


Hi,

On 13 May 2012 10:16, Sergei Golovan <sgolovan at gmail.com> wrote:
> Hi!
>
> Just a few thoughts on working with the default self-signed
> certificates in Prosody:
>
> 1) Our autogenerated SSL certificate is listed in the main config as
> the default certificate. Do we really want to encourage users to use
> the self-signed certificate for any purpose other than as an example?

I'm biased towards liking self-signed certs :)

> I'd suggest commenting out the ssl options and adding this certificate to
> conf.d/localhost.cfg.lua.

Legacy SSL and HTTPS (the latter is now enabled by default for all
HTTP plugins, such as BOSH) require the global one. I think in some
earlier versions Prosody almost demanded a global SSL cert if one
didn't exist. I think it would be fine to move it to the localhost
config now though.

> 2) Generating our own certificate is error prone (there are already a
> few bug reports on it, see [1], [2]).
>
> I'd suggest using the snakeoil certificate from the ssl-cert package,
> which is a self-signed certificate generated for all programs that
> need one.

I definitely think using the snakeoil cert by default is a good idea -
I didn't even know about it until a few weeks ago.

For what it's worth, we have a new command in 0.9: `prosodyctl cert
generate`. It allows you to generate a proper XMPP certificate or CSR
(or even just OpenSSL config) for one or more hosts in the config
file.

> 3) Also, I'd like to move the symlinking to
> /etc/prosody/conf.d/localhost.cfg.lua to a postinst script (and not
> symlink at all on upgrade) because currently the local admin can't
> remove the symlink permanently (it'll reappear after the update).

Ok.

> 4) Currently, we have virtual host 'example.com' in the main config
> and in an example config in /etc/prosody/conf.avail. Would it be
> better to remove (or comment out) the one in the main config file?
>
> Thoughts?

I think I kept this just to show that you /can/ put host definitions
in the main config file. I won't cry if there's reason to remove it,
but as someone who much prefers the single config to split-config, I
like it there.

Regards,
Matthew
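Put together, Sergei's proposed layout and Matthew's caveat that legacy SSL and HTTPS still need a global certificate look roughly like the following Prosody configuration. This is an added illustration, not text from the thread or the Debian package's shipped config; the snakeoil file paths are the ones the Debian ssl-cert package installs and are assumed here.

```lua
-- /etc/prosody/prosody.cfg.lua (global section). Added example, not the
-- package's own config. The global ssl block stays because legacy SSL and
-- HTTPS (used by BOSH and other HTTP plugins) read it; it points at the
-- ssl-cert package's snakeoil pair instead of a package-generated cert.
ssl = {
    key = "/etc/ssl/private/ssl-cert-snakeoil.key";
    certificate = "/etc/ssl/certs/ssl-cert-snakeoil.pem";
}

-- No VirtualHost "example.com" in the main file: host definitions come
-- from the split config directory instead.
Include "conf.d/*.cfg.lua"

-- /etc/prosody/conf.d/localhost.cfg.lua (symlinked from conf.avail/ by the
-- postinst script, so removing the link is a permanent local decision).
-- The per-host ssl block lets the localhost entry carry the example
-- certificate rather than advertising it as the site-wide default.
VirtualHost "localhost"
    ssl = {
        key = "/etc/ssl/private/ssl-cert-snakeoil.key";
        certificate = "/etc/ssl/certs/ssl-cert-snakeoil.pem";
    }
```

On Debian the snakeoil key is readable only by root and the ssl-cert group, so the user Prosody drops to must be a member of that group or the listener will fail to load the key.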
