[pkg-lua-devel] SSL certificate (and virtual host examples) in Prosody package

Sergei Golovan sgolovan at gmail.com
Sun May 13 14:46:14 UTC 2012


Hi!

On Sun, May 13, 2012 at 3:15 PM, Matthew Wild <mwild1 at gmail.com> wrote:
> Hi,
>
> On 13 May 2012 10:16, Sergei Golovan <sgolovan at gmail.com> wrote:
>> Hi!
>>
>> Just a few thoughts on working with the default self-signed
>> certificates in Prosody:
>>
>> 1) Our autogenerated SSL certificate is listed in the main config as
>> the default certificate. Do we really want to encourage users to use
>> the self-signed certificate for a purpose other than example?
>
> I'm biased towards liking self-signed certs :)

They're useful for someone other than the person who generated them
only if you give them to them personally :)

>
>> I'd suggest to comment out the ssl options and add this certificate to
>> conf.d/localhost.cfg.lua.
>
> Legacy SSL and HTTPS (the latter is now enabled by default for all
> HTTP plugins, such as BOSH) require the global one. I think in some
> earlier versions Prosody almost demanded a global SSL cert if one
> didn't exist. I think it would be fine to move it to the localhost
> config now though.

Aha, I see. I tend to think that legacy SSL shouldn't be enabled in
default configuration, but HTTPS is another story. So, let the ssl
options live in the main config.

>
>> 2) Generating our own certificate is error prone (there are already a
>> few bug reports on it, see [1], [2]).
>>
>> I'd suggest to use the snakeoil certificate from ssl-cert package,
>> which is a self-signed certificate generated for all programs that
>> need one.
>
> I definitely think using the snakeoil cert by default is a good idea -
> I didn't even know about it until a few weeks ago.
>
> For what it's worth, we have a new command in 0.9: `prosodyctl cert
> generate`. It allows you to generate a proper XMPP certificate or CSR
> (or even just OpenSSL config) for one or more hosts in the config
> file.

There's make-ssl-cert in ssl-cert package which creates self-signed
SSL certificate together with private key. Though having prosodyctl
command is nice.

>
>> 3) Also, I'd like to move symlinking to
>> /etc/prosody/conf.d/localhost.cfg.lua to a postinst script (and don't
>> symlink at all on upgrade) because currently the local admin can't
>> remove the symlink permanently (it'll reappear after the update).
>
> Ok.
>
>> 4) Currently, we have virtual host 'example.com' in the main config
>> and in an example config in /etc/prosody/conf.avail. Would it be
>> better to remove (or comment out) the one in the main config file?
>>
>> Thoughts?
>
> I think I kept this just to show that you /can/ put host definitions
> in the main config file. I won't cry if there's reason to remove it,
> but as someone who much prefers the single config to split-config, I
> like it there.

Then maybe it's better to rename example.com hostname to example.org
or something in the included config? (I don't like two virtual hosts
with the same name, what if someone tries to enable them both?)

Cheers!
-- 
Sergei Golovan