Use newer lua-http derived ephemeralcert generation
author daurnimator <quae@daurnimator.com>
Mon, 19 Dec 2016 04:34:38 +0000 (15:34 +1100)
committer Ondřej Surý <ondrej@sury.org>
Mon, 19 Dec 2016 08:54:06 +0000 (09:54 +0100)
modules/http/http.lua

index f7b6c8f241efaab3d4a922cd0399260515451a33..997258ab9c4ac5d7ae6ce018df093f785b814c9b 100644 (file)
@@ -197,14 +197,20 @@ local function ephemeralcert(host)
        -- Import luaossl directly
        local name = require('openssl.x509.name')
        local altname = require('openssl.x509.altname')
+       local openssl_bignum = require('openssl.bignum')
+       local openssl_rand = require('openssl.rand')
        -- Create self-signed certificate
        host = host or hostname()
        local crt = x509.new()
        local now = os.time()
-       crt:setSerial(now)
+       crt:setVersion(3)
+       -- serial needs to be unique or browsers will show uninformative error messages
+       crt:setSerial(openssl_bignum.fromBinary(openssl_rand.bytes(16)))
+       -- use the host we're listening on as canonical name
        local dn = name.new()
        dn:add("CN", host)
        crt:setSubject(dn)
+       crt:setIssuer(dn) -- should match subject for a self-signed
        local alt = altname.new()
        alt:add("DNS", host)
        crt:setSubjectAlt(alt)
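Review bot: The comment above the new `crt:setSerial(...)` line says why the serial must be unique but not why 16 bytes was chosen; RFC 5280 caps serial numbers at 20 octets and requires a positive integer, and `fromBinary` reads the bytes as an unsigned big-endian number, so 16 random bytes stay inside that limit while giving well over the 64 bits of entropy normally expected, which is worth recording so a later change does not bump the count past 20: `-- 16 random bytes: positive and under RFC 5280's 20-octet serial limit, ample entropy`. If I recall luaossl correctly, `openssl.rand.bytes` raises an error rather than returning nil when the RNG cannot supply bytes, so a failure here propagates out of ephemeralcert as an error instead of a nil certificate; that is acceptable, but callers should not expect a nil/err return from this path. With `crt:setSerial(now)` removed, `now` from `local now = os.time()` is no longer used anywhere in the hunk; if the validity-period code further down still reads it that is fine, otherwise the local is dead. ephemeralcert starts before and continues after this hunk.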