It also improves error reporting from the store:add() call.
Sometimes the error message from lua-ossl is incomplete. This is fixed
by https://github.com/wahern/luaossl/pull/176.
end
-- Fetch over HTTPS
-function kluautil.kr_https_fetch(url, ca_file, file)
+function kluautil.kr_https_fetch(url, out_file, ca_file)
local http_ok, http_request = pcall(require, 'http.request')
+ local httptls_ok, http_tls = pcall(require, 'http.tls')
local openssl_ok, openssl_ctx = pcall(require, 'openssl.ssl.context')
- if not http_ok or not openssl_ok then
+ if not http_ok or not httptls_ok or not openssl_ok then
return nil, 'error: lua-http and luaossl libraries are missing (but required)'
end
assert(string.match(url, '^https://'))
- assert(ca_file)
local req = http_request.new_from_uri(url)
- req.ctx = openssl_ctx.new()
- local store = req.ctx:getStore()
- store:add(ca_file)
+ req.tls = true
+ if ca_file then
+ req.ctx = openssl_ctx.new()
+ local store = req.ctx:getStore()
+ local load_ok, errmsg = pcall(store.add, store, ca_file)
+ if not load_ok then
+ return nil, errmsg
+ end
+ else -- use defaults
+ req.ctx = http_tls.new_client_context()
+ end
req.ctx:setVerify(openssl_ctx.VERIFY_PEER)
- req.tls = true
local headers, stream, errmsg = req:go()
if not headers then
end
local err
- err, errmsg = stream:save_body_to_file(file)
+ err, errmsg = stream:save_body_to_file(out_file)
if err == nil then
return nil, errmsg
end
- file:seek ("set", 0)
+ out_file:seek("set", 0)
return true
end
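Review bot: In the `ca_file` branch the context is a bare `openssl_ctx.new()`, whereas the default branch gets `http_tls.new_client_context()`; lua-http's client context is believed to apply cipher-list and protocol-option hardening beyond `VERIFY_PEER` (the only setting this hunk applies to both), so configuring a custom bundle presumably drops that hardening. I would start from `http_tls.new_client_context()` in both branches and, when `ca_file` is given, install a fresh store holding only that bundle via `openssl.x509.store` and `ctx:setStore`, so the trust set stays `ca_file`-only as it was before this change — confirm both calls exist in the minimum luaossl version supported. Separately, `if ca_file then` treats an empty string as a path, so `ca_file = ''` is handed to `store:add` and fails instead of falling back to the system store; `if ca_file and ca_file ~= '' then` would make that fallback explicit, if it is the intent.
```lua
	local store_ok, openssl_store = pcall(require, 'openssl.x509.store')
	if not http_ok or not httptls_ok or not openssl_ok or not store_ok then
		return nil, 'error: lua-http and luaossl libraries are missing (but required)'
	end
	-- … unchanged: url assert and request creation …
	req.tls = true
	-- Always start from lua-http's hardened client context; a custom
	-- CA bundle must not lose the cipher/option defaults.
	req.ctx = http_tls.new_client_context()
	if ca_file then
		-- Fresh store so ca_file is the only trust anchor (the default
		-- context's store may already hold the system CAs).
		local store = openssl_store.new()
		local load_ok, errmsg = pcall(store.add, store, ca_file)
		if not load_ok then
			return nil, errmsg
		end
		req.ctx:setStore(store)
	end
	req.ctx:setVerify(openssl_ctx.VERIFY_PEER)
	-- … unchanged: req:go() and body download …
```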
-- @todo ICANN certificate is verified against current CA
-- this is not ideal, as it should rather verify .xml signature which
-- is signed by ICANN long-lived cert, but luasec has no PKCS7
- local rcode, errmsg = kluautil.kr_https_fetch(url, ca, file)
+ local rcode, errmsg = kluautil.kr_https_fetch(url, file, ca)
if rcode == nil then
file:close()
return false, string.format('[ ta ] fetch of "%s" failed: %s', url, errmsg)
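Review bot: The comment block directly above the changed call still blames luasec for the missing PKCS7 verification, while `kr_https_fetch` is implemented on lua-http/luaossl, so the justification names a library that is not in use; since the call is being touched, reword it to something like `-- is signed by ICANN long-lived cert, but PKCS7 verification is not implemented here`. With `ca_file` now optional in the helper, the `@todo` line should also say what happens when `ca` is nil — presumably the system-wide CA store is used, going by the helper's default branch — so a reader knows which trust set the ICANN certificate is checked against in that case. The enclosing function starts and ends outside the hunk.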
prefill.config({
['.'] = {
url = 'https://www.internic.net/domain/root.zone',
- ca_file = '/etc/pki/tls/certs/ca-bundle.crt',
interval = 86400 -- seconds
+ ca_file = '/etc/pki/tls/certs/ca-bundle.crt', -- optional
}
})
.. csv-table::
:header: "Parameter", "Description"
- "ca_file", "path to CA certificate bundle used to authenticate the HTTPS connection"
+ "ca_file", "path to CA certificate bundle used to authenticate the HTTPS connection (optional, system-wide store will be used if not specified)"
"interval", "number of seconds between zone data refresh attempts"
"url", "URL of a file in :rfc:`1035` zone file format"
end
log("[prefill] downloading root zone to file %s ...", fname)
- rcode, errmsg = kluautil.kr_https_fetch(url, rz_ca_file, file)
+ rcode, errmsg = kluautil.kr_https_fetch(url, file, rz_ca_file)
if rcode == nil then
error(string.format("[prefill] fetch of `%s` failed: %s", url, errmsg))
end
rz_cur_interval = zone_cfg.interval
end
- if not zone_cfg.ca_file then
- error('[prefill] option ca_file must point '
- .. 'to a file with CA certificate(s) in PEM format')
- end
rz_ca_file = zone_cfg.ca_file
if not zone_cfg.url or not string.match(zone_cfg.url, '^https://') then