prosody-modules
e9e10ec1b91c
mod_firewall/definitions.lib.lua

Find changesets by keywords by author, files, the commit message, revision number or hash, or revset expression.

Software / code / prosody-modules

Comparison

mod_firewall/definitions.lib.lua @ 4127:e9e10ec1b91c

mod_firewall: Add checkcerts option for HTTP lists, cert verification disabled when SNI unsupported This provides a balance between security and usability. SNI is supported in Prosody trunk and in Prosody 0.11 from commit 30d3f6f85eb8 (scheduled for 0.11.7).
author Matthew Wild <mwild1@gmail.com>
date Tue, 15 Sep 2020 11:49:55 +0100
parent 4017:015452258952
child 4512:b88f05c878ac
comparison
equal deleted inserted replaced
4126:68ceb7e0cfe6 4127:e9e10ec1b91c
102 self.hash_function = hashes[opts.hash]; 102 self.hash_function = hashes[opts.hash];
103 end 103 end
104 local etag; 104 local etag;
105 local failure_count = 0; 105 local failure_count = 0;
106 local retry_intervals = { 60, 120, 300 }; 106 local retry_intervals = { 60, 120, 300 };
107 -- By default only check the certificate if net.http supports SNI
108 local sni_supported = http.feature and http.features.sni;
109 local insecure = false;
110 if opts.checkcert == "never" then
111 insecure = true;
112 elseif (opts.checkcert == nil or opts.checkcert == "when-sni") and not sni_supported then
113 insecure = false;
114 end
107 local function update_list() 115 local function update_list()
108 http.request(url, { 116 http.request(url, {
117 insecure = insecure;
109 headers = { 118 headers = {
110 ["If-None-Match"] = etag; 119 ["If-None-Match"] = etag;
111 }; 120 };
112 }, function (body, code, response) 121 }, function (body, code, response)
113 local next_poll = poll_interval; 122 local next_poll = poll_interval;