File

mod_checkcerts/mod_checkcerts.lua @ 1130:29dcdea3c2be

mod_s2s_auth_dnssec_srv: Ignore certificates with invalid chains.
author Kim Alvefur <zash@zash.se>
date Sat, 03 Aug 2013 12:38:22 +0200
parent 1098:cbbeac61f1ab
child 1672:d9fcf9d8e787
line wrap: on
line source

local ssl = require"ssl";
local datetime_parse = require"util.datetime".parse;
local load_cert = ssl.x509 and ssl.x509.load;
local st = require"util.stanza"

-- These are in days.
local nag_time = module:get_option_number("checkcerts_notify", 7) * 86400;

if not load_cert then
	module:log("error", "This version of LuaSec (%s) does not support certificate checking", ssl._VERSION);
	return
end

local pat = "^([JFMAONSD][ceupao][glptbvyncr])  ?(%d%d?) (%d%d):(%d%d):(%d%d) (%d%d%d%d) GMT$";
local months = {Jan=1,Feb=2,Mar=3,Apr=4,May=5,Jun=6,Jul=7,Aug=8,Sep=9,Oct=10,Nov=11,Dec=12};
local function parse_x509_datetime(s)
	local month, day, hour, min, sec, year = s:match(pat); month = months[month];
	return datetime_parse(("%04d-%02d-%02dT%02d:%02d:%02dZ"):format(year, month, day, hour, min, sec));
end

local timeunits = {"minute",60,"hour",3600,"day",86400,"week",604800,"month",2629746,"year",31556952,};
local function humantime(timediff)
	local ret = {};
	for i=#timeunits,2,-2 do
		if timeunits[i] < timediff then
			local n = math.floor(timediff / timeunits[i]);
			if n > 0 and #ret < 2 then
				ret[#ret+1] = ("%d %s%s"):format(n, timeunits[i-1], n ~= 1 and "s" or "");
				timediff = timediff - n*timeunits[i];
			end
		end
	end
	return table.concat(ret, " and ")
end

local function check_certs_validity()
	local now = os.time();

	-- First, let's find out what certificate this host uses.
	local ssl_config = config.rawget(module.host, "ssl");
	if not ssl_config then
		local base_host = module.host:match("%.(.*)");
		ssl_config = config.get(base_host, "ssl");
	end

	if ssl_config and ssl_config.certificate then
		local certfile = ssl_config.certificate;
		local fh = io.open(certfile); -- Load the file.
		cert = fh and fh:read"*a";
		fh = fh and fh:close();
		local cert = cert and load_cert(cert); -- And parse

		if not cert then
			module:log("warn", "No certificate configured for this host, please fix this and reload this module to check expiry");
			return
		end
		local expires_at = parse_x509_datetime(cert:notafter());
		local expires_in = os.difftime(expires_at, now);
		local fmt =  "Certificate %s expires in %s"
		local nag_admin = expires_in < nag_time;
		local log_warn = expires_in < nag_time * 2;
		local timediff = expires_in;
		if expires_in < 0 then
			fmt =  "Certificate %s expired %s ago";
			timediff = -timediff;
		end
		timediff = humantime(timediff);
		module:log(log_warn and "warn" or "info", fmt, certfile, timediff);
		if nag_admin then
			local body = fmt:format("for host ".. module.host, timediff);
			for _,admin in ipairs(module:get_option_array("admins", {})) do
				module:send(st.message({ from = module.host, to = admin, type = "chat" }, body));
			end
		end
		return math.max(86400, expires_in / 3);
	end
end

module:add_timer(1, check_certs_validity);