prosody-modules
d6a695abb33c
mod_s2s_keysize_policy/mod_s2s_keysize_policy.lua

Find changesets by keywords by author, files, the commit message, revision number or hash, or revset expression.

Software / code / prosody-modules

File

mod_s2s_keysize_policy/mod_s2s_keysize_policy.lua @ 5979:d6a695abb33c

mod_ping_muc: Delay ping a configurable amount of time If a server is restarting, checking immediately before it has a chance to complete its restart and get ready would often fail, preventing the possibility of transparent restarts as supported by Prosody's mod_muc. Reconnecting immediately when a connection is closed for being idle, or because the remote server is trying to reclaim some resources, is also counter-productive as the connection may fail. Also, if there is some Internet routing problem affecting s2s, it may help to wait a bit before checking, in case the problem resolved itself in the mean time.
author Kim Alvefur <zash@zash.se>
date Sun, 11 Aug 2024 16:10:24 +0200
parent 2424:27ffa6521d4e
line wrap: on
line source

-- mod_s2s_keysize_policy.lua
-- Requires LuaSec with this patch: https://github.com/brunoos/luasec/pull/12

module:set_global();

local datetime_parse = require"util.datetime".parse;
local pat = "^([JFMAONSD][ceupao][glptbvyncr])  ?(%d%d?) (%d%d):(%d%d):(%d%d) (%d%d%d%d) GMT$";
local months = {Jan=1,Feb=2,Mar=3,Apr=4,May=5,Jun=6,Jul=7,Aug=8,Sep=9,Oct=10,Nov=11,Dec=12};
local function parse_x509_datetime(s)
	local month, day, hour, min, sec, year = s:match(pat); month = months[month];
	return datetime_parse(("%04d-%02d-%02dT%02d:%02d:%02dZ"):format(year, month, day, hour, min, sec));
end

local weak_key_cutoff = datetime_parse("2014-01-01T00:00:00Z");

-- From RFC 4492
local weak_key_size = {
	RSA = 2048,
	DSA = 2048,
	DH  = 2048,
	EC  =  233,
}

module:hook("s2s-check-certificate", function(event)
	local host, session, cert = event.host, event.session, event.cert;
	if cert and cert.pubkey then
		local _, key_type, key_size = cert:pubkey();
		if key_size < ( weak_key_size[key_type] or 0 ) then
			local issued = parse_x509_datetime(cert:notbefore());
			if issued > weak_key_cutoff then
				session.log("warn", "%s has a %s-bit %s key issued after 31 December 2013, invalidating trust!", host, key_size, key_type);
				session.cert_chain_status = "invalid";
				session.cert_identity_status = "invalid";
			else
				session.log("warn", "%s has a %s-bit %s key", host, key_size, key_type);
			end
		else
			session.log("info", "%s has a %s-bit %s key", host, key_size, key_type);
		end
	end
end);