# HG changeset patch # User Kim Alvefur # Date 1422616326 -3600 # Node ID 1e90054c3ac5d3a243a17068cd40d119ab542890 # Parent 8e006226e4c58dcfe78289e98cbc9bfb6c4b08a6 mod_tls_policy: New module to enforce per-host TLS parameter policies diff -r 8e006226e4c5 -r 1e90054c3ac5 mod_tls_policy/mod_tls_policy.lua --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/mod_tls_policy/mod_tls_policy.lua Fri Jan 30 12:12:06 2015 +0100 @@ -0,0 +1,37 @@ + +assert(require"ssl.core".info, "Incompatible LuaSec version"); + +local function hook(event_name, typ, policy) + if not policy then return end + if policy == "FS" then + policy = { key = "DH$" }; + elseif type(policy) == "string" then + policy = { cipher = policy }; + end + + module:hook(event_name, function (event) + local origin = event.origin; + if origin.encrypted then + local info = origin.conn:socket():info(); + for key, what in pairs(policy) do + module:log("debug", "Does info[%q] = %s match %s ?", key, tostring(info[key]), tostring(what)); + if (type(what) == "number" and what < info[key] ) or (type(what) == "string" and not what:match(info[key])) then + origin:close({ condition = "policy-violation", text = "Cipher not acceptable" }); + return false; + end + module:log("debug", "Seems so"); + end + module:log("debug", "Policy matches"); + end + end, 1000); +end + +local policy = module:get_option(module.name, {}); + +if type(policy) == "string" then + policy = { c2s = policy, s2s = policy }; +end + +hook("stream-features", "c2s", policy.c2s); +hook("s2s-stream-features", "s2sin", policy.s2sin or policy.s2s); +hook("stanza/http://etherx.jabber.org/streams:features", "s2sout", policy.s2sout or policy.s2s);