Software / code / prosody-modules
Changeset
1600:1e90054c3ac5
mod_tls_policy: New module to enforce per-host TLS parameter policies
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Fri, 30 Jan 2015 12:12:06 +0100 |
| parents | 1599:8e006226e4c5 |
| children | 1601:c5ca63ac0e1b |
| files | mod_tls_policy/mod_tls_policy.lua |
| diffstat | 1 files changed, 37 insertions(+), 0 deletions(-) [+] |
line wrap: on
line diff
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/mod_tls_policy/mod_tls_policy.lua Fri Jan 30 12:12:06 2015 +0100 @@ -0,0 +1,37 @@ + +assert(require"ssl.core".info, "Incompatible LuaSec version"); + +local function hook(event_name, typ, policy) + if not policy then return end + if policy == "FS" then + policy = { key = "DH$" }; + elseif type(policy) == "string" then + policy = { cipher = policy }; + end + + module:hook(event_name, function (event) + local origin = event.origin; + if origin.encrypted then + local info = origin.conn:socket():info(); + for key, what in pairs(policy) do + module:log("debug", "Does info[%q] = %s match %s ?", key, tostring(info[key]), tostring(what)); + if (type(what) == "number" and what < info[key] ) or (type(what) == "string" and not what:match(info[key])) then + origin:close({ condition = "policy-violation", text = "Cipher not acceptable" }); + return false; + end + module:log("debug", "Seems so"); + end + module:log("debug", "Policy matches"); + end + end, 1000); +end + +local policy = module:get_option(module.name, {}); + +if type(policy) == "string" then + policy = { c2s = policy, s2s = policy }; +end + +hook("stream-features", "c2s", policy.c2s); +hook("s2s-stream-features", "s2sin", policy.s2sin or policy.s2s); +hook("stanza/http://etherx.jabber.org/streams:features", "s2sout", policy.s2sout or policy.s2s);
