Software / code / prosody-modules
Changeset
1330:bb6f3312ab46
mod_s2s_auth_dane: Don't allow unencrypted connections if TLSA exists
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Wed, 05 Mar 2014 17:44:27 +0100 |
| parents | 1329:8d99b9c4cf0c |
| children | 1331:dbaa67babeb4 |
| files | mod_s2s_auth_dane/mod_s2s_auth_dane.lua |
| diffstat | 1 files changed, 17 insertions(+), 0 deletions(-) [+] |
line wrap: on
line diff
--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Wed Mar 05 17:42:15 2014 +0100 +++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Wed Mar 05 17:44:27 2014 +0100 @@ -104,6 +104,23 @@ end end); +function module.add_host(module) + module:hook("s2s-authenticated", function(event) + local session = event.session; + local srv_hosts = session.srv_hosts; + local srv_choice = session.srv_choice; + if srv_hosts[srv_choice].dane and not session.secure then + -- TLSA record but no TLS, not ok. + session:close({ + condition = "policy-violation", + text = "Encrypted server-to-server communication is required but was not " + ..((session.direction == "outgoing" and "offered") or "used") + }); + return false; + end + end); +end + function module.unload() s2sout.try_connect = _try_connect; end
