Software `/` code `/` prosody

Annotate

plugins/mod_tls.lua @ 4157:1b5a8e071a80

mod_tls: Drop 'TLS negotiation started for ...' to debug level from info

author	Matthew Wild <mwild1@gmail.com>
date	Tue, 22 Feb 2011 18:29:35 +0000
parent	3583:ef86ba720f00
child	4244:19c9bf88ec89

rev	line source
1523 841d61be198f Remove version number from copyright headers Matthew Wild <mwild1@gmail.com> parents: 1219 diff changeset	1 -- Prosody IM
2923 b7049746bd29 Update copyright headers for 2010 Matthew Wild <mwild1@gmail.com> parents: 2877 diff changeset	2 -- Copyright (C) 2008-2010 Matthew Wild
b7049746bd29 Update copyright headers for 2010 Matthew Wild <mwild1@gmail.com> parents: 2877 diff changeset	3 -- Copyright (C) 2008-2010 Waqas Hussain
519 cccd610a0ef9 Insert copyright/license headers Matthew Wild <mwild1@gmail.com> parents: 438 diff changeset	4 --
758 b1885732e979 GPL->MIT! Matthew Wild <mwild1@gmail.com> parents: 705 diff changeset	5 -- This project is MIT/X11 licensed. Please see the
b1885732e979 GPL->MIT! Matthew Wild <mwild1@gmail.com> parents: 705 diff changeset	6 -- COPYING file in the source package for more information.
519 cccd610a0ef9 Insert copyright/license headers Matthew Wild <mwild1@gmail.com> parents: 438 diff changeset	7 --
cccd610a0ef9 Insert copyright/license headers Matthew Wild <mwild1@gmail.com> parents: 438 diff changeset	8
3583 ef86ba720f00 mod_tls: Let hosts without an 'ssl' option inherit it from their parent hosts. Waqas Hussain <waqas20@gmail.com> parents: 3574 diff changeset	9 local config = require "core.configmanager";
3571 675d65036f31 certmanager, hostmanager, mod_tls: Move responsibility for creating per-host SSL contexts to mod_tls, meaning reloading certs is now as trivial as reloading mod_tls Matthew Wild <mwild1@gmail.com> parents: 3397 diff changeset	10 local create_context = require "core.certmanager".create_context;
69 5b664c8fef86 forgot to commit mod_tls, oops :) Matthew Wild <mwild1@gmail.com> parents: diff changeset	11 local st = require "util.stanza";
99 ba08b8a4eeef Abstract connections with "connection listeners" Matthew Wild <mwild1@gmail.com> parents: 69 diff changeset	12
1912 126401a7159f require_encryption deprecated, use c2s_require_encryption instead Matthew Wild <mwild1@gmail.com> parents: 1911 diff changeset	13 local secure_auth_only = module:get_option("c2s_require_encryption") or module:get_option("require_encryption");
1913 da49a59dff7c mod_tls: require_s2s_encryption -> s2s_require_encryption Matthew Wild <mwild1@gmail.com> parents: 1912 diff changeset	14 local secure_s2s_only = module:get_option("s2s_require_encryption");
2933 e68ff49fa79b Merge 0.6->0.7 Matthew Wild <mwild1@gmail.com> parents: 2925 2932 diff changeset	15 local allow_s2s_tls = module:get_option("s2s_allow_encryption") ~= false;
1219 f14e08a0ae7f mod_tls: Add <required/> to stream feature when TLS is required Matthew Wild <mwild1@gmail.com> parents: 1213 diff changeset	16
2605 ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	17 local xmlns_starttls = 'urn:ietf:params:xml:ns:xmpp-tls';
ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	18 local starttls_attr = { xmlns = xmlns_starttls };
ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	19 local starttls_proceed = st.stanza("proceed", starttls_attr);
ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	20 local starttls_failure = st.stanza("failure", starttls_attr);
ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	21 local c2s_feature = st.stanza("starttls", starttls_attr);
ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	22 local s2s_feature = st.stanza("starttls", starttls_attr);
ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	23 if secure_auth_only then c2s_feature:tag("required"):up(); end
ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	24 if secure_s2s_only then s2s_feature:tag("required"):up(); end
ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	25
2542 0a78847b38e2 mod_tls: Update for new server SSL syntax Matthew Wild <mwild1@gmail.com> parents: 2108 diff changeset	26 local global_ssl_ctx = prosody.global_ssl_ctx;
1219 f14e08a0ae7f mod_tls: Add <required/> to stream feature when TLS is required Matthew Wild <mwild1@gmail.com> parents: 1213 diff changeset	27
2872 cdc292d201fc mod_tls: Don't offer TLS on hosts that don't have any certs Matthew Wild <mwild1@gmail.com> parents: 2854 diff changeset	28 local host = hosts[module.host];
cdc292d201fc mod_tls: Don't offer TLS on hosts that don't have any certs Matthew Wild <mwild1@gmail.com> parents: 2854 diff changeset	29
2625 03287c06d986 mod_tls: Refactor to simplify detection of whether we can do TLS on a connection Matthew Wild <mwild1@gmail.com> parents: 2623 diff changeset	30 local function can_do_tls(session)
03287c06d986 mod_tls: Refactor to simplify detection of whether we can do TLS on a connection Matthew Wild <mwild1@gmail.com> parents: 2623 diff changeset	31 if session.type == "c2s_unauthed" then
2636 d2805ad5b736 mod_tls: Ban TLS after auth, not before. Waqas Hussain <waqas20@gmail.com> parents: 2635 diff changeset	32 return session.conn.starttls and host.ssl_ctx_in;
2933 e68ff49fa79b Merge 0.6->0.7 Matthew Wild <mwild1@gmail.com> parents: 2925 2932 diff changeset	33 elseif session.type == "s2sin_unauthed" and allow_s2s_tls then
2636 d2805ad5b736 mod_tls: Ban TLS after auth, not before. Waqas Hussain <waqas20@gmail.com> parents: 2635 diff changeset	34 return session.conn.starttls and host.ssl_ctx_in;
2933 e68ff49fa79b Merge 0.6->0.7 Matthew Wild <mwild1@gmail.com> parents: 2925 2932 diff changeset	35 elseif session.direction == "outgoing" and allow_s2s_tls then
2654 07a6f5f9d4be mod_tls: Only negotiate TLS on outgoing s2s connections if we have an SSL context (thanks Flo...) Matthew Wild <mwild1@gmail.com> parents: 2636 diff changeset	36 return session.conn.starttls and host.ssl_ctx;
2625 03287c06d986 mod_tls: Refactor to simplify detection of whether we can do TLS on a connection Matthew Wild <mwild1@gmail.com> parents: 2623 diff changeset	37 end
03287c06d986 mod_tls: Refactor to simplify detection of whether we can do TLS on a connection Matthew Wild <mwild1@gmail.com> parents: 2623 diff changeset	38 return false;
2932 d2816fb6c7ea mod_tls: Add s2s_allow_encryption option which, when set to false, disabled TLS for s2s Matthew Wild <mwild1@gmail.com> parents: 2923 diff changeset	39 end
d2816fb6c7ea mod_tls: Add s2s_allow_encryption option which, when set to false, disabled TLS for s2s Matthew Wild <mwild1@gmail.com> parents: 2923 diff changeset	40
2605 ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	41 -- Hook <starttls/>
2600 1e6f3002e04f mod_tls: Inlined some code. Waqas Hussain <waqas20@gmail.com> parents: 2596 diff changeset	42 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-tls:starttls", function(event)
1e6f3002e04f mod_tls: Inlined some code. Waqas Hussain <waqas20@gmail.com> parents: 2596 diff changeset	43 local origin = event.origin;
2625 03287c06d986 mod_tls: Refactor to simplify detection of whether we can do TLS on a connection Matthew Wild <mwild1@gmail.com> parents: 2623 diff changeset	44 if can_do_tls(origin) then
2605 ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	45 (origin.sends2s or origin.send)(starttls_proceed);
2600 1e6f3002e04f mod_tls: Inlined some code. Waqas Hussain <waqas20@gmail.com> parents: 2596 diff changeset	46 origin:reset_stream();
1e6f3002e04f mod_tls: Inlined some code. Waqas Hussain <waqas20@gmail.com> parents: 2596 diff changeset	47 local host = origin.to_host or origin.host;
2596 187cd90860cb mod_tls: Merged duplicate code. Waqas Hussain <waqas20@gmail.com> parents: 2595 diff changeset	48 local ssl_ctx = host and hosts[host].ssl_ctx_in or global_ssl_ctx;
2600 1e6f3002e04f mod_tls: Inlined some code. Waqas Hussain <waqas20@gmail.com> parents: 2596 diff changeset	49 origin.conn:starttls(ssl_ctx);
4157 1b5a8e071a80 mod_tls: Drop 'TLS negotiation started for ...' to debug level from info Matthew Wild <mwild1@gmail.com> parents: 3583 diff changeset	50 origin.log("debug", "TLS negotiation started for %s...", origin.type);
2600 1e6f3002e04f mod_tls: Inlined some code. Waqas Hussain <waqas20@gmail.com> parents: 2596 diff changeset	51 origin.secure = false;
2595 015934e20f03 mod_tls: Switched to new events API. Waqas Hussain <waqas20@gmail.com> parents: 2594 diff changeset	52 else
015934e20f03 mod_tls: Switched to new events API. Waqas Hussain <waqas20@gmail.com> parents: 2594 diff changeset	53 origin.log("warn", "Attempt to start TLS, but TLS is not available on this %s connection", origin.type);
2605 ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	54 (origin.sends2s or origin.send)(starttls_failure);
2601 e64c6a4aa50b mod_tls: Respond with proper error when TLS cannot be negotiated. Waqas Hussain <waqas20@gmail.com> parents: 2600 diff changeset	55 origin:close();
2595 015934e20f03 mod_tls: Switched to new events API. Waqas Hussain <waqas20@gmail.com> parents: 2594 diff changeset	56 end
015934e20f03 mod_tls: Switched to new events API. Waqas Hussain <waqas20@gmail.com> parents: 2594 diff changeset	57 return true;
015934e20f03 mod_tls: Switched to new events API. Waqas Hussain <waqas20@gmail.com> parents: 2594 diff changeset	58 end);
2932 d2816fb6c7ea mod_tls: Add s2s_allow_encryption option which, when set to false, disabled TLS for s2s Matthew Wild <mwild1@gmail.com> parents: 2923 diff changeset	59
2605 ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	60 -- Advertize stream feature
2607 35a5d1c5ea28 mod_tls: Hook stream-features event using new events API. Waqas Hussain <waqas20@gmail.com> parents: 2605 diff changeset	61 module:hook("stream-features", function(event)
35a5d1c5ea28 mod_tls: Hook stream-features event using new events API. Waqas Hussain <waqas20@gmail.com> parents: 2605 diff changeset	62 local origin, features = event.origin, event.features;
2625 03287c06d986 mod_tls: Refactor to simplify detection of whether we can do TLS on a connection Matthew Wild <mwild1@gmail.com> parents: 2623 diff changeset	63 if can_do_tls(origin) then
2605 ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	64 features:add_child(c2s_feature);
ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	65 end
ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	66 end);
ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	67 module:hook("s2s-stream-features", function(event)
2613 afa20941e098 s2smanager, mod_compression, mod_tls: Changed event.session to event.origin for s2s-stream-features event for consistency. Waqas Hussain <waqas20@gmail.com> parents: 2607 diff changeset	68 local origin, features = event.origin, event.features;
2625 03287c06d986 mod_tls: Refactor to simplify detection of whether we can do TLS on a connection Matthew Wild <mwild1@gmail.com> parents: 2623 diff changeset	69 if can_do_tls(origin) then
2605 ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	70 features:add_child(s2s_feature);
ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	71 end
ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	72 end);
1875 334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	73
334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	74 -- For s2sout connections, start TLS if we can
2605 ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	75 module:hook_stanza("http://etherx.jabber.org/streams", "features", function (session, stanza)
ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	76 module:log("debug", "Received features element");
2654 07a6f5f9d4be mod_tls: Only negotiate TLS on outgoing s2s connections if we have an SSL context (thanks Flo...) Matthew Wild <mwild1@gmail.com> parents: 2636 diff changeset	77 if can_do_tls(session) and stanza:child_with_ns(xmlns_starttls) then
2605 ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	78 module:log("%s is offering TLS, taking up the offer...", session.to_host);
ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	79 session.sends2s("<starttls xmlns='"..xmlns_starttls.."'/>");
ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	80 return true;
ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	81 end
ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	82 end, 500);
1875 334383faf77b mod_tls: Advertise and handle TLS for s2s connections Matthew Wild <mwild1@gmail.com> parents: 1675 diff changeset	83
2605 ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	84 module:hook_stanza(xmlns_starttls, "proceed", function (session, stanza)
ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	85 module:log("debug", "Proceeding with TLS on s2sout...");
ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	86 session:reset_stream();
ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	87 local ssl_ctx = session.from_host and hosts[session.from_host].ssl_ctx or global_ssl_ctx;
3397 f376f0bd1d1f mod_tls: Remove extraneous flag to starttls() for s2sout connecections Matthew Wild <mwild1@gmail.com> parents: 2933 diff changeset	88 session.conn:starttls(ssl_ctx);
2605 ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	89 session.secure = false;
ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	90 return true;
ade70495fe7f mod_tls: Cleanup. Waqas Hussain <waqas20@gmail.com> parents: 2604 diff changeset	91 end);
3571 675d65036f31 certmanager, hostmanager, mod_tls: Move responsibility for creating per-host SSL contexts to mod_tls, meaning reloading certs is now as trivial as reloading mod_tls Matthew Wild <mwild1@gmail.com> parents: 3397 diff changeset	92
675d65036f31 certmanager, hostmanager, mod_tls: Move responsibility for creating per-host SSL contexts to mod_tls, meaning reloading certs is now as trivial as reloading mod_tls Matthew Wild <mwild1@gmail.com> parents: 3397 diff changeset	93 function module.load()
3583 ef86ba720f00 mod_tls: Let hosts without an 'ssl' option inherit it from their parent hosts. Waqas Hussain <waqas20@gmail.com> parents: 3574 diff changeset	94 local global_ssl_config = config.get("*", "core", "ssl");
ef86ba720f00 mod_tls: Let hosts without an 'ssl' option inherit it from their parent hosts. Waqas Hussain <waqas20@gmail.com> parents: 3574 diff changeset	95 local ssl_config = config.get(module.host, "core", "ssl");
ef86ba720f00 mod_tls: Let hosts without an 'ssl' option inherit it from their parent hosts. Waqas Hussain <waqas20@gmail.com> parents: 3574 diff changeset	96 local base_host = module.host:match("%.(.*)");
ef86ba720f00 mod_tls: Let hosts without an 'ssl' option inherit it from their parent hosts. Waqas Hussain <waqas20@gmail.com> parents: 3574 diff changeset	97 if ssl_config == global_ssl_config and hosts[base_host] then
ef86ba720f00 mod_tls: Let hosts without an 'ssl' option inherit it from their parent hosts. Waqas Hussain <waqas20@gmail.com> parents: 3574 diff changeset	98 ssl_config = config.get(base_host, "core", "ssl");
ef86ba720f00 mod_tls: Let hosts without an 'ssl' option inherit it from their parent hosts. Waqas Hussain <waqas20@gmail.com> parents: 3574 diff changeset	99 end
3574 1e088ec07d33 mod_tls: Pass the hostname rather than host session to certmanager.create_context() (thanks darkrain) Matthew Wild <mwild1@gmail.com> parents: 3571 diff changeset	100 host.ssl_ctx = create_context(host.host, "client", ssl_config); -- for outgoing connections
1e088ec07d33 mod_tls: Pass the hostname rather than host session to certmanager.create_context() (thanks darkrain) Matthew Wild <mwild1@gmail.com> parents: 3571 diff changeset	101 host.ssl_ctx_in = create_context(host.host, "server", ssl_config); -- for incoming connections
3571 675d65036f31 certmanager, hostmanager, mod_tls: Move responsibility for creating per-host SSL contexts to mod_tls, meaning reloading certs is now as trivial as reloading mod_tls Matthew Wild <mwild1@gmail.com> parents: 3397 diff changeset	102 end
675d65036f31 certmanager, hostmanager, mod_tls: Move responsibility for creating per-host SSL contexts to mod_tls, meaning reloading certs is now as trivial as reloading mod_tls Matthew Wild <mwild1@gmail.com> parents: 3397 diff changeset	103
675d65036f31 certmanager, hostmanager, mod_tls: Move responsibility for creating per-host SSL contexts to mod_tls, meaning reloading certs is now as trivial as reloading mod_tls Matthew Wild <mwild1@gmail.com> parents: 3397 diff changeset	104 function module.unload()
675d65036f31 certmanager, hostmanager, mod_tls: Move responsibility for creating per-host SSL contexts to mod_tls, meaning reloading certs is now as trivial as reloading mod_tls Matthew Wild <mwild1@gmail.com> parents: 3397 diff changeset	105 host.ssl_ctx = nil;
675d65036f31 certmanager, hostmanager, mod_tls: Move responsibility for creating per-host SSL contexts to mod_tls, meaning reloading certs is now as trivial as reloading mod_tls Matthew Wild <mwild1@gmail.com> parents: 3397 diff changeset	106 host.ssl_ctx_in = nil;
675d65036f31 certmanager, hostmanager, mod_tls: Move responsibility for creating per-host SSL contexts to mod_tls, meaning reloading certs is now as trivial as reloading mod_tls Matthew Wild <mwild1@gmail.com> parents: 3397 diff changeset	107 end

prosody

1b5a8e071a80

plugins/mod_tls.lua

Software / code / prosody

Annotate

plugins/mod_tls.lua @ 4157:1b5a8e071a80

Software `/` code `/` prosody