Annotate

plugins/mod_s2s_auth_certs.lua @ 10399:270cb2821566

mod_ping: Remove ad-hoc command 17:27:40 <Ge0rG> Zash: the Ping thing is absolutely worthless 17:27:55 <Zash> The command provided by mod_ping? 17:27:59 <pep.> To own server? 17:28:14 <Ge0rG> the Ping command in mod_admin_web, whatever it maps to 17:28:29 <Ge0rG> > Pong > 2019-11-07T16:28:16Z What am I supposed to do with that result? 17:28:29 <Zash> Yeah, mod_ping provides that 17:28:41 <Ge0rG> Is it a ping to my own server? Where's the RTT? 17:28:48 <Zash> Dunno if it's useful for more than verifying that the adhoc command system works 17:29:02 <Ge0rG> (it lags, but there is no indication of how much) 17:29:14 <Zash> It can't really test that itself 17:29:52 <Zash> Anyone opposed to deleting it? 17:30:42 <Zash> Half the module 17:42:47 <MattJ> Zash, I'm fine with removing it
author Kim Alvefur <zash@zash.se>
date Thu, 07 Nov 2019 19:23:42 +0100
parent 10226:77f900bbbf25
child 10454:6c3fccb75b38
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
6319
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
1 module:set_global();
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
2
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
3 local cert_verify_identity = require "util.x509".verify_identity;
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
4 local NULL = {};
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
5 local log = module._log;
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
6
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
7 module:hook("s2s-check-certificate", function(event)
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
8 local session, host, cert = event.session, event.host, event.cert;
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
9 local conn = session.conn:socket();
6373
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
10 local log = session.log or log;
6319
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
11
6373
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
12 if not cert then
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
13 log("warn", "No certificate provided by %s", host or "unknown host");
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
14 return;
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
15 end
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
16
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
17 local chain_valid, errors;
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
18 if conn.getpeerverification then
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
19 chain_valid, errors = conn:getpeerverification();
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
20 else
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
21 chain_valid, errors = false, { { "Chain verification not supported by this version of LuaSec" } };
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
22 end
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
23 -- Is there any interest in printing out all/the number of errors here?
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
24 if not chain_valid then
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
25 log("debug", "certificate chain validation result: invalid");
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
26 for depth, t in pairs(errors or NULL) do
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
27 log("debug", "certificate error(s) at depth %d: %s", depth-1, table.concat(t, ", "))
6319
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
28 end
6373
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
29 session.cert_chain_status = "invalid";
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
30 else
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
31 log("debug", "certificate chain validation result: valid");
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
32 session.cert_chain_status = "valid";
6319
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
33
6373
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
34 -- We'll go ahead and verify the asserted identity if the
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
35 -- connecting server specified one.
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
36 if host then
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
37 if cert_verify_identity(host, "xmpp-server", cert) then
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
38 session.cert_identity_status = "valid"
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
39 else
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
40 session.cert_identity_status = "invalid"
6319
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
41 end
6373
84e7e418c29a mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
Kim Alvefur <zash@zash.se>
parents: 6320
diff changeset
42 log("debug", "certificate identity validation result: %s", session.cert_identity_status);
6319
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
43 end
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
44 end
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
45 end, 509);
92d009af6eba mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
Kim Alvefur <zash@zash.se>
parents:
diff changeset
46