util/session.lua @ 10224:94e341dee51c
core.certmanager: Move EECDH ciphers before EDH in default cipherstring
The original intent of having kEDH before kEECDH was that if a `dhparam`
file was specified, this would be interpreted as a preference by the
admin for old and well-tested Diffie-Hellman key agreement over newer
elliptic curve ones. Otherwise the faster elliptic curve ciphersuites
would be preferred. This didn't really work as intended since this
affects the ClientHello on outgoing s2s connections, leading to some
servers using poorly configured kEDH.
With Debian shipping OpenSSL settings that enforce a higher security
level, this caused interoperability problems with servers that use DH
params smaller than 2048 bits. E.g. jabber.org at the time of this
writing has 1024 bit DH params.
MattJ says
> Curves have won, and OpenSSL is less weird about them now
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sun, 25 Aug 2019 20:22:35 +0200 |
parent | 10110:3fa3872588a8 |
child | 12640:999b1c59af6f |
-- util.session: builds a session table up step by step (see the
-- exported helpers at the bottom of the file).
local filters = require "util.filters";
local logger = require "util.logger";

-- Only the filter-chain constructor is needed from util.filters.
local initialize_filters = filters.initialize;
--- Create a bare session table of the given kind.
-- The session starts out unauthenticated: `type` carries an
-- "_unauthed" suffix, while `base_type` keeps the plain kind so that
-- set_id can build an id without that suffix.
-- @tparam string typ the connection kind (a short string)
-- @treturn table the new session
local function new_session(typ)
	return {
		type = typ .. "_unauthed";
		base_type = typ;
	};
end
--- Assign the session a human-readable identifier.
-- The id is `base_type` followed by the lower-cased hexadecimal
-- address taken from tostring(session). It exists to identify the
-- session in logs (set_logger names the logger after it); the address
-- is neither secret nor unguessable, so the id must not be used as an
-- authentication token or anywhere unpredictability is required.
-- @tparam table session session with a `base_type` field
-- @treturn table the same session, now carrying an `id`
local function set_id(session)
	-- tostring(session) ends in the table's address in hex.
	local addr = tostring(session):match("%x+$");
	session.id = session.base_type .. addr:lower();
	return session;
end
--- Attach a logger to the session, named after its id.
-- Call after set_id: `session.id` is passed to logger.init as the log
-- source name.
-- @tparam table session session with an `id` field
-- @treturn table the same session, with `session.log` set
local function set_logger(session)
	session.log = logger.init(session.id);
	return session;
end
--- Bind a connection to the session.
-- Stores the connection object and the peer address it reports right
-- now; `session.ip` is a snapshot and is not refreshed afterwards.
-- @tparam table session
-- @tparam table conn connection object providing an `ip()` method
-- @treturn table the same session
local function set_conn(session, conn)
	session.conn = conn;
	local peer_ip = conn:ip();
	session.ip = peer_ip;
	return session;
end
--- Install `session.send` on the session.
-- Without a connection attached, `send` only logs the discarded data
-- (at debug level, payload included) and returns false. With a
-- connection, anything carrying a `name` field is passed through the
-- session's "stanzas/out" filter, the serialised result through
-- "bytes/out", and what is left is written with the connection's write
-- method as captured at install time. A filter that returns nil drops
-- the data silently and `send` still returns true, so callers cannot
-- tell "filtered out" from "written".
-- @tparam table session session; `session.log` must already be set
-- @treturn table the same session
local function set_send(session)
	local conn = session.conn;
	if not conn then
		-- NOTE: the discarded payload is logged verbatim at debug level.
		session.send = function (data)
			session.log("debug", "Discarding data sent to unconnected session: %s", data);
			return false;
		end
		return session;
	end

	local filter = initialize_filters(session);
	-- Captured once: a later replacement of conn.write is not seen here.
	local write = conn.write;

	local function send(t)
		-- Values without a `name` field (e.g. raw strings) skip the
		-- stanza filter and go straight to the byte filter.
		if t.name then
			t = filter("stanzas/out", t);
		end
		if not t then return true; end
		t = filter("bytes/out", tostring(t));
		if not t then return true; end
		local ok, err = write(conn, t);
		if not ok then
			session.log("debug", "Error writing to connection: %s", err);
			return false, err;
		end
		return true;
	end
	session.send = send;
	return session;
end
--- Module exports.
-- A session is assembled by chaining the helpers, each of which
-- mutates and returns the session it is given: set_logger needs the
-- id from set_id, and set_send needs both the connection from set_conn
-- and the logger from set_logger.
return {
	new = new_session,
	set_id = set_id,
	set_logger = set_logger,
	set_conn = set_conn,
	set_send = set_send,
}