Software / code / prosody
Annotate
plugins/mod_message.lua @ 13801:a5d5fefb8b68 13.0
mod_tls: Enable Prosody's certificate checking for incoming s2s connections (fixes #1916) (thanks Damian, Zash)
Various options in Prosody allow control over the behaviour of the certificate
verification process For example, some deployments choose to allow falling
back to traditional "dialback" authentication (XEP-0220), while others verify
via DANE, hard-coded fingerprints, or other custom plugins.
Implementing this flexibility requires us to override OpenSSL's default
certificate verification, to allow Prosody to verify the certificate itself,
apply custom policies and make decisions based on the outcome.
To enable our custom logic, we have to suppress OpenSSL's default behaviour of
aborting the connection with a TLS alert message. With LuaSec, this can be
achieved by using the verifyext "lsec_continue" flag.
We also need to use the lsec_ignore_purpose flag, because XMPP s2s uses server
certificates as "client" certificates (for mutual TLS verification in outgoing
s2s connections).
Commit 99d2100d2918 moved these settings out of the defaults and into mod_s2s,
because we only really need these changes for s2s, and they should be opt-in,
rather than automatically applied to all TLS services we offer.
That commit was incomplete, because it only added the flags for incoming
direct TLS connections. StartTLS connections are handled by mod_tls, which was
not applying the lsec_* flags. It previously worked because they were already
in the defaults.
This resulted in incoming s2s connections with "invalid" certificates being
aborted early by OpenSSL, even if settings such as `s2s_secure_auth = false`
or DANE were present in the config.
Outgoing s2s connections inherit verify "none" from the defaults, which means
OpenSSL will receive the cert but will not terminate the connection when it is
deemed invalid. This means we don't need lsec_continue there, and we also
don't need lsec_ignore_purpose (because the remote peer is a "server").
Wondering why we can't just use verify "none" for incoming s2s? It's because
in that mode, OpenSSL won't request a certificate from the peer for incoming
connections. Setting verify "peer" is how you ask OpenSSL to request a
certificate from the client, but also what triggers its built-in verification.
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Tue, 01 Apr 2025 17:26:56 +0100 |
| parent | 12977:74b9e05af71e |
| rev | line source |
|---|---|
|
1522
569d58d21612
Add copyright header to those files missing one
Matthew Wild <mwild1@gmail.com>
parents:
1423
diff
changeset
|
1 -- Prosody IM |
|
2923
b7049746bd29
Update copyright headers for 2010
Matthew Wild <mwild1@gmail.com>
parents:
1522
diff
changeset
|
2 -- Copyright (C) 2008-2010 Matthew Wild |
|
b7049746bd29
Update copyright headers for 2010
Matthew Wild <mwild1@gmail.com>
parents:
1522
diff
changeset
|
3 -- Copyright (C) 2008-2010 Waqas Hussain |
|
5776
bd0ff8ae98a8
Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
5370
diff
changeset
|
4 -- |
|
1522
569d58d21612
Add copyright header to those files missing one
Matthew Wild <mwild1@gmail.com>
parents:
1423
diff
changeset
|
5 -- This project is MIT/X11 licensed. Please see the |
|
569d58d21612
Add copyright header to those files missing one
Matthew Wild <mwild1@gmail.com>
parents:
1423
diff
changeset
|
6 -- COPYING file in the source package for more information. |
|
569d58d21612
Add copyright header to those files missing one
Matthew Wild <mwild1@gmail.com>
parents:
1423
diff
changeset
|
7 -- |
|
569d58d21612
Add copyright header to those files missing one
Matthew Wild <mwild1@gmail.com>
parents:
1423
diff
changeset
|
8 |
| 1232 | 9 |
|
5370
7838acadb0fa
mod_announce, mod_auth_anonymous, mod_c2s, mod_c2s, mod_component, mod_iq, mod_message, mod_presence, mod_tls: Access prosody.{hosts,bare_sessions,full_sessions} instead of the old globals
Kim Alvefur <zash@zash.se>
parents:
4965
diff
changeset
|
10 local full_sessions = prosody.full_sessions; |
|
7838acadb0fa
mod_announce, mod_auth_anonymous, mod_c2s, mod_c2s, mod_component, mod_iq, mod_message, mod_presence, mod_tls: Access prosody.{hosts,bare_sessions,full_sessions} instead of the old globals
Kim Alvefur <zash@zash.se>
parents:
4965
diff
changeset
|
11 local bare_sessions = prosody.bare_sessions; |
| 1232 | 12 |
|
12977
74b9e05af71e
plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents:
11815
diff
changeset
|
13 local st = require "prosody.util.stanza"; |
|
74b9e05af71e
plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents:
11815
diff
changeset
|
14 local jid_bare = require "prosody.util.jid".bare; |
|
74b9e05af71e
plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents:
11815
diff
changeset
|
15 local jid_split = require "prosody.util.jid".split; |
|
74b9e05af71e
plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents:
11815
diff
changeset
|
16 local user_exists = require "prosody.core.usermanager".user_exists; |
|
1274
50babb72edac
mod_message: mod_message now handles all cases
Waqas Hussain <waqas20@gmail.com>
parents:
1272
diff
changeset
|
17 |
|
1271
e78c161944ab
mod_message: Move bare JID processing to it's own function
Waqas Hussain <waqas20@gmail.com>
parents:
1234
diff
changeset
|
18 local function process_to_bare(bare, origin, stanza) |
|
1274
50babb72edac
mod_message: mod_message now handles all cases
Waqas Hussain <waqas20@gmail.com>
parents:
1272
diff
changeset
|
19 local user = bare_sessions[bare]; |
|
5776
bd0ff8ae98a8
Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
5370
diff
changeset
|
20 |
|
1272
28f9041d8c55
mod_message: Added code to handle error groupchat and headline messages to bare JID
Waqas Hussain <waqas20@gmail.com>
parents:
1271
diff
changeset
|
21 local t = stanza.attr.type; |
|
1275
850cf92b8ad4
mod_message: A little cleanup
Waqas Hussain <waqas20@gmail.com>
parents:
1274
diff
changeset
|
22 if t == "error" then |
|
7956
beaeafedc2d7
mod_message: Return early on messages of type error (silences empty if branch warning) [luacheck]
Kim Alvefur <zash@zash.se>
parents:
7718
diff
changeset
|
23 return true; -- discard |
|
1275
850cf92b8ad4
mod_message: A little cleanup
Waqas Hussain <waqas20@gmail.com>
parents:
1274
diff
changeset
|
24 elseif t == "groupchat" then |
|
11815
df1d3df2204a
mod_message: Fire event for groupchat messages sent to bare JID
Matthew Wild <mwild1@gmail.com>
parents:
11797
diff
changeset
|
25 local node, host = jid_split(bare); |
|
df1d3df2204a
mod_message: Fire event for groupchat messages sent to bare JID
Matthew Wild <mwild1@gmail.com>
parents:
11797
diff
changeset
|
26 if user_exists(node, host) then |
|
df1d3df2204a
mod_message: Fire event for groupchat messages sent to bare JID
Matthew Wild <mwild1@gmail.com>
parents:
11797
diff
changeset
|
27 if module:fire_event("message/bare/groupchat", { |
|
df1d3df2204a
mod_message: Fire event for groupchat messages sent to bare JID
Matthew Wild <mwild1@gmail.com>
parents:
11797
diff
changeset
|
28 origin = origin, stanza = stanza; |
|
df1d3df2204a
mod_message: Fire event for groupchat messages sent to bare JID
Matthew Wild <mwild1@gmail.com>
parents:
11797
diff
changeset
|
29 }) then |
|
df1d3df2204a
mod_message: Fire event for groupchat messages sent to bare JID
Matthew Wild <mwild1@gmail.com>
parents:
11797
diff
changeset
|
30 return true; |
|
df1d3df2204a
mod_message: Fire event for groupchat messages sent to bare JID
Matthew Wild <mwild1@gmail.com>
parents:
11797
diff
changeset
|
31 end |
|
df1d3df2204a
mod_message: Fire event for groupchat messages sent to bare JID
Matthew Wild <mwild1@gmail.com>
parents:
11797
diff
changeset
|
32 end |
|
df1d3df2204a
mod_message: Fire event for groupchat messages sent to bare JID
Matthew Wild <mwild1@gmail.com>
parents:
11797
diff
changeset
|
33 |
|
1272
28f9041d8c55
mod_message: Added code to handle error groupchat and headline messages to bare JID
Waqas Hussain <waqas20@gmail.com>
parents:
1271
diff
changeset
|
34 origin.send(st.error_reply(stanza, "cancel", "service-unavailable")); |
|
1275
850cf92b8ad4
mod_message: A little cleanup
Waqas Hussain <waqas20@gmail.com>
parents:
1274
diff
changeset
|
35 elseif t == "headline" then |
|
3408
e03fd9a16e19
mod_message: Discard headline messages sent to offline full JIDs (to follow latest spec updates).
Waqas Hussain <waqas20@gmail.com>
parents:
2923
diff
changeset
|
36 if user and stanza.attr.to == bare then |
|
1274
50babb72edac
mod_message: mod_message now handles all cases
Waqas Hussain <waqas20@gmail.com>
parents:
1272
diff
changeset
|
37 for _, session in pairs(user.sessions) do |
|
1272
28f9041d8c55
mod_message: Added code to handle error groupchat and headline messages to bare JID
Waqas Hussain <waqas20@gmail.com>
parents:
1271
diff
changeset
|
38 if session.presence and session.priority >= 0 then |
|
28f9041d8c55
mod_message: Added code to handle error groupchat and headline messages to bare JID
Waqas Hussain <waqas20@gmail.com>
parents:
1271
diff
changeset
|
39 session.send(stanza); |
|
28f9041d8c55
mod_message: Added code to handle error groupchat and headline messages to bare JID
Waqas Hussain <waqas20@gmail.com>
parents:
1271
diff
changeset
|
40 end |
|
28f9041d8c55
mod_message: Added code to handle error groupchat and headline messages to bare JID
Waqas Hussain <waqas20@gmail.com>
parents:
1271
diff
changeset
|
41 end |
|
1274
50babb72edac
mod_message: mod_message now handles all cases
Waqas Hussain <waqas20@gmail.com>
parents:
1272
diff
changeset
|
42 end -- current policy is to discard headlines if no recipient is available |
|
1275
850cf92b8ad4
mod_message: A little cleanup
Waqas Hussain <waqas20@gmail.com>
parents:
1274
diff
changeset
|
43 else -- chat or normal message |
|
850cf92b8ad4
mod_message: A little cleanup
Waqas Hussain <waqas20@gmail.com>
parents:
1274
diff
changeset
|
44 if user then -- some resources are connected |
|
1418
d14de6cb8b5b
mod_message, mod_presence: Maintain list of top resources. Less work in routing messages to bare JIDs. - #optimization
Waqas Hussain <waqas20@gmail.com>
parents:
1329
diff
changeset
|
45 local recipients = user.top_resources; |
|
d14de6cb8b5b
mod_message, mod_presence: Maintain list of top resources. Less work in routing messages to bare JIDs. - #optimization
Waqas Hussain <waqas20@gmail.com>
parents:
1329
diff
changeset
|
46 if recipients then |
|
4965
c1685f0441b7
mod_message: Don't treat a message as delivered ok if session.send() returns false
Matthew Wild <mwild1@gmail.com>
parents:
4759
diff
changeset
|
47 local sent; |
|
1275
850cf92b8ad4
mod_message: A little cleanup
Waqas Hussain <waqas20@gmail.com>
parents:
1274
diff
changeset
|
48 for i=1,#recipients do |
|
4965
c1685f0441b7
mod_message: Don't treat a message as delivered ok if session.send() returns false
Matthew Wild <mwild1@gmail.com>
parents:
4759
diff
changeset
|
49 sent = recipients[i].send(stanza) or sent; |
|
1275
850cf92b8ad4
mod_message: A little cleanup
Waqas Hussain <waqas20@gmail.com>
parents:
1274
diff
changeset
|
50 end |
|
4965
c1685f0441b7
mod_message: Don't treat a message as delivered ok if session.send() returns false
Matthew Wild <mwild1@gmail.com>
parents:
4759
diff
changeset
|
51 if sent then |
|
c1685f0441b7
mod_message: Don't treat a message as delivered ok if session.send() returns false
Matthew Wild <mwild1@gmail.com>
parents:
4759
diff
changeset
|
52 return true; |
|
c1685f0441b7
mod_message: Don't treat a message as delivered ok if session.send() returns false
Matthew Wild <mwild1@gmail.com>
parents:
4759
diff
changeset
|
53 end |
|
1274
50babb72edac
mod_message: mod_message now handles all cases
Waqas Hussain <waqas20@gmail.com>
parents:
1272
diff
changeset
|
54 end |
|
1272
28f9041d8c55
mod_message: Added code to handle error groupchat and headline messages to bare JID
Waqas Hussain <waqas20@gmail.com>
parents:
1271
diff
changeset
|
55 end |
|
1275
850cf92b8ad4
mod_message: A little cleanup
Waqas Hussain <waqas20@gmail.com>
parents:
1274
diff
changeset
|
56 -- no resources are online |
|
850cf92b8ad4
mod_message: A little cleanup
Waqas Hussain <waqas20@gmail.com>
parents:
1274
diff
changeset
|
57 local node, host = jid_split(bare); |
|
3970
0f9ab57a1aee
mod_message: Send service-unavailable if offline storage fails.
Robert Hoelz <rob@hoelz.ro>
parents:
3968
diff
changeset
|
58 local ok |
|
1275
850cf92b8ad4
mod_message: A little cleanup
Waqas Hussain <waqas20@gmail.com>
parents:
1274
diff
changeset
|
59 if user_exists(node, host) then |
|
3972
a05cf5d9c7ab
mod_message, mod_offline: Change message/offline/store -> message/offline/handle
Robert Hoelz <rob@hoelz.ro>
parents:
3970
diff
changeset
|
60 ok = module:fire_event('message/offline/handle', { |
|
11797
72a2b85c0537
mod_message: Clarify purpose of username field in offline message event
Kim Alvefur <zash@zash.se>
parents:
11482
diff
changeset
|
61 username = node, -- username of the recipient of the offline message |
|
72a2b85c0537
mod_message: Clarify purpose of username field in offline message event
Kim Alvefur <zash@zash.se>
parents:
11482
diff
changeset
|
62 origin = origin, -- the sender |
|
8139
4119cca64064
mod_message: Normalize indentation
Kim Alvefur <zash@zash.se>
parents:
8136
diff
changeset
|
63 stanza = stanza, |
|
3970
0f9ab57a1aee
mod_message: Send service-unavailable if offline storage fails.
Robert Hoelz <rob@hoelz.ro>
parents:
3968
diff
changeset
|
64 }); |
|
0f9ab57a1aee
mod_message: Send service-unavailable if offline storage fails.
Robert Hoelz <rob@hoelz.ro>
parents:
3968
diff
changeset
|
65 end |
|
0f9ab57a1aee
mod_message: Send service-unavailable if offline storage fails.
Robert Hoelz <rob@hoelz.ro>
parents:
3968
diff
changeset
|
66 |
|
0f9ab57a1aee
mod_message: Send service-unavailable if offline storage fails.
Robert Hoelz <rob@hoelz.ro>
parents:
3968
diff
changeset
|
67 if not ok then |
|
1275
850cf92b8ad4
mod_message: A little cleanup
Waqas Hussain <waqas20@gmail.com>
parents:
1274
diff
changeset
|
68 origin.send(st.error_reply(stanza, "cancel", "service-unavailable")); |
|
850cf92b8ad4
mod_message: A little cleanup
Waqas Hussain <waqas20@gmail.com>
parents:
1274
diff
changeset
|
69 end |
|
1274
50babb72edac
mod_message: mod_message now handles all cases
Waqas Hussain <waqas20@gmail.com>
parents:
1272
diff
changeset
|
70 end |
|
50babb72edac
mod_message: mod_message now handles all cases
Waqas Hussain <waqas20@gmail.com>
parents:
1272
diff
changeset
|
71 return true; |
|
1271
e78c161944ab
mod_message: Move bare JID processing to it's own function
Waqas Hussain <waqas20@gmail.com>
parents:
1234
diff
changeset
|
72 end |
|
e78c161944ab
mod_message: Move bare JID processing to it's own function
Waqas Hussain <waqas20@gmail.com>
parents:
1234
diff
changeset
|
73 |
|
e78c161944ab
mod_message: Move bare JID processing to it's own function
Waqas Hussain <waqas20@gmail.com>
parents:
1234
diff
changeset
|
74 module:hook("message/full", function(data) |
|
8728
41c959c5c84b
Fix spelling throughout the codebase [codespell]
Kim Alvefur <zash@zash.se>
parents:
8141
diff
changeset
|
75 -- message to full JID received |
|
1271
e78c161944ab
mod_message: Move bare JID processing to it's own function
Waqas Hussain <waqas20@gmail.com>
parents:
1234
diff
changeset
|
76 local origin, stanza = data.origin, data.stanza; |
|
5776
bd0ff8ae98a8
Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
5370
diff
changeset
|
77 |
|
1271
e78c161944ab
mod_message: Move bare JID processing to it's own function
Waqas Hussain <waqas20@gmail.com>
parents:
1234
diff
changeset
|
78 local session = full_sessions[stanza.attr.to]; |
|
4965
c1685f0441b7
mod_message: Don't treat a message as delivered ok if session.send() returns false
Matthew Wild <mwild1@gmail.com>
parents:
4759
diff
changeset
|
79 if session and session.send(stanza) then |
|
1271
e78c161944ab
mod_message: Move bare JID processing to it's own function
Waqas Hussain <waqas20@gmail.com>
parents:
1234
diff
changeset
|
80 return true; |
|
e78c161944ab
mod_message: Move bare JID processing to it's own function
Waqas Hussain <waqas20@gmail.com>
parents:
1234
diff
changeset
|
81 else -- resource not online |
|
e78c161944ab
mod_message: Move bare JID processing to it's own function
Waqas Hussain <waqas20@gmail.com>
parents:
1234
diff
changeset
|
82 return process_to_bare(jid_bare(stanza.attr.to), origin, stanza); |
|
e78c161944ab
mod_message: Move bare JID processing to it's own function
Waqas Hussain <waqas20@gmail.com>
parents:
1234
diff
changeset
|
83 end |
|
7718
c58075c4d375
mod_message, mod_carbons: Adjust event hook priorities to negative (core modules should do this to make overriding from other modules easier)
Kim Alvefur <zash@zash.se>
parents:
5776
diff
changeset
|
84 end, -1); |
|
1271
e78c161944ab
mod_message: Move bare JID processing to it's own function
Waqas Hussain <waqas20@gmail.com>
parents:
1234
diff
changeset
|
85 |
|
e78c161944ab
mod_message: Move bare JID processing to it's own function
Waqas Hussain <waqas20@gmail.com>
parents:
1234
diff
changeset
|
86 module:hook("message/bare", function(data) |
|
8728
41c959c5c84b
Fix spelling throughout the codebase [codespell]
Kim Alvefur <zash@zash.se>
parents:
8141
diff
changeset
|
87 -- message to bare JID received |
|
1271
e78c161944ab
mod_message: Move bare JID processing to it's own function
Waqas Hussain <waqas20@gmail.com>
parents:
1234
diff
changeset
|
88 local origin, stanza = data.origin, data.stanza; |
|
e78c161944ab
mod_message: Move bare JID processing to it's own function
Waqas Hussain <waqas20@gmail.com>
parents:
1234
diff
changeset
|
89 |
|
e78c161944ab
mod_message: Move bare JID processing to it's own function
Waqas Hussain <waqas20@gmail.com>
parents:
1234
diff
changeset
|
90 return process_to_bare(stanza.attr.to or (origin.username..'@'..origin.host), origin, stanza); |
|
7718
c58075c4d375
mod_message, mod_carbons: Adjust event hook priorities to negative (core modules should do this to make overriding from other modules easier)
Kim Alvefur <zash@zash.se>
parents:
5776
diff
changeset
|
91 end, -1); |
