util/helpers.lua @ 13801:a5d5fefb8b68 13.0
mod_tls: Enable Prosody's certificate checking for incoming s2s connections (fixes #1916) (thanks Damian, Zash)
Various options in Prosody allow control over the behaviour of the certificate verification process. For example, some deployments choose to allow falling back to traditional "dialback" authentication (XEP-0220), while others verify via DANE, hard-coded fingerprints, or other custom plugins.

Implementing this flexibility requires us to override OpenSSL's default certificate verification, to allow Prosody to verify the certificate itself, apply custom policies and make decisions based on the outcome.

To enable our custom logic, we have to suppress OpenSSL's default behaviour of aborting the connection with a TLS alert message. With LuaSec, this can be achieved by using the verifyext "lsec_continue" flag.

We also need to use the lsec_ignore_purpose flag, because XMPP s2s uses server certificates as "client" certificates (for mutual TLS verification in outgoing s2s connections).

Commit 99d2100d2918 moved these settings out of the defaults and into mod_s2s, because we only really need these changes for s2s, and they should be opt-in, rather than automatically applied to all TLS services we offer.

That commit was incomplete, because it only added the flags for incoming direct TLS connections. StartTLS connections are handled by mod_tls, which was not applying the lsec_* flags. It previously worked because they were already in the defaults.

This resulted in incoming s2s connections with "invalid" certificates being aborted early by OpenSSL, even if settings such as `s2s_secure_auth = false` or DANE were present in the config.

Outgoing s2s connections inherit verify "none" from the defaults, which means OpenSSL will receive the cert but will not terminate the connection when it is deemed invalid. This means we don't need lsec_continue there, and we also don't need lsec_ignore_purpose (because the remote peer is a "server").

Wondering why we can't just use verify "none" for incoming s2s? It's because in that mode, OpenSSL won't request a certificate from the peer for incoming connections. Setting verify "peer" is how you ask OpenSSL to request a certificate from the client, but also what triggers its built-in verification.
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Tue, 01 Apr 2025 17:26:56 +0100 |
| parent | 12975:d10957394a3c |
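As an added example (not Prosody's own code, and not part of this page), the LuaSec context parameters below mirror the incoming and outgoing s2s verification behaviour the commit message describes, followed by a simplified post-handshake policy decision in the same spirit. The key and certificate paths, the `secure_auth` flag and the `decide_s2s_auth`/`wrap_incoming` helpers are assumptions, not Prosody APIs.

```lua
-- Added example, not Prosody code. Assumes LuaSec (the "ssl" module) and a
-- connected LuaSocket TCP socket; all file paths are placeholders.
local ssl = require "ssl";

-- Incoming s2s: "peer" makes OpenSSL request a certificate from the remote
-- server (acting as our TLS client). "lsec_continue" stops OpenSSL from
-- aborting the handshake with an alert when its own check fails, so the
-- application can decide; "lsec_ignore_purpose" accepts a *server*
-- certificate presented in the client role, which is what XMPP s2s does.
local incoming_s2s_params = {
	mode = "server",
	protocol = "any",
	key = "/placeholder/path/server.key",
	certificate = "/placeholder/path/server.crt",
	cafile = "/placeholder/path/ca-bundle.crt",
	verify = { "peer", "client_once" },
	verifyext = { "lsec_continue", "lsec_ignore_purpose" },
};

-- Outgoing s2s: as the TLS client we always receive the server's certificate.
-- verify "none" records the outcome without terminating the connection, so
-- neither lsec_* flag is needed here.
local outgoing_s2s_params = {
	mode = "client",
	protocol = "any",
	cafile = "/placeholder/path/ca-bundle.crt",
	verify = "none",
};

-- After the handshake, read the verification result that OpenSSL recorded
-- and turn it into an authentication decision. `secure_auth` stands in for
-- the s2s_secure_auth setting. Returns "cert", "dialback" or "reject", plus
-- the LuaSec error list when the chain did not verify.
local function decide_s2s_auth(conn, secure_auth)
	local chain_valid, errors = conn:getpeerverification();
	if chain_valid then
		-- Chain is trusted; a real deployment still matches the
		-- certificate against the claimed domain before trusting it.
		return "cert";
	end
	if secure_auth then
		-- Strict mode: an unverifiable peer is not allowed to proceed.
		return "reject", errors;
	end
	-- Lenient mode: the connection survives (thanks to lsec_continue) and
	-- identity is established through dialback (XEP-0220) instead.
	return "dialback", errors;
end

-- Wrap an accepted socket for incoming s2s and run the handshake. With the
-- parameters above, a failed chain check no longer ends the handshake; it
-- is surfaced through getpeerverification() in decide_s2s_auth.
local function wrap_incoming(sock)
	local ctx = assert(ssl.newcontext(incoming_s2s_params));
	local conn = assert(ssl.wrap(sock, ctx));
	assert(conn:dohandshake());
	return conn;
end

return {
	incoming_s2s_params = incoming_s2s_params;
	outgoing_s2s_params = outgoing_s2s_params;
	decide_s2s_auth = decide_s2s_auth;
	wrap_incoming = wrap_incoming;
};
```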
Changesets contributing to this file (the "lines" column gives the 1-based line numbers in the listing that follows):

| rev | changeset | author | summary | lines |
|---|---|---|---|---|
| 1531 | 21051377f11b | Matthew Wild <mwild1@gmail.com> | util.helpers: New util library to aid with debugging, etc. | 8, 11–12, 14, 16–23, 25, 40–43, 47–48 |
| 1795 | 0e933d6f2c31 | Matthew Wild <mwild1@gmail.com> | util.helpers: It would be a good idea to fire an event when we say we are | 24 |
| 1959 | f56670ce64de | Matthew Wild <mwild1@gmail.com> | util.helpers: Add get_upvalue(function, name) helper | 87–94 |
| 1964 | 101a8df23b29 | Matthew Wild <mwild1@gmail.com> | util.helpers: Add copyright header | 1, 5–7 |
| 2923 | b7049746bd29 | Matthew Wild <mwild1@gmail.com> | Update copyright headers for 2010 | 2–3 |
| 4536 | 285450536ec0 | Matthew Wild <mwild1@gmail.com> | util.helpers: After nearly 'fixing' this code, I conclude it instead only deserves a bigger smile | 45 |
| 4681 | 3299223bbed5 | Matthew Wild <mwild1@gmail.com> | util.helpers: Add show_events(), to show the events and handlers in a util.events object | 10, 58–60, 62, 71–74, 76–81, 83–85 |
| 4705 | 447f5a94792d | Matthew Wild <mwild1@gmail.com> | util.helpers: show_events(): Make more robust, and allow filtering results to a specific event | 63–67, 69–70, 75, 82 |
| 5776 | bd0ff8ae98a8 | Florian Zeitz <florob@babelmonkeys.de> | Remove all trailing whitespace | 4 |
| 6777 | 5de6b93d0190 | Kim Alvefur <zash@zash.se> | util.*: Remove use of module() function, make all module functions local and return them in a table at the end | 15, 44, 57, 86, 95–102 |
| 6783 | cd44427c7295 | Kim Alvefur <zash@zash.se> | util.helpers: Fix order of functions using each other [fixes 00412b36166f] | 49–56 |
| 7720 | 7166750fb963 | Kim Alvefur <zash@zash.se> | util.helpers: List event priorities instead of useless array index | 61 |
| 8411 | a9e8523a5e73 | Kim Alvefur <zash@zash.se> | util.helpers: Handle missing priorities, happens due to wildcard magic in net.http.server (fixes #1044) | 68 |
| 11059 | ad89e3cc67b6 | Matthew Wild <mwild1@gmail.com> | util.helpers: when logging events, log individual handler calls | 26–39, 46 |
| 12975 | d10957394a3c | Kim Alvefur <zash@zash.se> | util: Prefix module imports with prosody namespace | 9, 13 |

The annotated file, util/helpers.lua, as it stands at this revision:

```lua
-- Prosody IM
-- Copyright (C) 2008-2010 Matthew Wild
-- Copyright (C) 2008-2010 Waqas Hussain
--
-- This project is MIT/X11 licensed. Please see the
-- COPYING file in the source package for more information.
--

local debug = require "prosody.util.debug";

-- Helper functions for debugging

local log = require "prosody.util.logger".init("util.debug");

local function log_events(events, name, logger)
	local f = events.fire_event;
	if not f then
		error("Object does not appear to be a util.events object");
	end
	logger = logger or log;
	name = name or tostring(events);
	function events.fire_event(event, ...)
		logger("debug", "%s firing event: %s", name, event);
		return f(event, ...);
	end

	local function event_handler_hook(handler, event_name, event_data)
		logger("debug", "calling handler for %s: %s", event_name, handler);
		local ok, ret = pcall(handler, event_data);
		if not ok then
			logger("error", "error in event handler %s: %s", handler, ret);
			error(ret);
		end
		if ret ~= nil then
			logger("debug", "event chain ended for %s by %s with result: %s", event_name, handler, ret);
		end
		return ret;
	end
	events.set_debug_hook(event_handler_hook);
	events[events.fire_event] = f;
	return events;
end

local function revert_log_events(events)
	events.fire_event, events[events.fire_event] = events[events.fire_event], nil; -- :))
	events.set_debug_hook(nil);
end

local function log_host_events(host)
	return log_events(prosody.hosts[host].events, host);
end

local function revert_log_host_events(host)
	return revert_log_events(prosody.hosts[host].events);
end

local function show_events(events, specific_event)
	local event_handlers = events._handlers;
	local events_array = {};
	local event_handler_arrays = {};
	for event, priorities in pairs(events._event_map) do
		local handlers = event_handlers[event];
		if handlers and (event == specific_event or not specific_event) then
			table.insert(events_array, event);
			local handler_strings = {};
			for i, handler in ipairs(handlers) do
				local upvals = debug.string_from_var_table(debug.get_upvalues_table(handler));
				handler_strings[i] = "  "..(priorities[handler] or "?")..": "..tostring(handler)..(upvals and ("\n    "..upvals) or "");
			end
			event_handler_arrays[event] = handler_strings;
		end
	end
	table.sort(events_array);
	local i = 1;
	while i <= #events_array do
		local handlers = event_handler_arrays[events_array[i]];
		for j=#handlers, 1, -1 do
			table.insert(events_array, i+1, handlers[j]);
		end
		if i > 1 then events_array[i] = "\n"..events_array[i]; end
		i = i + #handlers + 1
	end
	return table.concat(events_array, "\n");
end

local function get_upvalue(f, get_name)
	local i, name, value = 0;
	repeat
		i = i + 1;
		name, value = debug.getupvalue(f, i);
	until name == get_name or name == nil;
	return value;
end

return {
	log_host_events = log_host_events;
	revert_log_host_events = revert_log_host_events;
	log_events = log_events;
	revert_log_events = revert_log_events;
	show_events = show_events;
	get_upvalue = get_upvalue;
};
```