
plugins/mod_s2s_auth_certs.lua @ 12816:02f8b10d73e8

mod_s2s_auth_certs: Validate certificates against secure SRV targets. Secure delegation, or "Mini-DANE". As with the existing DANE support, this is only usable in one direction: client certificate authentication will fail if it is relied on.
author Kim Alvefur <zash@zash.se>
date Thu, 22 Dec 2022 00:13:37 +0100
parent 12812:b2d422b88cd6
child 12977:74b9e05af71e
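--- a/plugins/mod_s2s_auth_certs.lua
+++ b/plugins/mod_s2s_auth_certs.lua
@@ -9,10 +9,12 @@
 
 module:hook("s2s-check-certificate", function(event)
 local session, host, cert = event.session, event.host, event.cert;
 local conn = session.conn;
 local log = session.log or log;
+
+local secure_hostname = conn.extra and conn.extra.secure_hostname;
 
 if not cert then
 log("warn", "No certificate provided by %s", host or "unknown host");
 return;
 end
@@ -43,9 +45,17 @@
 else
 session.cert_identity_status = "invalid"
 end
 log("debug", "certificate identity validation result: %s", session.cert_identity_status);
 end
+
+-- Check for DNSSEC-signed SRV hostname
+if secure_hostname and session.cert_identity_status ~= "valid" then
+if cert_verify_identity(secure_hostname, "xmpp-server", cert) then
+module:log("info", "Secure SRV name delegation %q -> %q", secure_hostname, host);
+session.cert_identity_status = "valid"
+end
+end
 end
 measure_cert_statuses:with_labels(session.cert_chain_status or "unknown", session.cert_identity_status or "unknown"):add(1);
 end, 509);
 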
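Review bot: The new delegation branch in the second hunk logs through `module:log` while every other message in this hook goes through the session-bound `log` set up by `local log = session.log or log;`, so the one message that records an identity being accepted on a delegated name is the one without the session context; prefer `log("info", "Secure SRV name delegation %q -> %q", secure_hostname, host);`. The branch also turns an already-computed "invalid" identity status into "valid" on the strength of the SRV target name alone, which is the intent of the commit but is not said at the call site; I would widen the comment to something like `-- A DNSSEC-secured SRV target is accepted as a delegated identity for 'host': a certificate naming the SRV target passes even if it does not name 'host'`. The `~= "valid"` guard also fires when the status is nil (no earlier identity check ran), which looks intended but is worth a word in that comment. Whether chain validity is established before this point cannot be seen here, because the `if` closed by the `end` that follows the new block starts outside the hunk.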