plugins/mod_tls.lua @ 9740:4b34687ede3f
mod_tls: Keep TLS context errors and repeat them again for each session
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Fri, 28 Dec 2018 00:04:26 +0100 |
| parent | 8131:c8e3a0caa0a9 |
| child | 9854:115b5e32d960 |
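--- a/plugins/mod_tls.lua
+++ b/plugins/mod_tls.lua
@@ -33,13 +33,14 @@
 local hosts = prosody.hosts;
 local host = hosts[module.host];
 
 local ssl_ctx_c2s, ssl_ctx_s2sout, ssl_ctx_s2sin;
 local ssl_cfg_c2s, ssl_cfg_s2sout, ssl_cfg_s2sin;
+local err_c2s, err_s2sin, err_s2sout;
 
 function module.load()
-local NULL, err = {};
+local NULL = {};
 local modhost = module.host;
 local parent = modhost:match("%.(.*)$");
 
 local parent_ssl = rawgetopt(parent, "ssl") or NULL;
 local host_ssl = rawgetopt(modhost, "ssl") or parent_ssl;
@@ -50,18 +51,18 @@
 
 local global_s2s = rawgetopt("*", "s2s_ssl") or NULL;
 local parent_s2s = rawgetopt(parent, "s2s_ssl") or NULL;
 local host_s2s = rawgetopt(modhost, "s2s_ssl") or parent_s2s;
 
-ssl_ctx_c2s, err, ssl_cfg_c2s = create_context(host.host, "server", host_c2s, host_ssl, global_c2s); -- for incoming client connections
-if not ssl_ctx_c2s then module:log("error", "Error creating context for c2s: %s", err); end
+ssl_ctx_c2s, err_c2s, ssl_cfg_c2s = create_context(host.host, "server", host_c2s, host_ssl, global_c2s); -- for incoming client connections
+if not ssl_ctx_c2s then module:log("error", "Error creating context for c2s: %s", err_c2s); end
 
-ssl_ctx_s2sout, err, ssl_cfg_s2sout = create_context(host.host, "client", host_s2s, host_ssl, global_s2s); -- for outgoing server connections
-if not ssl_ctx_s2sout then module:log("error", "Error creating contexts for s2sout: %s", err); end
+ssl_ctx_s2sout, err_s2sout, ssl_cfg_s2sout = create_context(host.host, "client", host_s2s, host_ssl, global_s2s); -- for outgoing server connections
+if not ssl_ctx_s2sout then module:log("error", "Error creating contexts for s2sout: %s", err_s2sout); end
 
-ssl_ctx_s2sin, err, ssl_cfg_s2sin = create_context(host.host, "server", host_s2s, host_ssl, global_s2s); -- for incoming server connections
-if not ssl_ctx_s2sin then module:log("error", "Error creating contexts for s2sin: %s", err); end
+ssl_ctx_s2sin, err_s2sin, ssl_cfg_s2sin = create_context(host.host, "server", host_s2s, host_ssl, global_s2s); -- for incoming server connections
+if not ssl_ctx_s2sin then module:log("error", "Error creating contexts for s2sin: %s", err_s2sin); end
 end
 
 module:hook_global("config-reloaded", module.load);
 
 local function can_do_tls(session)
@@ -72,16 +73,25 @@
 return false;
 elseif session.ssl_ctx ~= nil then
 return session.ssl_ctx;
 end
 if session.type == "c2s_unauthed" then
+if not ssl_ctx_c2s and c2s_require_encryption then
+session.log("error", "No TLS context available for c2s. Earlier error was: %s", err_c2s);
+end
 session.ssl_ctx = ssl_ctx_c2s;
 session.ssl_cfg = ssl_cfg_c2s;
 elseif session.type == "s2sin_unauthed" and allow_s2s_tls then
+if not ssl_ctx_s2sin and s2s_require_encryption then
+session.log("error", "No TLS context available for s2sin. Earlier error was: %s", err_s2sin);
+end
 session.ssl_ctx = ssl_ctx_s2sin;
 session.ssl_cfg = ssl_cfg_s2sin;
 elseif session.direction == "outgoing" and allow_s2s_tls then
+if not ssl_ctx_s2sout and s2s_require_encryption then
+session.log("error", "No TLS context available for s2sout. Earlier error was: %s", err_s2sout);
+end
 session.ssl_ctx = ssl_ctx_s2sout;
 session.ssl_cfg = ssl_cfg_s2sout;
 else
 session.log("debug", "Unknown session type, don't know which TLS context to use");
 return false;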
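Review bot: The new checks in can_do_tls (new lines 78-92) only re-report a missing TLS context when the matching *_require_encryption option is set, so when encryption is merely optional a broken certificate or key configuration is mentioned once at load time and then, presumably, every session is handed a nil session.ssl_ctx with no further trace in the session log. Since session.ssl_ctx is assigned from the nil context regardless of the option, I would log whenever the context is absent and only vary the level, e.g. `if not ssl_ctx_c2s then session.log(c2s_require_encryption and "error" or "warn", "No TLS context available for c2s. Earlier error was: %s", err_c2s); end`, with the same shape in the s2sin and s2sout branches. If create_context can fail without returning a message, err_c2s and friends are nil at the `%s` here; worth confirming the session logger tolerates that rather than raising. can_do_tls's body continues past the end of the hunk, so what is ultimately returned when ssl_ctx ends up nil is not visible from this change.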