plugins/mod_s2s/mod_s2s.lua @ 5770:7722372aa087
Merge 0.9->trunk
author | Kim Alvefur <zash@zash.se> |
date | Tue, 06 Aug 2013 14:35:03 +0200 |
parent | 5764:969e0a054795 |
parent | 5769:f6ea5b3739c9 |
child | 5776:bd0ff8ae98a8 |
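--- a/plugins/mod_s2s/mod_s2s.lua
+++ b/plugins/mod_s2s/mod_s2s.lua
@@ -244,11 +244,11 @@
 chain_valid, errors = false, { { "Chain verification not supported by this version of LuaSec" } };
 end
 -- Is there any interest in printing out all/the number of errors here?
 if not chain_valid then
 (session.log or log)("debug", "certificate chain validation result: invalid");
-for depth, t in ipairs(errors or NULL) do
+for depth, t in pairs(errors or NULL) do
 (session.log or log)("debug", "certificate error(s) at depth %d: %s", depth-1, table.concat(t, ", "))
 end
 session.cert_chain_status = "invalid";
 else
 (session.log or log)("debug", "certificate chain validation result: valid");
@@ -260,10 +260,11 @@
 if cert_verify_identity(host, "xmpp-server", cert) then
 session.cert_identity_status = "valid"
 else
 session.cert_identity_status = "invalid"
 end
+(session.log or log)("debug", "certificate identity validation result: %s", session.cert_identity_status);
 end
 end
 end
 return module:fire_event("s2s-check-certificate", { host = host, session = session, cert = cert });
 end
@@ -656,11 +657,11 @@
 must_secure = true;
 elseif must_secure and insecure_domains[host] then
 must_secure = false;
 end
 
-if must_secure and not session.cert_identity_status then
+if must_secure and (session.cert_chain_status ~= "valid" or session.cert_identity_status ~= "valid") then
 module:log("warn", "Forbidding insecure connection to/from %s", host);
 if session.direction == "incoming" then
 session:close({ condition = "not-authorized", text = "Your server's certificate is invalid, expired, or not trusted by "..session.to_host });
 else -- Close outgoing connections without warning
 session:close(false);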
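Review bot: The warn log directly under the new condition still reports only "Forbidding insecure connection to/from %s", so once the check rejects on either the chain status or the identity status an operator cannot tell from the log which of the two failed. Both values are already on the session, so include them: `module:log("warn", "Forbidding insecure connection to/from %s (chain: %s, identity: %s)", host, tostring(session.cert_chain_status), tostring(session.cert_identity_status));`. The tostring() is needed because either field can still be nil when no certificate check ran at all, which the new condition now correctly treats as a failure rather than letting through as the old `not session.cert_identity_status` test did for an "invalid" status. The enclosing function starts before this hunk and continues after it.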