
prosodyctl @ 5657:7957f14038e8

prosodyctl: Add 'prosodyctl check certs' for validating TLS/SSL certificates
author Kim Alvefur <zash@zash.se>
date Fri, 07 Jun 2013 20:59:43 +0200
parent 5655:6d7f7548b2c9
child 5723:24b6eb65480c
5656:576488cffc3a 5657:7957f14038e8
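--- a/prosodyctl
+++ b/prosodyctl
@@ -1020,10 +1020,85 @@
 print("For more information about DNS configuration please see http://prosody.im/doc/dns");
 print("");
 ok = false;
 end
 end
+if not what or what == "certs" then
+local cert_ok;
+print"Checking certificates..."
+local x509_verify_identity = require"util.x509".verify_identity;
+local ssl = dependencies.softreq"ssl";
+-- local datetime_parse = require"util.datetime".parse_x509;
+local load_cert = ssl and ssl.x509 and ssl.x509.load;
+-- or ssl.cert_from_pem
+if not ssl then
+print("LuaSec not available, can't perform certificate checks")
+if what == "certs" then cert_ok = false end
+elseif not load_cert then
+print("This version of LuaSec (" .. ssl._VERSION .. ") does not support certificate checking");
+cert_ok = false
+else
+for host in pairs(hosts) do
+if host ~= "*" then -- Should check global certs too.
+print("Checking certificate for "..host);
+-- First, let's find out what certificate this host uses.
+local ssl_config = config.rawget(host, "ssl");
+if not ssl_config then
+local base_host = host:match("%.(.*)");
+ssl_config = config.get(base_host, "ssl");
+end
+if not ssl_config then
+print(" No 'ssl' option defined for "..host)
+cert_ok = false
+elseif not ssl_config.certificate then
+print(" No 'certificate' set in ssl option for "..host)
+cert_ok = false
+elseif not ssl_config.key then
+print(" No 'key' set in ssl option for "..host)
+cert_ok = false
+else
+local key, err = io.open(ssl_config.key); -- Permissions check only
+if not key then
+print(" Could not open "..ssl_config.key..": "..err);
+cert_ok = false
+else
+key:close();
+end
+local cert_fh, err = io.open(ssl_config.certificate); -- Load the file.
+if not cert_fh then
+print(" Could not open "..ssl_config.certificate..": "..err);
+cert_ok = false
+else
+print(" Certificate: "..ssl_config.certificate)
+local cert = load_cert(cert_fh:read"*a"); cert_fh = cert_fh:close();
+if not cert:validat(os.time()) then
+print(" Certificate has expired.")
+cert_ok = false
+end
+if config.get(host, "component_module") == nil
+and not x509_verify_identity(host, "_xmpp-client", cert) then
+print(" Not vaild for client connections to "..host..".")
+cert_ok = false
+end
+if (not (config.get(name, "anonymous_login")
+or config.get(name, "authentication") == "anonymous"))
+and not x509_verify_identity(host, "_xmpp-client", cert) then
+print(" Not vaild for server-to-server connections to "..host..".")
+cert_ok = false
+end
+end
+end
+end
+end
+if cert_ok == false then
+print("")
+print("For more information about certificates please see http://prosody.im/doc/certificates");
+ok = false
+end
+end
+print("")
+end
 if not ok then
 print("Problems found, see above.");
 else
 print("All checks passed, congratulations!");
 end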
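Review bot: The server-to-server identity check (new line 1084) verifies the certificate against the `_xmpp-client` service, the same name the client check two blocks above already used, so the "Not vaild for server-to-server connections" message is printed for the wrong condition and a certificate that is only valid for s2s is never actually tested; it should read `and not x509_verify_identity(host, "_xmpp-server", cert) then` (and "vaild" is misspelled in both messages). The two `config.get(name, ...)` calls just above it (new lines 1082–1083) refer to `name`, which this hunk never defines while the loop variable is `host`; unless `name` exists in an outer scope those lookups return nil and the anonymous-host exemption never applies, so `config.get(host, "anonymous_login")` and `config.get(host, "authentication")` look intended. The result of `load_cert` at new line 1072 is also used unchecked: a file that is not a parseable PEM certificate yields nil and `cert:validat(os.time())` then raises instead of being reported like the other failures, so a guard such as `if not cert then print(" Could not parse "..ssl_config.certificate); cert_ok = false else ... end` would keep the check best-effort. Note too that `cert:validat` only reports the not-valid-at-this-time case, so the "Certificate has expired." message is also printed for a certificate whose notBefore is in the future. The enclosing check function starts before this hunk.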