prosodyctl @ 5657:7957f14038e8
prosodyctl: Add 'prosodyctl check certs' for validating TLS/SSL certificates
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Fri, 07 Jun 2013 20:59:43 +0200 |
parent | 5655:6d7f7548b2c9 |
child | 5723:24b6eb65480c |
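--- a/prosodyctl
+++ b/prosodyctl
@@ -1020,10 +1020,85 @@
 print("For more information about DNS configuration please see http://prosody.im/doc/dns");
 print("");
 ok = false;
 end
 end
+if not what or what == "certs" then
+local cert_ok;
+print"Checking certificates..."
+local x509_verify_identity = require"util.x509".verify_identity;
+local ssl = dependencies.softreq"ssl";
+-- local datetime_parse = require"util.datetime".parse_x509;
+local load_cert = ssl and ssl.x509 and ssl.x509.load;
+-- or ssl.cert_from_pem
+if not ssl then
+print("LuaSec not available, can't perform certificate checks")
+if what == "certs" then cert_ok = false end
+elseif not load_cert then
+print("This version of LuaSec (" .. ssl._VERSION .. ") does not support certificate checking");
+cert_ok = false
+else
+for host in pairs(hosts) do
+if host ~= "*" then -- Should check global certs too.
+print("Checking certificate for "..host);
+-- First, let's find out what certificate this host uses.
+local ssl_config = config.rawget(host, "ssl");
+if not ssl_config then
+local base_host = host:match("%.(.*)");
+ssl_config = config.get(base_host, "ssl");
+end
+if not ssl_config then
+print(" No 'ssl' option defined for "..host)
+cert_ok = false
+elseif not ssl_config.certificate then
+print(" No 'certificate' set in ssl option for "..host)
+cert_ok = false
+elseif not ssl_config.key then
+print(" No 'key' set in ssl option for "..host)
+cert_ok = false
+else
+local key, err = io.open(ssl_config.key); -- Permissions check only
+if not key then
+print(" Could not open "..ssl_config.key..": "..err);
+cert_ok = false
+else
+key:close();
+end
+local cert_fh, err = io.open(ssl_config.certificate); -- Load the file.
+if not cert_fh then
+print(" Could not open "..ssl_config.certificate..": "..err);
+cert_ok = false
+else
+print(" Certificate: "..ssl_config.certificate)
+local cert = load_cert(cert_fh:read"*a"); cert_fh = cert_fh:close();
+if not cert:validat(os.time()) then
+print(" Certificate has expired.")
+cert_ok = false
+end
+if config.get(host, "component_module") == nil
+and not x509_verify_identity(host, "_xmpp-client", cert) then
+print(" Not vaild for client connections to "..host..".")
+cert_ok = false
+end
+if (not (config.get(name, "anonymous_login")
+or config.get(name, "authentication") == "anonymous"))
+and not x509_verify_identity(host, "_xmpp-client", cert) then
+print(" Not vaild for server-to-server connections to "..host..".")
+cert_ok = false
+end
+end
+end
+end
+end
+if cert_ok == false then
+print("")
+print("For more information about certificates please see http://prosody.im/doc/certificates");
+ok = false
+end
+end
+print("")
+end
 if not ok then
 print("Problems found, see above.");
 else
 print("All checks passed, congratulations!");
 end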
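Review bot: The server-to-server check at new lines 1082-1084 does not test what its message claims: it reads `config.get(name, ...)` although the loop variable in this scope is `host` (so `name` resolves to a global, presumably nil, and the anonymous-host exemption never applies), and it calls `x509_verify_identity(host, "_xmpp-client", cert)` a second time, so a certificate carrying only a client-side SRVName would pass as valid for s2s. The lines should read `if (not (config.get(host, "anonymous_login")`, `or config.get(host, "authentication") == "anonymous"))` and `and not x509_verify_identity(host, "_xmpp-server", cert) then`; the two messages also misspell "valid" as "vaild". Separately, `load_cert` at line 1072 is used without a nil check, so an unparseable or non-PEM certificate file makes `cert:validat(os.time())` raise an "attempt to index a nil value" error instead of reporting a problem for that host; a `if not cert then print(" Could not parse "..ssl_config.certificate); cert_ok = false else ... end` guard would keep the check report intact. The key-file `io.open` on line 1059 only proves the file is readable by whoever runs prosodyctl (typically root), not by the prosody user, which the "Permissions check only" comment may be taken to promise. The enclosing `check` command body begins before this hunk and ends after it.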