prosody
84e7e418c29a
plugins/mod_s2s_auth_certs.lua
Software / code / prosody
Comparison
plugins/mod_s2s_auth_certs.lua @ 6373:84e7e418c29a
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Fri, 29 Aug 2014 02:24:49 +0200 |
| parent | 6320:17344d25a0f6 |
| child | 10226:77f900bbbf25 |
comparison
equal
deleted
inserted
replaced
| 6370:3cfbd3f2c658 | 6373:84e7e418c29a |
|---|---|
| 5 local log = module._log; | 5 local log = module._log; |
| 6 | 6 |
| 7 module:hook("s2s-check-certificate", function(event) | 7 module:hook("s2s-check-certificate", function(event) |
| 8 local session, host, cert = event.session, event.host, event.cert; | 8 local session, host, cert = event.session, event.host, event.cert; |
| 9 local conn = session.conn:socket(); | 9 local conn = session.conn:socket(); |
| 10 local log = session.log or log; | |
| 10 | 11 |
| 11 if cert then | 12 if not cert then |
| 12 local log = session.log or log; | 13 log("warn", "No certificate provided by %s", host or "unknown host"); |
| 13 local chain_valid, errors; | 14 return; |
| 14 if conn.getpeerverification then | 15 end |
| 15 chain_valid, errors = conn:getpeerverification(); | 16 |
| 16 elseif conn.getpeerchainvalid then -- COMPAT mw/luasec-hg | 17 local chain_valid, errors; |
| 17 chain_valid, errors = conn:getpeerchainvalid(); | 18 if conn.getpeerverification then |
| 18 errors = (not chain_valid) and { { errors } } or nil; | 19 chain_valid, errors = conn:getpeerverification(); |
| 19 else | 20 elseif conn.getpeerchainvalid then -- COMPAT mw/luasec-hg |
| 20 chain_valid, errors = false, { { "Chain verification not supported by this version of LuaSec" } }; | 21 chain_valid, errors = conn:getpeerchainvalid(); |
| 22 errors = (not chain_valid) and { { errors } } or nil; | |
| 23 else | |
| 24 chain_valid, errors = false, { { "Chain verification not supported by this version of LuaSec" } }; | |
| 25 end | |
| 26 -- Is there any interest in printing out all/the number of errors here? | |
| 27 if not chain_valid then | |
| 28 log("debug", "certificate chain validation result: invalid"); | |
| 29 for depth, t in pairs(errors or NULL) do | |
| 30 log("debug", "certificate error(s) at depth %d: %s", depth-1, table.concat(t, ", ")) | |
| 21 end | 31 end |
| 22 -- Is there any interest in printing out all/the number of errors here? | 32 session.cert_chain_status = "invalid"; |
| 23 if not chain_valid then | 33 else |
| 24 log("debug", "certificate chain validation result: invalid"); | 34 log("debug", "certificate chain validation result: valid"); |
| 25 for depth, t in pairs(errors or NULL) do | 35 session.cert_chain_status = "valid"; |
| 26 log("debug", "certificate error(s) at depth %d: %s", depth-1, table.concat(t, ", ")) | 36 |
| 37 -- We'll go ahead and verify the asserted identity if the | |
| 38 -- connecting server specified one. | |
| 39 if host then | |
| 40 if cert_verify_identity(host, "xmpp-server", cert) then | |
| 41 session.cert_identity_status = "valid" | |
| 42 else | |
| 43 session.cert_identity_status = "invalid" | |
| 27 end | 44 end |
| 28 session.cert_chain_status = "invalid"; | 45 log("debug", "certificate identity validation result: %s", session.cert_identity_status); |
| 29 else | |
| 30 log("debug", "certificate chain validation result: valid"); | |
| 31 session.cert_chain_status = "valid"; | |
| 32 | |
| 33 -- We'll go ahead and verify the asserted identity if the | |
| 34 -- connecting server specified one. | |
| 35 if host then | |
| 36 if cert_verify_identity(host, "xmpp-server", cert) then | |
| 37 session.cert_identity_status = "valid" | |
| 38 else | |
| 39 session.cert_identity_status = "invalid" | |
| 40 end | |
| 41 log("debug", "certificate identity validation result: %s", session.cert_identity_status); | |
| 42 end | |
| 43 end | 46 end |
| 44 end | 47 end |
| 45 end, 509); | 48 end, 509); |
| 46 | 49 |
