prosody
8fac32810144
plugins/mod_s2s.lua
Software / code / prosody
Comparison
plugins/mod_s2s.lua @ 12474:8fac32810144 0.12
mod_s2s: Improve robustness of outgoing s2s certificate verification
This change ensures we have positively verified the certificates of the server
we are connecting to before marking the session as authenticated. It protects
against situations where the verify-or-close stage of the connection was
interrupted (e.g. due to an uncaught error).
Thanks to Zash for discovery and testing.
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Mon, 25 Apr 2022 15:07:49 +0100 |
| parent | 12362:0fd58f54d653 |
| child | 12476:d8a6e03a7161 |
| child | 12679:7d4a95ba9b6c |
comparison
equal
deleted
inserted
replaced
| 12466:9ee41552bca0 | 12474:8fac32810144 |
|---|---|
| 347 text = "Encrypted server-to-server communication is required but was not " | 347 text = "Encrypted server-to-server communication is required but was not " |
| 348 ..((session.direction == "outgoing" and "offered") or "used") | 348 ..((session.direction == "outgoing" and "offered") or "used") |
| 349 }, nil, "Could not establish encrypted connection to remote server"); | 349 }, nil, "Could not establish encrypted connection to remote server"); |
| 350 end | 350 end |
| 351 end | 351 end |
| 352 | |
| 353 if session.type == "s2sout_unauthed" and not session.authenticated_remote and secure_auth and not insecure_domains[host] then | |
| 354 session:close({ | |
| 355 condition = "policy-violation"; | |
| 356 text = "Failed to verify certificate (internal error)"; | |
| 357 }); | |
| 358 return; | |
| 359 end | |
| 360 | |
| 352 if hosts[host] then | 361 if hosts[host] then |
| 353 session:close({ condition = "undefined-condition", text = "Attempt to authenticate as a host we serve" }); | 362 session:close({ condition = "undefined-condition", text = "Attempt to authenticate as a host we serve" }); |
| 354 end | 363 end |
| 355 if session.type == "s2sout_unauthed" then | 364 if session.type == "s2sout_unauthed" then |
| 356 session.type = "s2sout"; | 365 session.type = "s2sout"; |
| 529 session.streamid = attr.id; | 538 session.streamid = attr.id; |
| 530 | 539 |
| 531 if session.secure and not session.cert_chain_status then | 540 if session.secure and not session.cert_chain_status then |
| 532 if check_cert_status(session) == false then | 541 if check_cert_status(session) == false then |
| 533 return; | 542 return; |
| 543 else | |
| 544 session.authenticated_remote = true; | |
| 534 end | 545 end |
| 535 end | 546 end |
| 536 | 547 |
| 537 -- If server is pre-1.0, don't wait for features, just do dialback | 548 -- If server is pre-1.0, don't wait for features, just do dialback |
| 538 if session.version < 1.0 then | 549 if session.version < 1.0 then |
