plugins/mod_s2s/mod_s2s.lua @ 6319:92d009af6eba
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Fri, 25 Jul 2014 20:41:54 +0200 |
| parent | 6301:2fdd71b08126 |
| child | 6321:566c8e571108 |
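--- a/plugins/mod_s2s/mod_s2s.lua
+++ b/plugins/mod_s2s/mod_s2s.lua
@@ -241,43 +241,10 @@
 local cert
 if conn.getpeercertificate then
 cert = conn:getpeercertificate()
 end
 
-if cert then
-local chain_valid, errors;
-if conn.getpeerverification then
-chain_valid, errors = conn:getpeerverification();
-elseif conn.getpeerchainvalid then -- COMPAT mw/luasec-hg
-chain_valid, errors = conn:getpeerchainvalid();
-errors = (not chain_valid) and { { errors } } or nil;
-else
-chain_valid, errors = false, { { "Chain verification not supported by this version of LuaSec" } };
-end
--- Is there any interest in printing out all/the number of errors here?
-if not chain_valid then
-(session.log or log)("debug", "certificate chain validation result: invalid");
-for depth, t in pairs(errors or NULL) do
-(session.log or log)("debug", "certificate error(s) at depth %d: %s", depth-1, table.concat(t, ", "))
-end
-session.cert_chain_status = "invalid";
-else
-(session.log or log)("debug", "certificate chain validation result: valid");
-session.cert_chain_status = "valid";
-
--- We'll go ahead and verify the asserted identity if the
--- connecting server specified one.
-if host then
-if cert_verify_identity(host, "xmpp-server", cert) then
-session.cert_identity_status = "valid"
-else
-session.cert_identity_status = "invalid"
-end
-(session.log or log)("debug", "certificate identity validation result: %s", session.cert_identity_status);
-end
-end
-end
 return module:fire_event("s2s-check-certificate", { host = host, session = session, cert = cert });
 end
 
 --- XMPP stream event handlers
 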
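Review bot: After this change nothing in the function sets `session.cert_chain_status` or `session.cert_identity_status` before the `s2s-check-certificate` event is fired, so a deployment where the new mod_s2s_auth_certs plugin is not loaded will leave both fields nil, and any code that previously read "valid"/"invalid" from them now has to treat nil as unverified to stay fail-closed; whether the consumers do so is not visible in this hunk. The removed branch also covered the "LuaSec cannot verify chains" case by explicitly marking the chain invalid, and that explicit fail-closed marking has no visible replacement here. I would add a comment above the `fire_event` call making the new contract explicit, e.g. `-- PKIX chain and identity checks now live in "s2s-check-certificate" handlers (mod_s2s_auth_certs);` / `-- cert_chain_status/cert_identity_status stay nil unless such a handler runs, so consumers must treat nil as unverified.` The enclosing function's signature lies before line 241, outside this hunk.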