plugins/mod_tls.lua @ 11120:b2331f3dfeea
Merge 0.11->trunk
author | Matthew Wild <mwild1@gmail.com> |
---|---|
date | Wed, 30 Sep 2020 09:50:33 +0100 |
parent | 10784:0b0fe73199d2 |
child | 11340:a7109eb45e30 |
11119:68df52bf08d5 | 11120:b2331f3dfeea |
---|---|
33 local hosts = prosody.hosts; | 33 local hosts = prosody.hosts; |
34 local host = hosts[module.host]; | 34 local host = hosts[module.host]; |
35 | 35 |
36 local ssl_ctx_c2s, ssl_ctx_s2sout, ssl_ctx_s2sin; | 36 local ssl_ctx_c2s, ssl_ctx_s2sout, ssl_ctx_s2sin; |
37 local ssl_cfg_c2s, ssl_cfg_s2sout, ssl_cfg_s2sin; | 37 local ssl_cfg_c2s, ssl_cfg_s2sout, ssl_cfg_s2sin; |
38 local err_c2s, err_s2sin, err_s2sout; | |
38 | 39 |
39 function module.load(reload) | 40 function module.load(reload) |
40 local NULL, err = {}; | 41 local NULL = {}; |
41 local modhost = module.host; | 42 local modhost = module.host; |
42 local parent = modhost:match("%.(.*)$"); | 43 local parent = modhost:match("%.(.*)$"); |
43 | 44 |
44 local parent_ssl = rawgetopt(parent, "ssl") or NULL; | 45 local parent_ssl = rawgetopt(parent, "ssl") or NULL; |
45 local host_ssl = rawgetopt(modhost, "ssl") or parent_ssl; | 46 local host_ssl = rawgetopt(modhost, "ssl") or parent_ssl; |
51 local global_s2s = rawgetopt("*", "s2s_ssl") or NULL; | 52 local global_s2s = rawgetopt("*", "s2s_ssl") or NULL; |
52 local parent_s2s = rawgetopt(parent, "s2s_ssl") or NULL; | 53 local parent_s2s = rawgetopt(parent, "s2s_ssl") or NULL; |
53 local host_s2s = rawgetopt(modhost, "s2s_ssl") or parent_s2s; | 54 local host_s2s = rawgetopt(modhost, "s2s_ssl") or parent_s2s; |
54 | 55 |
55 module:log("debug", "Creating context for c2s"); | 56 module:log("debug", "Creating context for c2s"); |
56 ssl_ctx_c2s, err, ssl_cfg_c2s = create_context(host.host, "server", host_c2s, host_ssl, global_c2s); -- for incoming client connections | 57 local request_client_certs = { verify = { "peer", "client_once", }; }; |
57 if not ssl_ctx_c2s then module:log("error", "Error creating context for c2s: %s", err); end | |
58 | 58 |
59 module:log("debug", "Creating context for s2sout"); | 59 module:log("debug", "Creating context for s2sout"); |
60 ssl_ctx_s2sout, err, ssl_cfg_s2sout = create_context(host.host, "client", host_s2s, host_ssl, global_s2s); -- for outgoing server connections | 60 ssl_ctx_c2s, err_c2s, ssl_cfg_c2s = create_context(host.host, "server", host_c2s, host_ssl, global_c2s); -- for incoming client connections |
61 if not ssl_ctx_s2sout then module:log("error", "Error creating contexts for s2sout: %s", err); end | 61 if not ssl_ctx_c2s then module:log("error", "Error creating context for c2s: %s", err_c2s); end |
62 | 62 |
63 module:log("debug", "Creating context for s2sin"); | 63 module:log("debug", "Creating context for s2sin"); |
64 ssl_ctx_s2sin, err, ssl_cfg_s2sin = create_context(host.host, "server", host_s2s, host_ssl, global_s2s); -- for incoming server connections | 64 -- for outgoing server connections |
65 if not ssl_ctx_s2sin then module:log("error", "Error creating contexts for s2sin: %s", err); end | 65 ssl_ctx_s2sout, err_s2sout, ssl_cfg_s2sout = create_context(host.host, "client", host_s2s, host_ssl, global_s2s, request_client_certs); |
66 if not ssl_ctx_s2sout then module:log("error", "Error creating contexts for s2sout: %s", err_s2sout); end | |
67 | |
68 -- for incoming server connections | |
69 ssl_ctx_s2sin, err_s2sin, ssl_cfg_s2sin = create_context(host.host, "server", host_s2s, host_ssl, global_s2s, request_client_certs); | |
70 if not ssl_ctx_s2sin then module:log("error", "Error creating contexts for s2sin: %s", err_s2sin); end | |
66 | 71 |
67 if reload then | 72 if reload then |
68 module:log("info", "Certificates reloaded"); | 73 module:log("info", "Certificates reloaded"); |
69 else | 74 else |
70 module:log("info", "Certificates loaded"); | 75 module:log("info", "Certificates loaded"); |
81 return false; | 86 return false; |
82 elseif session.ssl_ctx ~= nil then | 87 elseif session.ssl_ctx ~= nil then |
83 return session.ssl_ctx; | 88 return session.ssl_ctx; |
84 end | 89 end |
85 if session.type == "c2s_unauthed" then | 90 if session.type == "c2s_unauthed" then |
91 if not ssl_ctx_c2s and c2s_require_encryption then | |
92 session.log("error", "No TLS context available for c2s. Earlier error was: %s", err_c2s); | |
93 end | |
86 session.ssl_ctx = ssl_ctx_c2s; | 94 session.ssl_ctx = ssl_ctx_c2s; |
87 session.ssl_cfg = ssl_cfg_c2s; | 95 session.ssl_cfg = ssl_cfg_c2s; |
88 elseif session.type == "s2sin_unauthed" and allow_s2s_tls then | 96 elseif session.type == "s2sin_unauthed" and allow_s2s_tls then |
97 if not ssl_ctx_s2sin and s2s_require_encryption then | |
98 session.log("error", "No TLS context available for s2sin. Earlier error was: %s", err_s2sin); | |
99 end | |
89 session.ssl_ctx = ssl_ctx_s2sin; | 100 session.ssl_ctx = ssl_ctx_s2sin; |
90 session.ssl_cfg = ssl_cfg_s2sin; | 101 session.ssl_cfg = ssl_cfg_s2sin; |
91 elseif session.direction == "outgoing" and allow_s2s_tls then | 102 elseif session.direction == "outgoing" and allow_s2s_tls then |
103 if not ssl_ctx_s2sout and s2s_require_encryption then | |
104 session.log("error", "No TLS context available for s2sout. Earlier error was: %s", err_s2sout); | |
105 end | |
92 session.ssl_ctx = ssl_ctx_s2sout; | 106 session.ssl_ctx = ssl_ctx_s2sout; |
93 session.ssl_cfg = ssl_cfg_s2sout; | 107 session.ssl_cfg = ssl_cfg_s2sout; |
94 else | 108 else |
95 session.log("debug", "Unknown session type, don't know which TLS context to use"); | 109 session.log("debug", "Unknown session type, don't know which TLS context to use"); |
96 return false; | 110 return false; |
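Review bot: `request_client_certs` on new line 57 is the only security-relevant setting this change introduces and it carries no comment; something like `-- s2s only: ask the remote server for its certificate ("peer"), once per connection ("client_once"), so the peer cert is presumably available for authenticating the remote server` would tell a reader why s2sin and s2sout get it and c2s does not. Whether an unverifiable peer certificate aborts the handshake or merely leaves the certificate unverified depends on the verify/verifyext options that `create_context` merges from the host and global `ssl` config, which is outside this hunk, so it is worth confirming that the resulting behaviour for s2sin is the intended one. The same table is passed by reference to both the s2sout and s2sin `create_context` calls; if `create_context` ever writes into its argument tables, settings would leak between the two contexts, so either a fresh table per call or a stated no-mutation contract would be safer. The `c2s_require_encryption`, `s2s_require_encryption` and `allow_s2s_tls` upvalues read in the new error branches, and the start of the function that assigns `session.ssl_ctx`, are outside this hunk.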