plugins/mod_tls.lua @ 2932:d2816fb6c7ea
mod_tls: Add s2s_allow_encryption option which, when set to false, disables TLS for s2s
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Wed, 24 Mar 2010 20:00:22 +0000 |
| parent | 2923:b7049746bd29 |
| child | 2933:e68ff49fa79b |
| 2924:8dc4e2e00129 | 2932:d2816fb6c7ea |
|---|---|
| 14 local secure_auth_only = module:get_option("c2s_require_encryption") or module:get_option("require_encryption"); | 14 local secure_auth_only = module:get_option("c2s_require_encryption") or module:get_option("require_encryption"); |
| 15 local secure_s2s_only = module:get_option("s2s_require_encryption"); | 15 local secure_s2s_only = module:get_option("s2s_require_encryption"); |
| 16 | 16 |
| 17 local host = hosts[module.host]; | 17 local host = hosts[module.host]; |
| 18 | 18 |
| 19 local starttls_attr = { xmlns = xmlns_starttls }; | |
| 20 | |
| 21 --- Client-to-server TLS handling | |
| 19 module:add_handler("c2s_unauthed", "starttls", xmlns_starttls, | 22 module:add_handler("c2s_unauthed", "starttls", xmlns_starttls, |
| 20 function (session, stanza) | 23 function (session, stanza) |
| 21 if session.conn.starttls and host.ssl_ctx_in then | 24 if session.conn.starttls and host.ssl_ctx_in then |
| 22 session.send(st.stanza("proceed", { xmlns = xmlns_starttls })); | 25 session.send(st.stanza("proceed", starttls_attr)); |
| 23 session:reset_stream(); | 26 session:reset_stream(); |
| 24 if session.host and hosts[session.host].ssl_ctx_in then | 27 if session.host and hosts[session.host].ssl_ctx_in then |
| 25 session.conn.set_sslctx(hosts[session.host].ssl_ctx_in); | 28 session.conn.set_sslctx(hosts[session.host].ssl_ctx_in); |
| 26 end | 29 end |
| 27 session.conn.starttls(); | 30 session.conn.starttls(); |
| 28 session.log("info", "TLS negotiation started..."); | 31 session.log("info", "TLS negotiation started..."); |
| 29 session.secure = false; | 32 session.secure = false; |
| 30 else | 33 else |
| 31 session.log("warn", "Attempt to start TLS, but TLS is not available on this connection"); | 34 session.log("warn", "Attempt to start TLS, but TLS is not available on this connection"); |
| 32 (session.sends2s or session.send)(st.stanza("failure", { xmlns = xmlns_starttls })); | 35 (session.sends2s or session.send)(st.stanza("failure", starttls_attr)); |
| 33 session:close(); | |
| 34 end | |
| 35 end); | |
| 36 | |
| 37 module:add_handler("s2sin_unauthed", "starttls", xmlns_starttls, | |
| 38 function (session, stanza) | |
| 39 if session.conn.starttls and host.ssl_ctx_in then | |
| 40 session.sends2s(st.stanza("proceed", { xmlns = xmlns_starttls })); | |
| 41 session:reset_stream(); | |
| 42 if session.to_host and hosts[session.to_host].ssl_ctx_in then | |
| 43 session.conn.set_sslctx(hosts[session.to_host].ssl_ctx_in); | |
| 44 end | |
| 45 session.conn.starttls(); | |
| 46 session.log("info", "TLS negotiation started for incoming s2s..."); | |
| 47 session.secure = false; | |
| 48 else | |
| 49 session.log("warn", "Attempt to start TLS, but TLS is not available on this s2s connection"); | |
| 50 (session.sends2s or session.send)(st.stanza("failure", { xmlns = xmlns_starttls })); | |
| 51 session:close(); | 36 session:close(); |
| 52 end | 37 end |
| 53 end); | 38 end); |
| 54 | 39 |
| 55 | |
| 56 local starttls_attr = { xmlns = xmlns_starttls }; | |
| 57 module:add_event_hook("stream-features", | 40 module:add_event_hook("stream-features", |
| 58 function (session, features) | 41 function (session, features) |
| 59 if session.conn.starttls then | 42 if session.conn.starttls then |
| 60 features:tag("starttls", starttls_attr); | 43 features:tag("starttls", starttls_attr); |
| 61 if secure_auth_only then | 44 if secure_auth_only then |
| 63 else | 46 else |
| 64 features:up(); | 47 features:up(); |
| 65 end | 48 end |
| 66 end | 49 end |
| 67 end); | 50 end); |
| 51 --- | |
| 52 | |
| 53 -- Stop here if the user doesn't want to allow s2s encryption | |
| 54 if module:get_option("s2s_allow_encryption") == false then | |
| 55 return; | |
| 56 end | |
| 57 | |
| 58 --- Server-to-server TLS handling | |
| 59 module:add_handler("s2sin_unauthed", "starttls", xmlns_starttls, | |
| 60 function (session, stanza) | |
| 61 if session.conn.starttls and host.ssl_ctx_in then | |
| 62 session.sends2s(st.stanza("proceed", starttls_attr)); | |
| 63 session:reset_stream(); | |
| 64 if session.to_host and hosts[session.to_host].ssl_ctx_in then | |
| 65 session.conn.set_sslctx(hosts[session.to_host].ssl_ctx_in); | |
| 66 end | |
| 67 session.conn.starttls(); | |
| 68 session.log("info", "TLS negotiation started for incoming s2s..."); | |
| 69 session.secure = false; | |
| 70 else | |
| 71 session.log("warn", "Attempt to start TLS, but TLS is not available on this s2s connection"); | |
| 72 (session.sends2s or session.send)(st.stanza("failure", starttls_attr)); | |
| 73 session:close(); | |
| 74 end | |
| 75 end); | |
| 76 | |
| 68 | 77 |
| 69 module:hook("s2s-stream-features", | 78 module:hook("s2s-stream-features", |
| 70 function (data) | 79 function (data) |
| 71 local session, features = data.session, data.features; | 80 local session, features = data.session, data.features; |
| 72 if session.to_host and session.conn.starttls then | 81 if session.to_host and session.conn.starttls then |