mod_s2s: Improve robustness of outgoing s2s certificate verification This change ensures we have positively verified the certificates of the server we are connecting to before marking the session as authenticated. It protects against situations where the verify-or-close stage of the connection was interrupted (e.g. due to an uncaught error). Thanks to Zash for discovery and testing.

author: Matthew Wild <mwild1@gmail.com>
date: Mon, 25 Apr 2022 15:07:49 +0100
parent: 12362:0fd58f54d653
child: 12476:d8a6e03a7161
child: 12679:7d4a95ba9b6c
--- a/plugins/mod_s2s.lua	Wed Apr 13 18:46:11 2022 +0100
+++ b/plugins/mod_s2s.lua	Mon Apr 25 15:07:49 2022 +0100
@@ -349,6 +349,15 @@
 			}, nil, "Could not establish encrypted connection to remote server");
 		end
 	end
+
+	if session.type == "s2sout_unauthed" and not session.authenticated_remote and secure_auth and not insecure_domains[host] then
+		session:close({
+			condition = "policy-violation";
+			text = "Failed to verify certificate (internal error)";
+		});
+		return;
+	end
+
 	if hosts[host] then
 		session:close({ condition = "undefined-condition", text = "Attempt to authenticate as a host we serve" });
 	end
@@ -531,6 +540,8 @@
 		if session.secure and not session.cert_chain_status then
 			if check_cert_status(session) == false then
 				return;
+			else
+				session.authenticated_remote = true;
 			end
 		end
author	Matthew Wild <mwild1@gmail.com>
date	Mon, 25 Apr 2022 15:07:49 +0100
parent	12362:0fd58f54d653
child	12476:d8a6e03a7161
child	12679:7d4a95ba9b6c