
net/http.lua @ 8201:a0ad62a269df

Merge 0.10->trunk
author Kim Alvefur <zash@zash.se>
date Mon, 28 Aug 2017 21:05:12 +0200
parent 8121:a33a87f13155
parent 8200:e92585ab4998
child 8534:c071cabfa066
--- a/net/http.lua	Fri Jul 28 23:47:38 2017 +0100
+++ b/net/http.lua	Mon Aug 28 21:05:12 2017 +0200
@@ -11,6 +11,7 @@
 local httpstream_new = require "net.http.parser".new;
 local util_http = require "util.http";
 local events = require "util.events";
+local verify_identity = require"util.x509".verify_identity;
 
 local ssl_available = pcall(require, "ssl");
 
@@ -34,6 +35,26 @@
 
 function listener.onconnect(conn)
 	local req = requests[conn];
+
+	-- Validate certificate
+	if not req.insecure and conn:ssl() then
+		local sock = conn:socket();
+		local chain_valid = sock.getpeerverification and sock:getpeerverification();
+		if not chain_valid then
+			req.callback("certificate-chain-invalid", 0, req);
+			req.callback = nil;
+			conn:close();
+			return;
+		end
+		local cert = sock.getpeercertificate and sock:getpeercertificate();
+		if not cert or not verify_identity(req.host, false, cert) then
+			req.callback("certificate-verify-failed", 0, req);
+			req.callback = nil;
+			conn:close();
+			return;
+		end
+	end
+
 	-- Send the request
 	local request_line = { req.method or "GET", " ", req.path, " HTTP/1.1\r\n" };
 	if req.query then
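Review bot: The reason for a failed chain verification is thrown away at `local chain_valid = sock.getpeerverification and sock:getpeerverification();` — LuaSec's getpeerverification() returns, as far as I recall, a second value describing the failures (nested per chain depth in recent versions; worth confirming against the LuaSec in use) — so a rejected peer reaches the callback only as the opaque "certificate-chain-invalid" with nothing logged; capture that second value and log it with the `log` used elsewhere in this file before `conn:close()`, along with `req.host`, so operators can tell an expired cert from a missing trust store. The nil-guards on `sock.getpeerverification` and `sock.getpeercertificate` make a LuaSec without those methods fail closed, which is the right outcome but reads like an accident; a comment such as `-- a LuaSec without these accessors counts as a verification failure (fail closed)` would pin the intent. The `false` passed as the second argument of verify_identity is unexplained; a one-line comment stating what that argument is and why it does not apply to plain HTTPS would help the next reader. listener.onconnect's body continues past the end of the hunk.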
@@ -181,6 +202,7 @@
 				headers[k] = v;
 			end
 		end
+		req.insecure = ex.insecure;
 	end
 
 	log("debug", "Making %s %s request '%s' to %s", req.scheme:upper(), method or "GET", req.id, (ex and ex.suppress_url and host_header) or u);
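Review bot: `req.insecure = ex.insecure;` switches off both the chain and the identity check for this request (see onconnect) without leaving any trace in the log, so a caller that sets `insecure = true` on an https request is indistinguishable from a verified one afterwards. The debug line on the next line is the natural place to make this visible, e.g. after it add `if req.insecure then log("warn", "Request '%s' will not verify the server certificate (insecure=true)", req.id); end`. The assignment sits inside the `if ex` block whose start is outside the hunk, so a request with no `ex` leaves `req.insecure` nil and verification on, which is the correct default and deserves a short comment saying so.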
@@ -196,7 +218,7 @@
 
 	local sslctx = false;
 	if using_https then
-		sslctx = ex and ex.sslctx or { mode = "client", protocol = "sslv23", options = { "no_sslv2", "no_sslv3" } };
+		sslctx = ex and ex.sslctx or self.options and self.options.sslctx;
 	end
 
 	local handler, conn = server.addclient(host, port_number, listener, "*a", sslctx)
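Review bot: With the inline default removed, `sslctx = ex and ex.sslctx or self.options and self.options.sslctx;` yields nil for an https URL whenever the http object was created with `new()` and no `sslctx` option, and that nil is then passed to `server.addclient` on the last line, which presumably opens a plain TCP connection to the https port; the request can only fail later with whatever the TLS server sends back, and since `conn:ssl()` is false it never reaches the certificate checks in onconnect. Fail explicitly here instead, e.g. `if using_https and not sslctx then` followed by whatever early-error path `request` uses for unreachable hosts (the enclosing function starts outside the hunk, so I cannot quote it) and `return;`. A comment such as `-- no implicit default here: callers of new() must supply sslctx themselves; only default_http carries one` would record the behaviour change for callers.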
@@ -235,17 +257,19 @@
 			return new(setmetatable(new_options, { __index = options }));
 		end or new;
 		events = events.new();
-		request = request;
 	};
 	return http;
 end
 
-local default_http = new();
+local default_http = new({
+	sslctx = { mode = "client", protocol = "sslv23", options = { "no_sslv2", "no_sslv3" } };
+});
 
 return {
 	request = function (u, ex, callback)
 		return default_http:request(u, ex, callback);
 	end;
+	default = default_http;
 	new = new;
 	events = default_http.events;
 	-- COMPAT
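Review bot: The default context `sslctx = { mode = "client", protocol = "sslv23", options = { "no_sslv2", "no_sslv3" } };` pins protocol versions but sets neither `verify` nor a trust store (`cafile`/`capath`), so whether `getpeerverification()` in onconnect can succeed for requests made through default_http depends on what LuaSec and OpenSSL do with an unconfigured context — I would expect an unverifiable chain and therefore every default https request being rejected unless `insecure` is set; please confirm with a real request. Either the context should carry `verify = "peer"` and a platform trust store, or, if the newly exported `default` exists precisely so that the caller replaces `default.options.sslctx` with a certmanager-built context, that contract should be written here, e.g. `-- verification settings are expected to be supplied by whoever configures http.default.options.sslctx`. Exporting `default` also exposes `options` for mutation by any module, which is convenient but means a later `sslctx` swap silently changes what every default request trusts; a note to that effect next to `default = default_http;` would be worthwhile.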