prosody
053417068957
plugins/mod_s2s_auth_certs.lua

Find changesets by keywords by author, files, the commit message, revision number or hash, or revset expression.

Software / code / prosody

File

plugins/mod_s2s_auth_certs.lua @ 12605:053417068957

doap: Update XEP versions for which no code changes appear needed XEP-0004: Partial forms are handled XEP-0045: We're already strict with GC 1.0 XEP-0060: Change in semantics wrt 'pubsub#type', but not in code XEP-0115: No protocol change XEP-0138: Specification moved to Obsolete XEP-0163: Editorial only change XEP-0215: Minor schema change XEP-0280: Editorial change XEP-0297: Had the wrong version number XEP-0106: Note missing piece for version 1.1 XEP-0313: Editorial change XEP-0363: Editorial clarification, no code change required XEP-0380: Registry additions, no code change needed XEP-0384: Not directly supported, only here because people will ask otherwise XEP-0445: Broken out of XEP-0401
author Kim Alvefur <zash@zash.se>
date Mon, 08 Aug 2022 20:33:44 +0200
parent 12480:7e9ebdc75ce4
child 12808:12bd40b8e105
line wrap: on
line source

module:set_global();

local cert_verify_identity = require "util.x509".verify_identity;
local NULL = {};
local log = module._log;

local measure_cert_statuses = module:metric("counter", "checked", "", "Certificate validation results",
	{ "chain"; "identity" })

module:hook("s2s-check-certificate", function(event)
	local session, host, cert = event.session, event.host, event.cert;
	local conn = session.conn;
	local log = session.log or log;

	if not cert then
		log("warn", "No certificate provided by %s", host or "unknown host");
		return;
	end

	local chain_valid, errors;
	if conn.ssl_peerverification then
		chain_valid, errors = conn:ssl_peerverification();
	else
		chain_valid, errors = false, { { "Chain verification not supported by this version of LuaSec" } };
	end
	-- Is there any interest in printing out all/the number of errors here?
	if not chain_valid then
		log("debug", "certificate chain validation result: invalid");
		for depth, t in pairs(errors or NULL) do
			log("debug", "certificate error(s) at depth %d: %s", depth-1, table.concat(t, ", "))
		end
		session.cert_chain_status = "invalid";
		session.cert_chain_errors = errors;
	else
		log("debug", "certificate chain validation result: valid");
		session.cert_chain_status = "valid";

		-- We'll go ahead and verify the asserted identity if the
		-- connecting server specified one.
		if host then
			if cert_verify_identity(host, "xmpp-server", cert) then
				session.cert_identity_status = "valid"
			else
				session.cert_identity_status = "invalid"
			end
			log("debug", "certificate identity validation result: %s", session.cert_identity_status);
		end
	end
	measure_cert_statuses:with_labels(session.cert_chain_status or "unknown", session.cert_identity_status or "unknown"):add(1);
end, 509);