File

plugins/mod_s2s_auth_certs.lua @ 10399:270cb2821566

mod_ping: Remove ad-hoc command 17:27:40 <Ge0rG> Zash: the Ping thing is absolutely worthless 17:27:55 <Zash> The command provided by mod_ping? 17:27:59 <pep.> To own server? 17:28:14 <Ge0rG> the Ping command in mod_admin_web, whatever it maps to 17:28:29 <Ge0rG> > Pong > 2019-11-07T16:28:16Z What am I supposed to do with that result? 17:28:29 <Zash> Yeah, mod_ping provides that 17:28:41 <Ge0rG> Is it a ping to my own server? Where's the RTT? 17:28:48 <Zash> Dunno if it's useful for more than verifying that the adhoc command system works 17:29:02 <Ge0rG> (it lags, but there is no indication of how much) 17:29:14 <Zash> It can't really test that itself 17:29:52 <Zash> Anyone opposed to deleting it? 17:30:42 <Zash> Half the module 17:42:47 <MattJ> Zash, I'm fine with removing it
author Kim Alvefur <zash@zash.se>
date Thu, 07 Nov 2019 19:23:42 +0100
parent 10226:77f900bbbf25
child 10454:6c3fccb75b38
line wrap: on
line source

module:set_global();

local cert_verify_identity = require "util.x509".verify_identity;
local NULL = {};
local log = module._log;

module:hook("s2s-check-certificate", function(event)
	local session, host, cert = event.session, event.host, event.cert;
	local conn = session.conn:socket();
	local log = session.log or log;

	if not cert then
		log("warn", "No certificate provided by %s", host or "unknown host");
		return;
	end

	local chain_valid, errors;
	if conn.getpeerverification then
		chain_valid, errors = conn:getpeerverification();
	else
		chain_valid, errors = false, { { "Chain verification not supported by this version of LuaSec" } };
	end
	-- Is there any interest in printing out all/the number of errors here?
	if not chain_valid then
		log("debug", "certificate chain validation result: invalid");
		for depth, t in pairs(errors or NULL) do
			log("debug", "certificate error(s) at depth %d: %s", depth-1, table.concat(t, ", "))
		end
		session.cert_chain_status = "invalid";
	else
		log("debug", "certificate chain validation result: valid");
		session.cert_chain_status = "valid";

		-- We'll go ahead and verify the asserted identity if the
		-- connecting server specified one.
		if host then
			if cert_verify_identity(host, "xmpp-server", cert) then
				session.cert_identity_status = "valid"
			else
				session.cert_identity_status = "invalid"
			end
			log("debug", "certificate identity validation result: %s", session.cert_identity_status);
		end
	end
end, 509);