prosody
bad813103cd4
plugins/mod_s2s_auth_certs.lua

Find changesets by keywords by author, files, the commit message, revision number or hash, or revset expression.

Software / code / prosody

File

plugins/mod_s2s_auth_certs.lua @ 12352:bad813103cd4

prosody.cfg.lua.dist: Remove comment about mod_*.lua above modules_enabled This is a very old statement, but people generally don't need to check for the files, and shouldn't be encouraged to put them in Prosody's source dir. The installer will be the way forward for most people, and hg for the rest. Manually moving files into the right place is not something most users should be doing.
author Matthew Wild <mwild1@gmail.com>
date Thu, 03 Mar 2022 10:24:59 +0000
parent 11835:a405884c62f4
child 12480:7e9ebdc75ce4
line wrap: on
line source

module:set_global();

local cert_verify_identity = require "util.x509".verify_identity;
local NULL = {};
local log = module._log;

local measure_cert_statuses = module:metric("counter", "checked", "", "Certificate validation results",
	{ "chain"; "identity" })

module:hook("s2s-check-certificate", function(event)
	local session, host, cert = event.session, event.host, event.cert;
	local conn = session.conn:socket();
	local log = session.log or log;

	if not cert then
		log("warn", "No certificate provided by %s", host or "unknown host");
		return;
	end

	local chain_valid, errors;
	if conn.getpeerverification then
		chain_valid, errors = conn:getpeerverification();
	else
		chain_valid, errors = false, { { "Chain verification not supported by this version of LuaSec" } };
	end
	-- Is there any interest in printing out all/the number of errors here?
	if not chain_valid then
		log("debug", "certificate chain validation result: invalid");
		for depth, t in pairs(errors or NULL) do
			log("debug", "certificate error(s) at depth %d: %s", depth-1, table.concat(t, ", "))
		end
		session.cert_chain_status = "invalid";
		session.cert_chain_errors = errors;
	else
		log("debug", "certificate chain validation result: valid");
		session.cert_chain_status = "valid";

		-- We'll go ahead and verify the asserted identity if the
		-- connecting server specified one.
		if host then
			if cert_verify_identity(host, "xmpp-server", cert) then
				session.cert_identity_status = "valid"
			else
				session.cert_identity_status = "invalid"
			end
			log("debug", "certificate identity validation result: %s", session.cert_identity_status);
		end
	end
	measure_cert_statuses:with_labels(session.cert_chain_status or "unknown", session.cert_identity_status or "unknown"):add(1);
end, 509);