File

plugins/mod_s2s_auth_certs.lua @ 12828:f33887f925e1

net.server_epoll: Remove delay on last main loop iteration when quitting Main difference is that timers are not checked unconditionally before each poll, only when running out of previous poll results (hidden by util.poll). This removes a final poll at shutdown that usually delays the 'not quitting' condition check by one second.
author Kim Alvefur <zash@zash.se>
date Fri, 06 Jan 2023 04:38:39 +0100
parent 12816:02f8b10d73e8
child 12977:74b9e05af71e
line wrap: on
line source

module:set_global();

local cert_verify_identity = require "util.x509".verify_identity;
local NULL = {};
local log = module._log;

local measure_cert_statuses = module:metric("counter", "checked", "", "Certificate validation results",
	{ "chain"; "identity" })

module:hook("s2s-check-certificate", function(event)
	local session, host, cert = event.session, event.host, event.cert;
	local conn = session.conn;
	local log = session.log or log;

	local secure_hostname = conn.extra and conn.extra.secure_hostname;

	if not cert then
		log("warn", "No certificate provided by %s", host or "unknown host");
		return;
	end

	local chain_valid, errors;
	if conn.ssl_peerverification then
		chain_valid, errors = conn:ssl_peerverification();
	else
		chain_valid, errors = false, { { "Chain verification not supported by this version of LuaSec" } };
	end
	-- Is there any interest in printing out all/the number of errors here?
	if not chain_valid then
		log("debug", "certificate chain validation result: invalid");
		for depth, t in pairs(errors or NULL) do
			log("debug", "certificate error(s) at depth %d: %s", depth-1, table.concat(t, ", "))
		end
		session.cert_chain_status = "invalid";
		session.cert_chain_errors = errors;
	else
		log("debug", "certificate chain validation result: valid");
		session.cert_chain_status = "valid";

		-- We'll go ahead and verify the asserted identity if the
		-- connecting server specified one.
		if host then
			if cert_verify_identity(host, "xmpp-server", cert) then
				session.cert_identity_status = "valid"
			else
				session.cert_identity_status = "invalid"
			end
			log("debug", "certificate identity validation result: %s", session.cert_identity_status);
		end

		-- Check for DNSSEC-signed SRV hostname
		if secure_hostname and session.cert_identity_status ~= "valid" then
			if cert_verify_identity(secure_hostname, "xmpp-server", cert) then
				module:log("info", "Secure SRV name delegation %q -> %q", secure_hostname, host);
				session.cert_identity_status = "valid"
			end
		end
	end
	measure_cert_statuses:with_labels(session.cert_chain_status or "unknown", session.cert_identity_status or "unknown"):add(1);
end, 509);