
12816:02f8b10d73e8

mod_s2s_auth_certs: Validate certificates against secure SRV targets Secure delegation or "Mini-DANE" As with the existing DANE support, only usable in one direction, client certificate authentication will fail if this is relied on.
author Kim Alvefur <zash@zash.se>
date Thu, 22 Dec 2022 00:13:37 +0100
parents 12815:2d134201dc55
children 12817:176fd3ea505c
files plugins/mod_s2s_auth_certs.lua
diffstat 1 files changed, 10 insertions(+), 0 deletions(-) [+]
--- a/plugins/mod_s2s_auth_certs.lua	Thu Dec 22 00:11:23 2022 +0100
+++ b/plugins/mod_s2s_auth_certs.lua	Thu Dec 22 00:13:37 2022 +0100
@@ -12,6 +12,8 @@
 	local conn = session.conn;
 	local log = session.log or log;
 
+	local secure_hostname = conn.extra and conn.extra.secure_hostname;
+
 	if not cert then
 		log("warn", "No certificate provided by %s", host or "unknown host");
 		return;
@@ -45,6 +47,14 @@
 			end
 			log("debug", "certificate identity validation result: %s", session.cert_identity_status);
 		end
+
+		-- Check for DNSSEC-signed SRV hostname
+		if secure_hostname and session.cert_identity_status ~= "valid" then
+			if cert_verify_identity(secure_hostname, "xmpp-server", cert) then
+				module:log("info", "Secure SRV name delegation %q -> %q", secure_hostname, host);
+				session.cert_identity_status = "valid"
+			end
+		end
 	end
 	measure_cert_statuses:with_labels(session.cert_chain_status or "unknown", session.cert_identity_status or "unknown"):add(1);
 end, 509);
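Review bot: The new log line uses `module:log("info", ...)` while every other message in this handler goes through the session-scoped `log` local (`local log = session.log or log;` at the top, then `log("warn", ...)` and `log("debug", ...)` in the surrounding checks), so the delegation event is the only one that will be emitted without the session's log context; `log("info", "Secure SRV name delegation %q -> %q", secure_hostname, host);` keeps it consistent. The assignment `session.cert_identity_status = "valid"` is also the only statement in the hunk without a trailing semicolon, unlike the rest of the file. Because this branch upgrades the identity status to "valid" on the strength of the SRV target name alone, the one-line comment deserves the caveat the commit message gives: `-- Check for DNSSEC-signed SRV hostname; as with DANE this only works in one direction, so a peer relying on it for client certificate authentication will fail`. The enclosing `if` block and the handler function both begin outside the hunk, so whether this branch is reached only after the chain status has been checked cannot be confirmed from here.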