Software / code / prosody
Changeset
12816:02f8b10d73e8
mod_s2s_auth_certs: Validate certificates against secure SRV targets
Secure delegation or "Mini-DANE"
As with the existing DANE support, only usable in one direction, client
certificate authentication will fail if this is relied on.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Thu, 22 Dec 2022 00:13:37 +0100 |
| parents | 12815:2d134201dc55 |
| children | 12817:176fd3ea505c |
| files | plugins/mod_s2s_auth_certs.lua |
| diffstat | 1 files changed, 10 insertions(+), 0 deletions(-) [+] |
line wrap: on
line diff
--- a/plugins/mod_s2s_auth_certs.lua Thu Dec 22 00:11:23 2022 +0100 +++ b/plugins/mod_s2s_auth_certs.lua Thu Dec 22 00:13:37 2022 +0100 @@ -12,6 +12,8 @@ local conn = session.conn; local log = session.log or log; + local secure_hostname = conn.extra and conn.extra.secure_hostname; + if not cert then log("warn", "No certificate provided by %s", host or "unknown host"); return; @@ -45,6 +47,14 @@ end log("debug", "certificate identity validation result: %s", session.cert_identity_status); end + + -- Check for DNSSEC-signed SRV hostname + if secure_hostname and session.cert_identity_status ~= "valid" then + if cert_verify_identity(secure_hostname, "xmpp-server", cert) then + module:log("info", "Secure SRV name delegation %q -> %q", secure_hostname, host); + session.cert_identity_status = "valid" + end + end end measure_cert_statuses:with_labels(session.cert_chain_status or "unknown", session.cert_identity_status or "unknown"):add(1); end, 509);
