diff options
author | Kim Alvefur <zash@zash.se> | 2017-07-07 21:04:30 +0200 |
---|---|---|
committer | Kim Alvefur <zash@zash.se> | 2017-07-07 21:04:30 +0200 |
commit | e605ac0987662ef14c3f0b642079a815961102e1 (patch) | |
tree | daa48db8f12d3f641179b7a02a609e61db26e604 | |
parent | cb0a2ffe81725c4457a999af5c03b91493629df5 (diff) | |
download | prosody-e605ac0987662ef14c3f0b642079a815961102e1.tar.gz prosody-e605ac0987662ef14c3f0b642079a815961102e1.zip |
net.http: Validate HTTPS certificates (fixes #659)
-rw-r--r-- | net/http.lua | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/net/http.lua b/net/http.lua index 756deaf4..eba050cd 100644 --- a/net/http.lua +++ b/net/http.lua @@ -11,6 +11,7 @@ local url = require "socket.url" local httpstream_new = require "net.http.parser".new; local util_http = require "util.http"; local events = require "util.events"; +local verify_identity = require"util.x509".verify_identity; local ssl_available = pcall(require, "ssl"); @@ -34,6 +35,26 @@ local listener = { default_port = 80, default_mode = "*a" }; function listener.onconnect(conn) local req = requests[conn]; + + -- Validate certificate + if conn:ssl() then + local sock = conn:socket(); + local chain_valid = sock.getpeerverification and sock:getpeerverification(); + if not chain_valid then + req.callback("certificate-chain-invalid", 0, req); + req.callback = nil; + conn:close(); + return; + end + local cert = sock.getpeercertificate and sock:getpeercertificate(); + if not cert or not verify_identity(req.host, false, cert) then + req.callback("certificate-verify-failed", 0, req); + req.callback = nil; + conn:close(); + return; + end + end + -- Send the request local request_line = { req.method or "GET", " ", req.path, " HTTP/1.1\r\n" }; if req.query then |