aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorKim Alvefur <zash@zash.se>2022-08-02 19:26:26 +0200
committerKim Alvefur <zash@zash.se>2022-08-02 19:26:26 +0200
commita2f8218a63e2ebbe04d1a0fc2a235af59c34f515 (patch)
tree2e0b4ed511ab01d1f2c10acf9f205a57665e3e3e
parent79f4868b63ff6385bbc2290ba31361bcb7ce63b5 (diff)
downloadprosody-a2f8218a63e2ebbe04d1a0fc2a235af59c34f515.tar.gz
prosody-a2f8218a63e2ebbe04d1a0fc2a235af59c34f515.zip
mod_tls: Record STARTTLS state so it can be shown in Shell
This field can be viewed using s2s:show(nil, "... starttls") even without any special support in mod_admin_shell, which can be added later to make it nicer. One can then assume that a TLS connection with an empty / nil starttls field means Direct TLS.
-rw-r--r--plugins/mod_s2s.lua4
-rw-r--r--plugins/mod_tls.lua3
2 files changed, 6 insertions, 1 deletions
diff --git a/plugins/mod_s2s.lua b/plugins/mod_s2s.lua
index dd585ac7..ac3c8d4f 100644
--- a/plugins/mod_s2s.lua
+++ b/plugins/mod_s2s.lua
@@ -429,7 +429,8 @@ function stream_callbacks._streamopened(session, attr)
session.had_stream = true; -- Had a stream opened at least once
-- TODO: Rename session.secure to session.encrypted
- if session.secure == false then
+ if session.secure == false then -- Set by mod_tls during STARTTLS handshake
+ session.starttls = "completed";
session_secure(session);
end
@@ -750,6 +751,7 @@ local function initialize_session(session)
local w = conn.write;
if conn:ssl() then
+ -- Direct TLS was used
session_secure(session);
end
diff --git a/plugins/mod_tls.lua b/plugins/mod_tls.lua
index fc35b1d0..380effe3 100644
--- a/plugins/mod_tls.lua
+++ b/plugins/mod_tls.lua
@@ -128,6 +128,7 @@ end);
-- Hook <starttls/>
module:hook("stanza/urn:ietf:params:xml:ns:xmpp-tls:starttls", function(event)
local origin = event.origin;
+ origin.starttls = "requested";
if can_do_tls(origin) then
if origin.conn.block_reads then
-- we need to ensure that no data is read anymore, otherwise we could end up in a situation where
@@ -176,6 +177,7 @@ module:hook_tag("http://etherx.jabber.org/streams", "features", function (sessio
module:log("debug", "%s is not offering TLS", session.to_host);
return;
end
+ session.starttls = "initiated";
session.sends2s(starttls_initiate);
return true;
end
@@ -193,6 +195,7 @@ module:hook_tag(xmlns_starttls, "proceed", function (session, stanza) -- luachec
if session.type == "s2sout_unauthed" and can_do_tls(session) then
module:log("debug", "Proceeding with TLS on s2sout...");
session:reset_stream();
+ session.starttls = "proceeding"
session.conn:starttls(session.ssl_ctx, session.to_host);
session.secure = false;
return true;