diff options
author | Kim Alvefur <zash@zash.se> | 2014-08-29 02:24:49 +0200 |
---|---|---|
committer | Kim Alvefur <zash@zash.se> | 2014-08-29 02:24:49 +0200 |
commit | a2ce0553f814fac78f7113820bc12a30afa2b934 (patch) | |
tree | ea2f22c0704d6d9b8f693f989bd4942f0847dfd6 | |
parent | f475cd36580a041206e9dc16a828bbc8586f6fbe (diff) | |
download | prosody-a2ce0553f814fac78f7113820bc12a30afa2b934.tar.gz prosody-a2ce0553f814fac78f7113820bc12a30afa2b934.zip |
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
-rw-r--r-- | plugins/mod_s2s_auth_certs.lua | 61 |
1 files changed, 32 insertions, 29 deletions
diff --git a/plugins/mod_s2s_auth_certs.lua b/plugins/mod_s2s_auth_certs.lua index efc81130..dd0eb3cb 100644 --- a/plugins/mod_s2s_auth_certs.lua +++ b/plugins/mod_s2s_auth_certs.lua @@ -7,39 +7,42 @@ local log = module._log; module:hook("s2s-check-certificate", function(event) local session, host, cert = event.session, event.host, event.cert; local conn = session.conn:socket(); + local log = session.log or log; - if cert then - local log = session.log or log; - local chain_valid, errors; - if conn.getpeerverification then - chain_valid, errors = conn:getpeerverification(); - elseif conn.getpeerchainvalid then -- COMPAT mw/luasec-hg - chain_valid, errors = conn:getpeerchainvalid(); - errors = (not chain_valid) and { { errors } } or nil; - else - chain_valid, errors = false, { { "Chain verification not supported by this version of LuaSec" } }; + if not cert then + log("warn", "No certificate provided by %s", host or "unknown host"); + return; + end + + local chain_valid, errors; + if conn.getpeerverification then + chain_valid, errors = conn:getpeerverification(); + elseif conn.getpeerchainvalid then -- COMPAT mw/luasec-hg + chain_valid, errors = conn:getpeerchainvalid(); + errors = (not chain_valid) and { { errors } } or nil; + else + chain_valid, errors = false, { { "Chain verification not supported by this version of LuaSec" } }; + end + -- Is there any interest in printing out all/the number of errors here? + if not chain_valid then + log("debug", "certificate chain validation result: invalid"); + for depth, t in pairs(errors or NULL) do + log("debug", "certificate error(s) at depth %d: %s", depth-1, table.concat(t, ", ")) end - -- Is there any interest in printing out all/the number of errors here? - if not chain_valid then - log("debug", "certificate chain validation result: invalid"); - for depth, t in pairs(errors or NULL) do - log("debug", "certificate error(s) at depth %d: %s", depth-1, table.concat(t, ", ")) - end - session.cert_chain_status = "invalid"; - else - log("debug", "certificate chain validation result: valid"); - session.cert_chain_status = "valid"; + session.cert_chain_status = "invalid"; + else + log("debug", "certificate chain validation result: valid"); + session.cert_chain_status = "valid"; - -- We'll go ahead and verify the asserted identity if the - -- connecting server specified one. - if host then - if cert_verify_identity(host, "xmpp-server", cert) then - session.cert_identity_status = "valid" - else - session.cert_identity_status = "invalid" - end - log("debug", "certificate identity validation result: %s", session.cert_identity_status); + -- We'll go ahead and verify the asserted identity if the + -- connecting server specified one. + if host then + if cert_verify_identity(host, "xmpp-server", cert) then + session.cert_identity_status = "valid" + else + session.cert_identity_status = "invalid" end + log("debug", "certificate identity validation result: %s", session.cert_identity_status); end end end, 509); |