authorKim Alvefur <zash@zash.se>2014-08-29 02:24:49 +0200
committerKim Alvefur <zash@zash.se>2014-08-29 02:24:49 +0200
commita2ce0553f814fac78f7113820bc12a30afa2b934 (patch)
treeea2f22c0704d6d9b8f693f989bd4942f0847dfd6
parentf475cd36580a041206e9dc16a828bbc8586f6fbe (diff)
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate)
-rw-r--r--plugins/mod_s2s_auth_certs.lua61
1 files changed, 32 insertions, 29 deletions
diff --git a/plugins/mod_s2s_auth_certs.lua b/plugins/mod_s2s_auth_certs.lua
index efc81130..dd0eb3cb 100644
--- a/plugins/mod_s2s_auth_certs.lua
+++ b/plugins/mod_s2s_auth_certs.lua
@@ -7,39 +7,42 @@ local log = module._log;
module:hook("s2s-check-certificate", function(event)
local session, host, cert = event.session, event.host, event.cert;
local conn = session.conn:socket();
+ local log = session.log or log;
- if cert then
- local log = session.log or log;
- local chain_valid, errors;
- if conn.getpeerverification then
- chain_valid, errors = conn:getpeerverification();
- elseif conn.getpeerchainvalid then -- COMPAT mw/luasec-hg
- chain_valid, errors = conn:getpeerchainvalid();
- errors = (not chain_valid) and { { errors } } or nil;
- else
- chain_valid, errors = false, { { "Chain verification not supported by this version of LuaSec" } };
+ if not cert then
+ log("warn", "No certificate provided by %s", host or "unknown host");
+ return;
+ end
+
+ local chain_valid, errors;
+ if conn.getpeerverification then
+ chain_valid, errors = conn:getpeerverification();
+ elseif conn.getpeerchainvalid then -- COMPAT mw/luasec-hg
+ chain_valid, errors = conn:getpeerchainvalid();
+ errors = (not chain_valid) and { { errors } } or nil;
+ else
+ chain_valid, errors = false, { { "Chain verification not supported by this version of LuaSec" } };
+ end
+ -- Is there any interest in printing out all/the number of errors here?
+ if not chain_valid then
+ log("debug", "certificate chain validation result: invalid");
+ for depth, t in pairs(errors or NULL) do
+ log("debug", "certificate error(s) at depth %d: %s", depth-1, table.concat(t, ", "))
end
- -- Is there any interest in printing out all/the number of errors here?
- if not chain_valid then
- log("debug", "certificate chain validation result: invalid");
- for depth, t in pairs(errors or NULL) do
- log("debug", "certificate error(s) at depth %d: %s", depth-1, table.concat(t, ", "))
- end
- session.cert_chain_status = "invalid";
- else
- log("debug", "certificate chain validation result: valid");
- session.cert_chain_status = "valid";
+ session.cert_chain_status = "invalid";
+ else
+ log("debug", "certificate chain validation result: valid");
+ session.cert_chain_status = "valid";
- -- We'll go ahead and verify the asserted identity if the
- -- connecting server specified one.
- if host then
- if cert_verify_identity(host, "xmpp-server", cert) then
- session.cert_identity_status = "valid"
- else
- session.cert_identity_status = "invalid"
- end
- log("debug", "certificate identity validation result: %s", session.cert_identity_status);
+ -- We'll go ahead and verify the asserted identity if the
+ -- connecting server specified one.
+ if host then
+ if cert_verify_identity(host, "xmpp-server", cert) then
+ session.cert_identity_status = "valid"
+ else
+ session.cert_identity_status = "invalid"
end
+ log("debug", "certificate identity validation result: %s", session.cert_identity_status);
end
end
end, 509);
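Review bot: The early return added at the top of the hook leaves both `session.cert_chain_status` and `session.cert_identity_status` unset when no certificate is presented, so anything downstream that reads them sees nil rather than an explicit "invalid"; that matches the previous `if cert then` behaviour, but it is now the first branch a reader meets, so it deserves a comment such as `-- No cert: leave cert_chain_status/cert_identity_status nil; consumers must treat nil as unverified (TODO confirm against mod_s2s/dialback)`. Note also that the new "warn" line is emitted once per inbound connection and is entirely under the remote peer's control, so on a busy server a peer that never sends a certificate will produce a warn entry per session; if that proves noisy, "info" with the same text would keep the signal without the alerting cost. The `NULL` fallback in the `pairs(errors or NULL)` loop is defined outside the hunk and is unchanged here.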