author | Kim Alvefur <zash@zash.se> | 2023-11-13 09:50:06 +0100 |
---|---|---|
committer | Kim Alvefur <zash@zash.se> | 2023-11-13 09:50:06 +0100 |
commit | 8dcd20725a32473f27429ec81c7b6994ffb274fe (patch) | |
tree | 2ecaa24789a6f6f8866f5a8232ce10cbed8772d0 | |
parent | 5146db2da02de75a12fbf626f318e16b00683aae (diff) | |
download | prosody-8dcd20725a32473f27429ec81c7b6994ffb274fe.tar.gz prosody-8dcd20725a32473f27429ec81c7b6994ffb274fe.zip |
util.prosodyctl.check: Check cert for HTTPS if http module enabled
-rw-r--r-- | util/prosodyctl/check.lua | 16 |
1 files changed, 13 insertions, 3 deletions
diff --git a/util/prosodyctl/check.lua b/util/prosodyctl/check.lua index 7ba0ccd0..8e4a4dc5 100644 --- a/util/prosodyctl/check.lua +++ b/util/prosodyctl/check.lua @@ -313,6 +313,7 @@ local function check(arg) local set = require "prosody.util.set"; local it = require "prosody.util.iterators"; local ok = true; + local function contains_match(hayset, needle) for member in hayset do if member:find(needle) then return true end end end local function disabled_hosts(host, conf) return host ~= "*" and conf.enabled ~= false; end local function enabled_hosts() return it.filter(disabled_hosts, pairs(configmanager.getconfig())); end local checks = {}; @@ -973,9 +974,6 @@ local function check(arg) end local known_http_modules = set.new { "bosh"; "http_files"; "http_file_share"; "http_openmetrics"; "websocket" }; - local function contains_match(hayset, needle) - for member in hayset do if member:find(needle) then return true end end - end if modules:contains("http") or not set.intersection(modules, known_http_modules):empty() or contains_match(modules, "^http_") or contains_match(modules, "_web$") then @@ -1183,6 +1181,18 @@ local function check(arg) print(" Not valid for server-to-server connections to "..host..".") cert_ok = false end + + local known_http_modules = set.new { "bosh"; "http_files"; "http_file_share"; "http_openmetrics"; "websocket" }; + local http_loaded = modules:contains("http") + or not set.intersection(modules, known_http_modules):empty() + or contains_match(modules, "^http_") + or contains_match(modules, "_web$"); + + local http_host = api(host):get_option_string("http_host", host); + if http_loaded and not x509_verify_identity(http_host, nil, cert) then + print(" Not valid for HTTPS connections to "..host..".") + cert_ok = false + end if use_dane then if cert.pubkey then print(" DANE: TLSA 3 1 1 "..sha256(pem2der(cert:pubkey()), true)) |
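Review bot: The new HTTPS message in the last hunk names `host`, but the identity actually verified is `http_host`, which `api(host):get_option_string("http_host", host)` lets an admin set to a different name; when the two differ the printed line points the admin at the wrong hostname, so print the name that was checked: `print("    Not valid for HTTPS connections to "..http_host..".")`. The same `known_http_modules` set literal now appears twice inside check() (here and in the context of the second hunk), and since `contains_match` was hoisted to the top of check() in the first hunk, the set could be hoisted alongside it so the two module lists cannot drift apart. The check also verifies the `cert` bound earlier in the function, which presumably is the host's main TLS certificate; if a deployment serves HTTPS with a separately configured certificate this report would describe the wrong certificate, so a comment such as `-- NOTE: assumes HTTPS is served with the same certificate as the host's ssl config` would make that limitation explicit. check(arg) begins and ends outside the hunk.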