aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorKim Alvefur <zash@zash.se>2017-07-07 21:04:30 +0200
committerKim Alvefur <zash@zash.se>2017-07-07 21:04:30 +0200
commite605ac0987662ef14c3f0b642079a815961102e1 (patch)
treedaa48db8f12d3f641179b7a02a609e61db26e604 /net
parentcb0a2ffe81725c4457a999af5c03b91493629df5 (diff)
downloadprosody-e605ac0987662ef14c3f0b642079a815961102e1.tar.gz
prosody-e605ac0987662ef14c3f0b642079a815961102e1.zip
net.http: Validate HTTPS certificates (fixes #659)
Diffstat (limited to 'net')
-rw-r--r--net/http.lua21
1 files changed, 21 insertions, 0 deletions
diff --git a/net/http.lua b/net/http.lua
index 756deaf4..eba050cd 100644
--- a/net/http.lua
+++ b/net/http.lua
@@ -11,6 +11,7 @@ local url = require "socket.url"
local httpstream_new = require "net.http.parser".new;
local util_http = require "util.http";
local events = require "util.events";
+local verify_identity = require"util.x509".verify_identity;
local ssl_available = pcall(require, "ssl");
@@ -34,6 +35,26 @@ local listener = { default_port = 80, default_mode = "*a" };
function listener.onconnect(conn)
local req = requests[conn];
+
+ -- Validate certificate
+ if conn:ssl() then
+ local sock = conn:socket();
+ local chain_valid = sock.getpeerverification and sock:getpeerverification();
+ if not chain_valid then
+ req.callback("certificate-chain-invalid", 0, req);
+ req.callback = nil;
+ conn:close();
+ return;
+ end
+ local cert = sock.getpeercertificate and sock:getpeercertificate();
+ if not cert or not verify_identity(req.host, false, cert) then
+ req.callback("certificate-verify-failed", 0, req);
+ req.callback = nil;
+ conn:close();
+ return;
+ end
+ end
+
-- Send the request
local request_line = { req.method or "GET", " ", req.path, " HTTP/1.1\r\n" };
if req.query then