diff options
author | Kim Alvefur <zash@zash.se> | 2022-12-22 00:13:37 +0100 |
---|---|---|
committer | Kim Alvefur <zash@zash.se> | 2022-12-22 00:13:37 +0100 |
commit | 85ff75c53fe58cf16d51e01810712d8634d052c4 (patch) | |
tree | bf6f677f96cadf278f4b2d0c52deb8c16c407a18 /plugins/mod_s2s_auth_certs.lua | |
parent | d257416abe54466f66f6c92d95f48141e556fdb5 (diff) | |
download | prosody-85ff75c53fe58cf16d51e01810712d8634d052c4.tar.gz prosody-85ff75c53fe58cf16d51e01810712d8634d052c4.zip |
mod_s2s_auth_certs: Validate certificates against secure SRV targets
Secure delegation or "Mini-DANE"
As with the existing DANE support, only usable in one direction, client
certificate authentication will fail if this is relied on.
Diffstat (limited to 'plugins/mod_s2s_auth_certs.lua')
-rw-r--r-- | plugins/mod_s2s_auth_certs.lua | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/plugins/mod_s2s_auth_certs.lua b/plugins/mod_s2s_auth_certs.lua index bde3cb82..f917b116 100644 --- a/plugins/mod_s2s_auth_certs.lua +++ b/plugins/mod_s2s_auth_certs.lua @@ -12,6 +12,8 @@ module:hook("s2s-check-certificate", function(event) local conn = session.conn; local log = session.log or log; + local secure_hostname = conn.extra and conn.extra.secure_hostname; + if not cert then log("warn", "No certificate provided by %s", host or "unknown host"); return; @@ -45,6 +47,14 @@ module:hook("s2s-check-certificate", function(event) end log("debug", "certificate identity validation result: %s", session.cert_identity_status); end + + -- Check for DNSSEC-signed SRV hostname + if secure_hostname and session.cert_identity_status ~= "valid" then + if cert_verify_identity(secure_hostname, "xmpp-server", cert) then + module:log("info", "Secure SRV name delegation %q -> %q", secure_hostname, host); + session.cert_identity_status = "valid" + end + end end measure_cert_statuses:with_labels(session.cert_chain_status or "unknown", session.cert_identity_status or "unknown"):add(1); end, 509); |