aboutsummaryrefslogtreecommitdiffstats
path: root/plugins/mod_s2s_auth_certs.lua
diff options
context:
space:
mode:
authorKim Alvefur <zash@zash.se>2022-12-22 00:13:37 +0100
committerKim Alvefur <zash@zash.se>2022-12-22 00:13:37 +0100
commit85ff75c53fe58cf16d51e01810712d8634d052c4 (patch)
treebf6f677f96cadf278f4b2d0c52deb8c16c407a18 /plugins/mod_s2s_auth_certs.lua
parentd257416abe54466f66f6c92d95f48141e556fdb5 (diff)
downloadprosody-85ff75c53fe58cf16d51e01810712d8634d052c4.tar.gz
prosody-85ff75c53fe58cf16d51e01810712d8634d052c4.zip
mod_s2s_auth_certs: Validate certificates against secure SRV targets
Secure delegation or "Mini-DANE" As with the existing DANE support, only usable in one direction, client certificate authentication will fail if this is relied on.
Diffstat (limited to 'plugins/mod_s2s_auth_certs.lua')
-rw-r--r--plugins/mod_s2s_auth_certs.lua10
1 files changed, 10 insertions, 0 deletions
diff --git a/plugins/mod_s2s_auth_certs.lua b/plugins/mod_s2s_auth_certs.lua
index bde3cb82..f917b116 100644
--- a/plugins/mod_s2s_auth_certs.lua
+++ b/plugins/mod_s2s_auth_certs.lua
@@ -12,6 +12,8 @@ module:hook("s2s-check-certificate", function(event)
local conn = session.conn;
local log = session.log or log;
+ local secure_hostname = conn.extra and conn.extra.secure_hostname;
+
if not cert then
log("warn", "No certificate provided by %s", host or "unknown host");
return;
@@ -45,6 +47,14 @@ module:hook("s2s-check-certificate", function(event)
end
log("debug", "certificate identity validation result: %s", session.cert_identity_status);
end
+
+ -- Check for DNSSEC-signed SRV hostname
+ if secure_hostname and session.cert_identity_status ~= "valid" then
+ if cert_verify_identity(secure_hostname, "xmpp-server", cert) then
+ module:log("info", "Secure SRV name delegation %q -> %q", secure_hostname, host);
+ session.cert_identity_status = "valid"
+ end
+ end
end
measure_cert_statuses:with_labels(session.cert_chain_status or "unknown", session.cert_identity_status or "unknown"):add(1);
end, 509);