aboutsummaryrefslogtreecommitdiffstats
path: root/plugins/mod_s2s_auth_certs.lua
diff options
context:
space:
mode:
Diffstat (limited to 'plugins/mod_s2s_auth_certs.lua')
-rw-r--r--plugins/mod_s2s_auth_certs.lua10
1 files changed, 10 insertions, 0 deletions
diff --git a/plugins/mod_s2s_auth_certs.lua b/plugins/mod_s2s_auth_certs.lua
index bde3cb82..f917b116 100644
--- a/plugins/mod_s2s_auth_certs.lua
+++ b/plugins/mod_s2s_auth_certs.lua
@@ -12,6 +12,8 @@ module:hook("s2s-check-certificate", function(event)
local conn = session.conn;
local log = session.log or log;
+ local secure_hostname = conn.extra and conn.extra.secure_hostname;
+
if not cert then
log("warn", "No certificate provided by %s", host or "unknown host");
return;
@@ -45,6 +47,14 @@ module:hook("s2s-check-certificate", function(event)
end
log("debug", "certificate identity validation result: %s", session.cert_identity_status);
end
+
+ -- Check for DNSSEC-signed SRV hostname
+ if secure_hostname and session.cert_identity_status ~= "valid" then
+ if cert_verify_identity(secure_hostname, "xmpp-server", cert) then
+ module:log("info", "Secure SRV name delegation %q -> %q", secure_hostname, host);
+ session.cert_identity_status = "valid"
+ end
+ end
end
measure_cert_statuses:with_labels(session.cert_chain_status or "unknown", session.cert_identity_status or "unknown"):add(1);
end, 509);
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-01 15:25:15 +0000