aboutsummaryrefslogtreecommitdiffstats
path: root/plugins/mod_c2s.lua
Commit message (Collapse)AuthorAgeFilesLines
* mod_saslauth, mod_c2s: Disable tls-server-end-point channel binding by defaultMatthew Wild2023-10-261-7/+0
| | | | | | | | | | | | | | | | | | | | | | This channel binding method is now enabled when a hash is manually set in the config, or it attempts to discover the hash automatically if the value is the special string "auto". A related change to mod_c2s prevents complicated certificate lookups in the client connection hot path - this work now happens only when this channel binding method is used. I'm not aware of anything else that uses ssl_cfg (vs ssl_ctx). Rationale for disabling by default: - Minor performance impact in automatic cert detection - This method is weak against a leaked/stolen private key (other methods such as 'tls-exporter' would not be compromised in such a case) Rationale for keeping the implementation: - For some deployments, this may be the only method available (e.g. due to TLS offloading in another process/server).
* mod_c2s: Add session.ssl_cfg/ssl_ctx for direct TLS connectionsMatthew Wild2022-09-071-0/+8
|
* plugins: Handle how get_option_period returns "never"Kim Alvefur2023-07-211-1/+1
|
* plugins: Use integer config API with interval specification where sensibleKim Alvefur2023-07-171-1/+1
| | | | | | | Many of these fall into a few categories: - util.cache size, must be >= 1 - byte or item counts that logically can't be negative - port numbers that should be in 1..0xffff
* plugins: Switch to :get_option_period() for time range optionsKim Alvefur2023-07-161-2/+2
| | | | Improves readability ("1 day" vs 86400) and centralizes validation.
* core.sessionmanager: Delay closing a replaced connection after replacementKim Alvefur2023-05-071-0/+1
| | | | | | | | | | Closing the session invokes ondisconnect and session close logic, including mod_smacks hibernation and the timer that destroys the session after a timeout. By closing the connection after it has been detached from the sessions table it will no longer invoke the ondetach handler, which should prevent the above problem.
* mod_c2s,mod_s2s: Fix tag name for SLA (thanks mjk)Kim Alvefur2023-05-031-1/+1
| | | | | | | The (still not published) XEP-xxxx: Stream Limits Advertisement uses the element <max-bytes/> to advertise the maximum octet size of top level stream elements. "size" was probably a leftover of an even earlier version of the (Proto)XEP.
* plugins: Prefix module imports with prosody namespaceKim Alvefur2023-03-241-9/+9
|
* mod_c2s: Disconnect accounts when they are disabledKim Alvefur2023-02-231-0/+1
| | | | | | | | We decided that at the first stage, accounts that are disabled should simply be prevented from authenticating, thus they should also be prevented from having connected sessions. Since this is aimed to be a moderation action for cases of abuse, they shouldn't be allowed to continue being connected.
* mod_c2s,mod_s2s: Adapt to XEP-xxxx: Stream Limits AdvertisementKim Alvefur2022-10-201-1/+2
| | | | Thanks MattJ
* mod_c2s: Advertise stanza size limit to clientsKim Alvefur2021-03-161-0/+4
| | | | | | | Should help clients avoid sending stanzas that will get their stream killed. Custom namespace while ironing out the protocol. My spoon is too big!
* mod_c2s: Include stream attributes in stream-features eventMatthew Wild2022-10-141-1/+1
| | | | We need this to access 'from' in SASL2/FAST.
* mod_smacks: Long overdue cleanup of resumption code, fixes some old TODOsMatthew Wild2022-08-261-0/+8
|
* mod_authz_internal, and more: New iteration of role APIMatthew Wild2022-08-171-1/+1
| | | | | | | | | | | These changes to the API (hopefully the last) introduce a cleaner separation between the user's primary (default) role, and their secondary (optional) roles. To keep the code sane and reduce complexity, a data migration is needed for people using stored roles in 0.12. This can be performed with prosodyctl mod_authz_internal migrate <host>
* net: isolate LuaSec-specificsJonas Schäfer2022-04-271-4/+2
| | | | | | | | | | | | | | For this, various accessor functions are now provided directly on the sockets, which reach down into the LuaSec implementation to obtain the information. While this may seem of little gain at first, it hides the implementation detail of the LuaSec+LuaSocket combination that the actual socket and the TLS layer are separate objects. The net gain here is that an alternative implementation does not have to emulate that specific implementation detail and "only" has to expose LuaSec-compatible data structures on the new functions.
* mod_c2s,mod_s2s: Fix error on shutdown (Thanks Martin)Kim Alvefur2022-02-221-1/+1
| | | | | Since there are two calls to done() that can happen, if the timing is right (or wrong) both can happen, which previously triggered an error.
* mod_c2s,mod_s2s: Wrap callback to improve tracebacksKim Alvefur2022-02-221-1/+1
| | | | | Should make traces point here instead of timer dispatch, making debugging easier
* mod_c2s: Ignore unused event payload [luacheck]Kim Alvefur2022-02-181-1/+1
|
* mod_c2s,mod_s2s: Wait for sessions to close before proceeding with shutdown ↵Kim Alvefur2022-02-171-1/+16
| | | | | | | | | | steps Ensures unavailable presence and other outgoing stanzas are sent. Waiting for c2s sessions to close first before proceeding to disable and close s2s ensures that unavailable presence can go out, even if it requires dialback to complete first.
* mod_c2s: Close ports in a separate, earlier event from closing sessionsKim Alvefur2022-02-181-0/+2
| | | | | Lets other things step in and do things while c2s ports are closed, e.g. mod_smacks, or other modules with port handlers that forward to c2s.
* mod_c2s,mod_s2s: Disable and close port listeners before closing sessionsKim Alvefur2022-02-111-0/+7
| | | | This ensures no new clients can start connecting during shutdown
* mod_c2s: Fire pre-closing event regardless of connected stateKim Alvefur2021-12-181-3/+3
| | | | | | | | With mod_smacks, a session can outlive the connection, so whether the event is fired should not hinge on whether the session is connected or not. Helps mod_smacks remove some state.
* mod_c2s: Add event just before closing as sessionKim Alvefur2021-12-011-0/+3
| | | | | | To allow modules to do things just before the session is closed. The '(pre-)resource-unbind' events are fired after the stream is closed, leaving no way to send something.
* mod_c2s: Disconnect user sessions on a role change eventMatthew Wild2021-11-121-18/+16
| | | | | The overlapping logic for deletion and password changed has been merged into a single function.
* mod_c2s,etc: Identify stanza object with appropriate functionKim Alvefur2021-10-241-2/+2
| | | | | Better than duck typing, in case anyone ever passes a non-stanza table with a 'name' field.
* mod_c2s: Rename Direct TLS listener 'c2s_direct_tls' for clarityKim Alvefur2021-09-091-1/+1
| | | | And to follow existing naming practices better than 'legacy_ssl' did.
* mod_c2s,mod_s2s: Indicate stanza size violation with condition from XEP-0205 ↵Kim Alvefur2021-09-061-1/+5
| | | | (thanks mjk)
* mod_c2s,mod_s2s: Fire event just before writesKim Alvefur2021-08-161-0/+7
| | | | | Could allow e.g. a XEP-0198 implementation to efficiently send ack requests at optimal times without using timers or nextTick.
* mod_c2s: Guard against LuaSec not returning TLS info (thanks Martin)Kim Alvefur2021-06-211-4/+4
| | | | | | | | | The :info() method has been observed to return nothing ... sometimes. Unclear what causes it. Perhaps the TLS connection was shut down or hasn't fully settled? The LuaSec code has code paths that return nothing or nil, error, so it is best to guard against it.
* mod_c2s: Log the same messages for Direct TLS as with starttlsKim Alvefur2021-06-201-1/+6
| | | | ^C^V
* mod_c2s: Update a comment to reflect Direct TLSKim Alvefur2021-06-201-1/+1
|
* mod_c2s: Add a Direct TLS listenerKim Alvefur2021-06-201-0/+10
| | | | | This only differs from 'legacy_ssl' in name, at least on the server side. For clients this is the one that uses SRV records.
* mod_c2s,mod_s2s: Collect stats on TLS versions and ciphersKim Alvefur2021-06-161-0/+7
|
* Merge 0.11->trunkMatthew Wild2021-05-131-1/+1
|\
| * mod_c2s, mod_s2s, mod_component, mod_bosh, mod_websockets: Set default ↵Matthew Wild2021-05-071-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | stanza size limits c2s/bosh/ws streams will default to 256KB, s2s and components to 512KB. These values are aligned with ejabberd's default settings, which should reduce issues related to inconsistent size limits between servers on the XMPP network. The previous default (10MB) is excessive for any production server, and allows significant memory usage by even unauthenticated sessions.
* | mod_c2s: Port to new OpenMetrics APIJonas Schäfer2021-04-181-10/+16
| |
* | mod_c2s: Fix traceback if session was destroyed while opening stream (thanks ↵Kim Alvefur2021-04-141-0/+3
| | | | | | | | | | | | | | | | | | | | | | Ge0rG) Could happen with the 'opportunistic_writes' setting, since then the stream opening is written directly to the socket, which can in turn trigger session destruction if the socket somehow got closed just after the other sent their stream header. Error happens later when it tries to `hosts[session.host == nil].events`
* | Merge 0.11->trunkKim Alvefur2021-04-101-4/+12
|\|
| * mod_c2s: Log about missing conn on async state changesKim Alvefur2021-03-181-0/+4
| |
| * mod_c2s: Improve code styleKim Alvefur2021-03-181-2/+6
| | | | | | | | | | We don't use the quoted table indexing style that often, it's not needed here and it's enough to check for falsyness rather than `nil`.
| * mod_c2s: Fix traceback in session close when conn is nilKim Alvefur2021-03-171-2/+2
| | | | | | | | Unclear how this happens.
| * mod_c2s: Don't throw errors in async code when connections are gonetmolitor2021-03-181-2/+2
| | | | | | | | Fixes #1507
| * mod_c2s,mod_s2s: Make stanza size limits configurable0.11.7Kim Alvefur2020-05-311-1/+2
| |
* | mod_c2s: Log a debug message before closing due to c2s_timeoutKim Alvefur2021-03-231-0/+1
| | | | | | | | | | | | | | It was confusing that the connection would just close without much explanation. Wanted this while investigating https://github.com/conversejs/converse.js/issues/2438
* | mod_c2s: Reflect stream 'from' attribute back if set (fix #1625)Kim Alvefur2021-02-031-1/+1
| | | | | | | | Clients should *not* be setting this before TLS anyways.
* | mod_c2s,mod_s2s: Make stanza size limits configurableKim Alvefur2020-05-311-1/+2
| |
* | mod_c2s,mod_s2s: Use a distinct stream error for hitting stanza size limitKim Alvefur2020-05-311-1/+5
| | | | | | | | Since this is not a real parse error, it should not be reported as such.
* | mod_c2s: Run stream open and close events in async thread, fixes #1103Kim Alvefur2020-05-081-2/+18
| | | | | | | | Enables async processing during stream opening and closing.
* | mod_c2s: Swap commentsKim Alvefur2020-04-191-2/+2
| |
* | mod_net_multiplex: Add support for using ALPNKim Alvefur2019-11-291-0/+1
| | | | | | | | | | | | | | Potentially a bit more efficient since it can jump to the selected protocol on connect instead of waiting for some data to look at. Adds a 'protocol' field to net providers for this purpose.