path: root/plugins/mod_s2s.lua
Commit message [Author, Age, Files, Lines]
* mod_s2s: Add event where resolver for s2sout can be tweaked [Kim Alvefur, 2022-08-18, 1, -0/+4]
| Could be used to implement custom connection methods (c.f. mod_onions) without needing to duplicate the rest of route_to_new_session(). Adds a feature to enable detection since it can be difficult to detect support for an event otherwise.
* mod_s2s: Fix firing buffer drain events [Kim Alvefur, 2022-08-26, 1, -2/+2]
| Fixes the same kind of issue as in 65563530375b but once and for all, while improving similarity between incoming and outgoing connections.
* mod_s2s: Improve robustness of outgoing s2s certificate verification [Matthew Wild, 2022-04-25, 1, -0/+11]
| This change ensures we have positively verified the certificates of the server we are connecting to before marking the session as authenticated. It protects against situations where the verify-or-close stage of the connection was interrupted (e.g. due to an uncaught error). Thanks to Zash for discovery and testing.
* Merge config-updates+check-turn from timber [Matthew Wild, 2022-03-04, 1, -1/+1]
|\
| * various: Require encryption by default for real [Kim Alvefur, 2021-12-25, 1, -1/+1]
| | These options have been specified (and enabled) in the default config file for a long time. However if unspecified in the config, they were not enabled. Now they are. This may result in a change of behaviour for people using very old config files that lack the require_encryption options. But that's what we want.
* | mod_c2s,mod_s2s: Fix error on shutdown (Thanks Martin) [Kim Alvefur, 2022-02-22, 1, -1/+1]
| | Since there are two calls to done() that can happen, if the timing is right (or wrong) both can happen, which previously triggered an error.
* | mod_c2s,mod_s2s: Wrap callback to improve tracebacks [Kim Alvefur, 2022-02-22, 1, -1/+1]
|/
| Should make traces point here instead of timer dispatch, making debugging easier
* mod_c2s,mod_s2s: Wait for sessions to close before proceeding with shutdown steps [Kim Alvefur, 2022-02-17, 1, -1/+16]
| Ensures unavailable presence and other outgoing stanzas are sent. Waiting for c2s sessions to close first before proceeding to disable and close s2s ensures that unavailable presence can go out, even if it requires dialback to complete first.
* mod_s2s: Disable creation of new outgoing connections during shutdown [Kim Alvefur, 2022-02-11, 1, -0/+7]
|
* mod_c2s,mod_s2s: Disable and close port listeners before closing sessions [Kim Alvefur, 2022-02-11, 1, -0/+7]
| This ensures no new clients can start connecting during shutdown
* mod_s2s: Add new early s2s-connected events [Kim Alvefur, 2022-02-06, 1, -0/+3]
| Allows doing things based on connections rather than sessions, which may have been created before or after.
* mod_s2s: Retrieve TLS context for outgoing Direct TLS connections from mod_tls [Kim Alvefur, 2022-01-21, 1, -7/+11]
| So that the same TLS context is used for both Direct TLS and starttls, since they are supposed to be functionally identical apart from the few extra round trips. A new event is added because the 's2s-created' event fires much later, after a connection has already been established, where we need the TLS context before that.
* mod_s2s: Enable outgoing Direct TLS connections [Kim Alvefur, 2022-01-21, 1, -2/+9]
| Makes it faster by cutting out the roundtrips involved in <starttls/>, at the cost of making an additional SRV lookup. Since we already ignore a missing <starttls/> offer and try anyway there is not much difference in security. The fact that XMPP is used and the hostnames involved might still be visible until the future Encrypted ClientHello extension allows hiding those too.
* mod_s2s: Fix logging of <stream:error> consistency with other mods [Kim Alvefur, 2021-10-24, 1, -1/+1]
| `reason` was often a table, so the log said "table: 0xptr" or such. mod_c2s, mod_bosh etc logs the stream error stanza object, so better do the same. It would be nicer if this was an util.error object, but that will have to be a future change.
* mod_s2s: Don't pass unknown hostnames as stats label [Kim Alvefur, 2021-10-21, 1, -0/+1]
| Labels are supposed to be fixed sets of things, so defined hosts are okay, but not unknown hosts.
* mod_s2s: Rename Direct TLS listener 's2s_direct_tls' [Kim Alvefur, 2021-09-09, 1, -1/+1]
| Following the style of other options like (c2s|s2s)_require_encryption, s2s_secure_auth etc.
* mod_s2s: Add a Direct TLS listener [Kim Alvefur, 2021-08-10, 1, -0/+14]
| Mirroring the c2s 'direct_tls'. Naming things is hard.
|     direct_tls_s2s_ports = { 5269+1 }
* mod_s2s: Handle connections having TLS from the start [Kim Alvefur, 2021-08-10, 1, -0/+4]
| This could be done with multiplexing, or a future additional port definition.
* mod_s2s: Factor out procedure for newly encrypted sessions [Kim Alvefur, 2021-08-10, 1, -12/+16]
| Goal is to call this if the connection is using Direct TLS, either via multiplexing or a future Direct TLS S2S port.
* mod_c2s,mod_s2s: Indicate stanza size violation with condition from XEP-0205 (thanks mjk) [Kim Alvefur, 2021-09-06, 1, -1/+5]
|
* mod_c2s,mod_s2s: Fire event just before writes [Kim Alvefur, 2021-08-16, 1, -0/+7]
| Could allow e.g. a XEP-0198 implementation to efficiently send ack requests at optimal times without using timers or nextTick.
* mod_s2s: Fire 's2s-ondrain' event, mirroring mod_c2s [Kim Alvefur, 2021-08-16, 1, -0/+7]
| Signals that any pending outgoing stanzas that were in the write buffer have at least been sent off to the Kernel and maybe even sent out over the network. See 7a703af90c9c for mod_c2s commit
* mod_s2s: Clone 'extra' data to let resolvers add more to it [Kim Alvefur, 2021-07-18, 1, -1/+5]
| This way 'extra' is unique for each connect() instance, making it safer to mutate it, while inheriting the global settings. See 926d53af9a7a for some more context.
* mod_s2s: Handle measurement where the local host is unknown [Kim Alvefur, 2021-07-18, 1, -1/+1]
| This could happen with Dialback-only connections or others that were missing the stream 'to' attribute.
* mod_s2s: Guard against missing 'to' on incoming stream [Kim Alvefur, 2021-07-18, 1, -1/+1]
| Given an incoming <stream:stream from="example.com"> this line would have mistakenly reported the 'from' as the local host. Neither are technically required and may be missing, especially on connections used only for Dialback. Outgoing connections initiated by Prosody always have 'from_host' and 'to_host', so it is safer to check it this way.
* mod_s2s: Don't close connections on reload [Kim Alvefur, 2021-07-14, 1, -0/+1]
|
* mod_s2s: Close connections attached to a host being deactivated [Kim Alvefur, 2021-07-14, 1, -0/+8]
| Couldn't use those with the host being deactivated. Problem: This kicks in on reload, which isn't needed.
* mod_s2s: Vary log level by remote stream error [Kim Alvefur, 2021-07-14, 1, -1/+33]
| Increases log level for stream conditions that could indicate a problem on our end, especially programming errors like invalid XML, or the remote server saying that our certificate is invalid, since these should be investigated. Non-issues like closing of idle streams are lowered to debug since it's mostly noise. Other issues left at info are mostly about changes to the remote server, e.g. complete or partial shutdown.
* mod_s2s: Remove connection timeout once it's no longer needed [Kim Alvefur, 2021-07-13, 1, -1/+12]
| Reduces the number of left-over timers to handle after many s2s connections were started, leaving only the ones related to incomplete connections.
* mod_s2s: Log debug message on attempted close of a connectionless session [Kim Alvefur, 2021-07-11, 1, -0/+1]
| This should probably never happen, but probably does anyways. A debug message would show the truth of the matter.
* mod_s2s: Drop level of indentation by inverting a condition and early return [Kim Alvefur, 2021-07-11, 1, -59/+61]
| Nicer to get rid of a conditional that covers such a large portion of a pretty big function.
* mod_s2s: Use module API to fire events [Kim Alvefur, 2021-07-11, 1, -9/+8]
| These direct accesses are probably more optimized, but weird when the module API has methods for these things.
* mod_s2s: Remove duplicate method call (thanks luacheck) [Kim Alvefur, 2021-06-21, 1, -1/+0]
| Should have been removed in the previous commit.
* mod_s2s: Guard against LuaSec not returning TLS info here too [Kim Alvefur, 2021-06-21, 1, -1/+2]
| See previous commit to mod_c2s: a62146353528
* mod_s2s: Bail if connection is destroyed after attempting to open stream [Kim Alvefur, 2021-06-16, 1, -0/+5]
| Fixes "attempt to compare number with nil" because `session.version` has been cleared by s2smanager.destroy_session. This can happen with the server_epoll setting opportunistic_writes enabled, which means that it can notice that the connection failed at this point, after which it triggers the whole chain of events that leads to session destruction and "cleaning" most of the session fields.
* mod_c2s,mod_s2s: Collect stats on TLS versions and ciphers [Kim Alvefur, 2021-06-16, 1, -0/+6]
|
* Merge 0.11->trunk [Matthew Wild, 2021-05-13, 1, -2/+2]
|
* s2s et al.: Add counters for connection state transitions [Jonas Schäfer, 2021-04-21, 1, -6/+45]
|
* mod_s2s: Port to new OpenMetrics API [Jonas Schäfer, 2021-04-18, 1, -10/+26]
|
* mod_s2s: Buffer stream error + stream closing tag [Kim Alvefur, 2021-03-03, 1, -1/+4]
| In "opportunistic writes" mode, prevents ondisconnect from happening while writing the stream closing tag.
* mod_s2s: Check direction in bidi-aware style [Kim Alvefur, 2021-03-03, 1, -1/+1]
| Both session.incoming and session.outgoing are truthy here, but session.direction indicates the "real" direction in the way that matters for the order of events when opening or closing streams.
* mod_s2s: Add config setting to enable DANE [Kim Alvefur, 2021-03-02, 1, -0/+1]
|
* mod_s2s: Clarify comment about unused TLS settings [Kim Alvefur, 2021-02-06, 1, -1/+3]
| Ref 115b5e32d960
* Merge 0.11->trunk [Kim Alvefur, 2020-12-16, 1, -1/+1]
|
* Merge 0.11->trunk [Kim Alvefur, 2020-12-11, 1, -1/+4]
|
* mod_s2s: Move out of empty directory [Kim Alvefur, 2020-06-02, 1, -0/+810]
  mod_s2s.lua had been all alone in there since the removal of s2sout.lib.lua in 756b8821007a