From 268dfa38c09c78b0bdab2cb1e3590b1ffa3ad86e Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Fri, 21 Jan 2022 17:59:19 +0100 Subject: mod_s2s: Enable outgoing Direct TLS connections Makes it faster by cutting out the roundtrips involved in , at the cost of making an additional SRV lookup. Since we already ignore a missing offer and try anyway there is not much difference in security. The fact that XMPP is used and the hostnames involved might still be visible until the future Encrypted ClientHello extension allows hiding those too. --- CHANGES | 2 +- plugins/mod_s2s.lua | 11 +++++++++-- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index 3e7907f0..b3f0bdb6 100644 --- a/CHANGES +++ b/CHANGES @@ -27,7 +27,7 @@ TRUNK - SNI support (including automatic certificate selection) - ALPN support in mod_net_multiplex - DANE support in low-level network layer -- Direct TLS support (c2s and incoming s2s) +- Direct TLS support (c2s and s2s) - SCRAM-SHA-256 - Direct TLS (including https) certificates updated on reload - Pluggable authorization providers (mod_authz_) diff --git a/plugins/mod_s2s.lua b/plugins/mod_s2s.lua index 7b915194..66b4c56b 100644 --- a/plugins/mod_s2s.lua +++ b/plugins/mod_s2s.lua @@ -29,6 +29,7 @@ local uuid_gen = require "util.uuid".generate; local runner = require "util.async".runner; local connect = require "net.connect".connect; local service = require "net.resolvers.service"; +local resolver_chain = require "net.resolvers.chain"; local errors = require "util.error"; local set = require "util.set"; @@ -217,8 +218,14 @@ function route_to_new_session(event) log("debug", "stanza [%s] queued until connection complete", stanza.name); -- FIXME Cleaner solution to passing extra data from resolvers to net.server -- This mt-clone allows resolvers to add extra data, currently used for DANE TLSA records - local extra = setmetatable({}, s2s_service_options_mt); - connect(service.new(to_host, "xmpp-server", "tcp", extra), listener, nil, { session = host_session }); + local xmpp_extra = setmetatable({}, s2s_service_options_mt); + local sslctx = require"core.certmanager".create_context(from_host, "client"); -- TODO this should live in mod_tls ? + local xmpps_extra = setmetatable({ default_port = false; servername = to_host; sslctx = sslctx }, s2s_service_options_mt); + local direct_and_normal = resolver_chain.new({ + service.new(to_host, "xmpps-server", "tcp", xmpps_extra); + service.new(to_host, "xmpp-server", "tcp", xmpp_extra); + }); + connect(direct_and_normal, listener, nil, { session = host_session }); m_initiated_connections:with_labels(from_host):add(1) return true; end -- cgit v1.2.3