From bfe5b17163329f4b5aab2436b5ba3c021b838db6 Mon Sep 17 00:00:00 2001
From: Kim Alvefur
Date: Sun, 4 Aug 2013 17:33:00 +0200
Subject: mod_s2s: Log certificate identity validation result
---
 plugins/mod_s2s/mod_s2s.lua | 1 +
 1 file changed, 1 insertion(+)
diff --git a/plugins/mod_s2s/mod_s2s.lua b/plugins/mod_s2s/mod_s2s.lua
index 5a2af968..ccf85012 100644
--- a/plugins/mod_s2s/mod_s2s.lua
+++ b/plugins/mod_s2s/mod_s2s.lua
@@ -255,6 +255,7 @@ local function check_cert_status(session)
 else
 session.cert_identity_status = "invalid"
 end
+(session.log or log)("debug", "certificate identity validation result: %s", session.cert_identity_status);
 end
 end
 end
--
cgit v1.2.3
From 47493361278343fd8693ade12dadf63715871609 Mon Sep 17 00:00:00 2001
From: Kim Alvefur
Date: Mon, 5 Aug 2013 20:47:38 +0200
Subject: mod_s2s: Improve policy check
---
 plugins/mod_s2s/mod_s2s.lua | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/mod_s2s/mod_s2s.lua b/plugins/mod_s2s/mod_s2s.lua
index ccf85012..95015526 100644
--- a/plugins/mod_s2s/mod_s2s.lua
+++ b/plugins/mod_s2s/mod_s2s.lua
@@ -642,7 +642,7 @@ function check_auth_policy(event)
 must_secure = false;
 end
-if must_secure and not session.cert_identity_status then
+if must_secure and (session.cert_chain_status ~= "valid" or session.cert_identity_status ~= "valid") then
 module:log("warn", "Forbidding insecure connection to/from %s", host);
 if session.direction == "incoming" then
 session:close({ condition = "not-authorized", text = "Your server's certificate is invalid, expired, or not trusted by "..session.to_host });
--
cgit v1.2.3
From 8e182dcbb67dfca09f5c00d48d46c2e5a635a63d Mon Sep 17 00:00:00 2001
From: Kim Alvefur
Date: Tue, 6 Aug 2013 14:31:20 +0200
Subject: util.hashes: Correct argument order
---
 util-src/hashes.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/util-src/hashes.c b/util-src/hashes.c
index 39737ae0..ad25c1a7 100644
--- a/util-src/hashes.c
+++ b/util-src/hashes.c
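Review bot: The rejection on the new `if` line now fires when either status is anything other than "valid" (including nil, i.e. no certificate at all), which is the correct fail-closed behaviour, but the warn line directly below still names only the host, so an operator reading the log cannot tell whether the chain check or the identity check caused the refusal. I would extend it to `module:log("warn", "Forbidding insecure connection to/from %s (chain: %s, identity: %s)", host, tostring(session.cert_chain_status), tostring(session.cert_identity_status));` so the rejection is diagnosable without enabling debug logging. The not-authorized text sent to the peer can stay as it is. check_auth_policy continues outside the hunk.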
@@ -85,7 +85,7 @@ static void hmac(struct hash_desc *desc, const char *key, size_t key_len,
 if (key_len > 64) {
 desc->Init(desc->ctx);
 desc->Update(desc->ctx, key, key_len);
-desc->Final(desc->ctx, hashedKey);
+desc->Final(hashedKey, desc->ctx);
 key = (const char*)hashedKey;
 key_len = desc->digestLength;
 }
--
cgit v1.2.3
From 2d80fe3bbd1722cc703390bd9055902f7dd843bf Mon Sep 17 00:00:00 2001
From: Kim Alvefur
Date: Tue, 6 Aug 2013 14:32:31 +0200
Subject: mod_admin_telnet, mod_s2s: Fix reporting of certificate chain validation details
---
 plugins/mod_admin_telnet.lua | 2 +-
 plugins/mod_s2s/mod_s2s.lua | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/plugins/mod_admin_telnet.lua b/plugins/mod_admin_telnet.lua
index b942e9bd..131689c5 100644
--- a/plugins/mod_admin_telnet.lua
+++ b/plugins/mod_admin_telnet.lua
@@ -673,7 +673,7 @@ end
 -- I think there's going to be more confusion among operators if we
 -- break from that.
 local function print_errors(print, errors)
-for depth, t in ipairs(errors) do
+for depth, t in pairs(errors) do
 print(
 (" %d: %s"):format(
 depth-1,
diff --git a/plugins/mod_s2s/mod_s2s.lua b/plugins/mod_s2s/mod_s2s.lua
index 95015526..bb46cd2f 100644
--- a/plugins/mod_s2s/mod_s2s.lua
+++ b/plugins/mod_s2s/mod_s2s.lua
@@ -239,7 +239,7 @@ local function check_cert_status(session)
 -- Is there any interest in printing out all/the number of errors here?
 if not chain_valid then
 (session.log or log)("debug", "certificate chain validation result: invalid");
-for depth, t in ipairs(errors or NULL) do
+for depth, t in pairs(errors or NULL) do
 (session.log or log)("debug", "certificate error(s) at depth %d: %s", depth-1, table.concat(t, ", "))
 end
 session.cert_chain_status = "invalid";
--
cgit v1.2.3
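Review bot: The corrected call `desc->Final(hashedKey, desc->ctx)` fills hashedKey with the digest (the following `key_len = desc->digestLength` implies desc->digestLength bytes), but hashedKey's declaration and size are outside the hunk, so the buffer contract is invisible at the call site; I would add `/* hashedKey must hold at least desc->digestLength bytes */` above it. That the two operands could be swapped without a compile error suggests the Final callback is declared with loosely typed pointers; worth confirming, since a distinct context pointer type would have turned this into a build failure. Separately, the `key_len > 64` literal is the HMAC block size only for MD5, SHA-1 and SHA-256; if a descriptor with a 128-byte block (SHA-384/512) is ever added, keys of 65–128 bytes would be pre-hashed and produce a non-standard MAC, so the threshold should come from a per-descriptor block-size field rather than the literal. hmac starts before the hunk and continues after it.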
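Review bot: Switching to `pairs` on the for line fixes the early stop on an errors table with gaps between depths, but pairs visits keys in unspecified order, so the per-depth lines can now be printed out of order, which makes a chain report harder to read; the same applies to the pairs loop in this commit's mod_s2s.lua hunk. Collecting the depth keys, sorting them and iterating that list keeps the output deterministic while still covering every depth present. print_errors continues past the hunk.
```lua
local function print_errors(print, errors)
	local depths = {};
	for depth in pairs(errors) do depths[#depths+1] = depth; end
	table.sort(depths);
	for _, depth in ipairs(depths) do
		local t = errors[depth];
		print(
		-- … unchanged: format of depth-1 and t …
```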