From dd3368d55b9a5c85938c90ebb92f7b60e0c0df2e Mon Sep 17 00:00:00 2001
From: Kim Alvefur
Date: Thu, 24 Sep 2015 20:02:00 +0200
Subject: prosodyctl check: Warn if encryption is required but LuaSec is unavailable

---
 prosodyctl | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/prosodyctl b/prosodyctl
index b23d395d..ac0b7cd0 100755
--- a/prosodyctl
+++ b/prosodyctl
@@ -913,6 +913,19 @@ function commands.check(arg)
 			print(" For more information see: http://prosody.im/doc/dns");
 		end
 	end
+	local all_options = set.new();
+	for host in enabled_hosts() do
+		all_options:include(set.new(it.to_array(it.keys(config[host]))));
+	end
+	local ssl = nil, dependencies.softreq"ssl";
+	if not ssl then
+		if not set.intersection(all_options, set.new({"require_encryption", "c2s_require_encryption", "s2s_require_encryption"})):empty() then
+			print("");
+			print(" You require encryption but LuaSec is not available.");
+			print(" Connections will fail.");
+			ok = false;
+		end
+	end
 
 	print("Done.\n");
 end
-- cgit v1.2.3

From eb5aa38412c052e2d6aa8d99dcc32817a7836795 Mon Sep 17 00:00:00 2001
From: Kim Alvefur
Date: Thu, 24 Sep 2015 20:02:57 +0200
Subject: prosodyctl check: Warn if certificate checking is enforced but LuaSec is too old

---
 prosodyctl | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/prosodyctl b/prosodyctl
index ac0b7cd0..e4e22322 100755
--- a/prosodyctl
+++ b/prosodyctl
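Review bot: `local ssl = nil, dependencies.softreq"ssl";` binds `ssl` to nil and throws the softreq result away (a local statement assigns expressions positionally, and there is only one name), so `if not ssl` is always true: the "LuaSec is not available" warning fires for every configuration that sets one of the require_encryption options even when LuaSec is installed, and the `elseif not ssl.loadcertificate` branch the next hunk adds can never be reached. The line should read `local ssl = dependencies.softreq"ssl";`. Separately, `all_options` holds option names, not values, so an explicit `c2s_require_encryption = false` still trips the check; testing the values, e.g. `config[host].c2s_require_encryption`, would avoid that false positive, and the same presence-only test applies to `s2s_secure_auth` in the next hunk. Options set in the global section are presumably not raw keys of `config[host]` and would therefore be invisible to `it.keys`; worth confirming against the config loader.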
@@ -925,6 +925,30 @@ function commands.check(arg)
 			print(" Connections will fail.");
 			ok = false;
 		end
+	elseif not ssl.loadcertificate then
+		if all_options:contains("s2s_secure_auth") then
+			print("");
+			print(" You have set s2s_secure_auth but your version of LuaSec does ");
+			print(" not support certificate validation, so all s2s connections will");
+			print(" fail.");
+			ok = false;
+		elseif all_options:contains("s2s_secure_domains") then
+			local secure_domains = set.new();
+			for host in enabled_hosts() do
+				if config[host].s2s_secure_auth == true then
+					secure_domains:add("*");
+				else
+					secure_domains:include(set.new(config[host].s2s_secure_domains));
+				end
+			end
+			if not secure_domains:empty() then
+				print("");
+				print(" You have set s2s_secure_domains but your version of LuaSec does ");
+				print(" not support certificate validation, so s2s connections to/from ");
+				print(" these domains will fail.");
+				ok = false;
+			end
+		end
 	end
 
 	print("Done.\n");
-- cgit v1.2.3

From 7dda2051767b494cba55b3b8c3a3086b60252f9a Mon Sep 17 00:00:00 2001
From: Kim Alvefur
Date: Thu, 24 Sep 2015 20:05:23 +0200
Subject: mod_c2s, mod_s2s: Close incoming connections if there are no features to offer on incomplete streams (fixes #285)

---
 plugins/mod_c2s.lua | 7 ++++++-
 plugins/mod_s2s/mod_s2s.lua | 9 +++++++--
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/plugins/mod_c2s.lua b/plugins/mod_c2s.lua
index 1423eaa3..3d9f9f88 100644
--- a/plugins/mod_c2s.lua
+++ b/plugins/mod_c2s.lua
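Review bot: `secure_domains:include(set.new(config[host].s2s_secure_domains))` runs for every enabled host as soon as any one host has the option, so hosts that do not set `s2s_secure_domains` hand nil to set.new; unless set.new is known to accept a nil list (not visible here), `set.new(config[host].s2s_secure_domains or {})` keeps the loop safe. The `not ssl.loadcertificate` probe is the only thing that encodes "LuaSec is too old" and deserves a comment saying so, e.g. `-- older LuaSec has no ssl.loadcertificate, and with it no certificate validation`. commands.check starts and ends outside the hunk.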
@@ -83,7 +83,12 @@ function stream_callbacks.streamopened(session, attr)
 
 	local features = st.stanza("stream:features");
 	hosts[session.host].events.fire_event("stream-features", { origin = session, features = features });
-	send(features);
+	if features.tags[1] or session.full_jid then
+		send(features);
+	else
+		(session.log or log)("warn", "No features to offer");
+		session:close{ condition = "undefined-condition", text = "No features to proceed with" };
+	end
 end
 
 function stream_callbacks.streamclosed(session)
diff --git a/plugins/mod_s2s/mod_s2s.lua b/plugins/mod_s2s/mod_s2s.lua
index 480761f4..b44000a6 100644
--- a/plugins/mod_s2s/mod_s2s.lua
+++ b/plugins/mod_s2s/mod_s2s.lua
@@ -351,8 +351,13 @@ function stream_callbacks.streamopened(session, attr)
 			(session.log or log)("warn", "No 'to' on stream header from %s means we can't offer any features", from or session.ip or "unknown host");
 		end
 
-		log("debug", "Sending stream features: %s", tostring(features));
-		session.sends2s(features);
+		if ( session.type == "s2sin" or session.type == "s2sout" ) or features.tags[1] then
+			log("debug", "Sending stream features: %s", tostring(features));
+			session.sends2s(features);
+		else
+			(session.log or log)("warn", "No features to offer, giving up");
+			session:close({ condition = "undefined-condition", text = "No features to offer" });
+		end
 	elseif session.direction == "outgoing" then
 		session.notopen = nil;
-- cgit v1.2.3
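Review bot: The new condition `features.tags[1] or session.full_jid` does not say why a session that already has a full JID is exempt from the close, and the warn line tells the operator nothing about which host produced an empty feature set; a comment such as `-- An incomplete stream with nothing to offer would leave the client stuck (#285); a session with a full JID is presumably already bound and has nothing left to negotiate` records the intent, with the bound-session reading to be confirmed. Including the host in the message, `(session.log or log)("warn", "No features to offer on %s", session.host)`, would make the most likely cause — a per-host configuration without the modules that contribute features — easier to spot in the log. stream_callbacks.streamopened starts outside the hunk.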
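Review bot: The re-added `log("debug", "Sending stream features: %s", tostring(features));` uses the module logger while the new warn beside it uses `(session.log or log)`, so the success path lacks the per-session prefix the failure path carries; `(session.log or log)("debug", "Sending stream features: %s", tostring(features));` keeps both attributable to the same connection. The exemption `( session.type == "s2sin" or session.type == "s2sout" )` presumably covers streams that are already authenticated and so may legitimately have no features left, and the redundant parentheses obscure that; a comment like `-- authenticated sessions may have nothing left to offer; an unauthenticated one with no features can never proceed` would make the rule explicit, pending confirmation that these type values mark the authenticated state. The enclosing streamopened starts and ends outside the hunk.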