From 627b87ac7c1d4e67d317b88365df07bcd621f48e Mon Sep 17 00:00:00 2001
From: Kim Alvefur
Date: Sun, 30 Jul 2017 18:47:43 +0200
Subject: net.websocket: Remove stray module api reference, shouldn't be used in here
---
 net/websocket.lua | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'net')
diff --git a/net/websocket.lua b/net/websocket.lua
index 373210d6..777b894c 100644
--- a/net/websocket.lua
+++ b/net/websocket.lua
@@ -38,7 +38,7 @@ function websocket_listeners.ondetach(handler)
 end
 local function fail(s, code, reason)
- module:log("warn", "WebSocket connection failed, closing. %d %s", code, reason);
+ log("warn", "WebSocket connection failed, closing. %d %s", code, reason);
 s:close(code, reason);
 s.handler:close();
 return false
-- cgit v1.2.3
From 10d48f1bad15b74de952aa8ce51d04ad60861c64 Mon Sep 17 00:00:00 2001
From: Kim Alvefur
Date: Fri, 7 Jul 2017 20:16:00 +0200
Subject: net.http: Remove duplicate 'request' entry
---
 net/http.lua | 1 -
 1 file changed, 1 deletion(-)
(limited to 'net')
diff --git a/net/http.lua b/net/http.lua
index d820e471..cce363ae 100644
--- a/net/http.lua
+++ b/net/http.lua
@@ -235,7 +235,6 @@ local function new(options)
 return new(setmetatable(new_options, { __index = options }));
 end or new;
 events = events.new();
- request = request;
 };
 return http;
 end
-- cgit v1.2.3
From 450544aad0a236e7ebcf3307e8fe8dbda683d775 Mon Sep 17 00:00:00 2001
From: Kim Alvefur
Date: Fri, 7 Jul 2017 20:30:52 +0200
Subject: net.http: Expose defaults
---
 net/http.lua | 1 +
 1 file changed, 1 insertion(+)
(limited to 'net')
diff --git a/net/http.lua b/net/http.lua
index cce363ae..0d14e526 100644
--- a/net/http.lua
+++ b/net/http.lua
@@ -245,6 +245,7 @@ return {
 request = function (u, ex, callback)
 return default_http:request(u, ex, callback);
 end;
+ default = default_http;
 new = new;
 events = default_http.events;
 -- COMPAT
-- cgit v1.2.3
From 708ce26bc81ce86b5f0a23f4beb3119210ab6d8f Mon Sep 17 00:00:00 2001
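Review bot: The replacement call on the `+` line assumes a file-level `log` function is in scope in net/websocket.lua, which this hunk does not show; if none is defined, the first failed handshake raises "attempt to call global 'log'" inside fail() instead of closing the connection cleanly. Worth confirming that something like `local log = require "util.logger".init("websocket");` (or the file's equivalent) exists near the top, and running luacheck over the file so an accidental global is caught rather than discovered on the error path. The enclosing fail() body ends inside the hunk, but its callers do not.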
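Review bot: Exposing `default` hands callers the shared instance, so anything they change on it — its options (which a later commit in this series reads as `self.options.sslctx` when building HTTPS connections) or its `events` — applies to every subsequent `request()` call in the process. A one-line comment on the new entry would make that contract explicit: `default = default_http; -- shared instance behind request(); changes to it affect all callers`. Whether `options` is stored on the instance as a plain, mutable table is not visible in this hunk, so the wording should be checked against new().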
From: Kim Alvefur
Date: Fri, 7 Jul 2017 20:31:52 +0200
Subject: net.http: Move default SSL/TLS settings into options, allowing them to be overriden in new()
---
 net/http.lua | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
(limited to 'net')
diff --git a/net/http.lua b/net/http.lua
index 0d14e526..756deaf4 100644
--- a/net/http.lua
+++ b/net/http.lua
@@ -196,7 +196,7 @@ local function request(self, u, ex, callback)
 local sslctx = false;
 if using_https then
- sslctx = ex and ex.sslctx or { mode = "client", protocol = "sslv23", options = { "no_sslv2", "no_sslv3" } };
+ sslctx = ex and ex.sslctx or self.options and self.options.sslctx;
 end
 local handler, conn = server.addclient(host, port_number, listener, "*a", sslctx)
@@ -239,7 +239,9 @@ local function new(options)
 return http;
 end
-local default_http = new();
+local default_http = new({
+ sslctx = { mode = "client", protocol = "sslv23", options = { "no_sslv2", "no_sslv3" } };
+});
 return {
 request = function (u, ex, callback)
-- cgit v1.2.3
From e605ac0987662ef14c3f0b642079a815961102e1 Mon Sep 17 00:00:00 2001
From: Kim Alvefur
Date: Fri, 7 Jul 2017 21:04:30 +0200
Subject: net.http: Validate HTTPS certificates (fixes #659)
---
 net/http.lua | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
(limited to 'net')
diff --git a/net/http.lua b/net/http.lua
index 756deaf4..eba050cd 100644
--- a/net/http.lua
+++ b/net/http.lua
@@ -11,6 +11,7 @@ local url = require "socket.url"
 local httpstream_new = require "net.http.parser".new;
 local util_http = require "util.http";
 local events = require "util.events";
+local verify_identity = require"util.x509".verify_identity;
 local ssl_available = pcall(require, "ssl");
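Review bot: With the `+ sslctx = ex and ex.sslctx or self.options and self.options.sslctx;` line, an instance created by `new()` without an `sslctx` option now hands `nil` (or `false` when `self.options` is absent) to `server.addclient` for an HTTPS URL, whereas the old code always supplied a client context with SSLv2/SSLv3 disabled; only the default instance regains that context in the next hunk. Unless `server.addclient` substitutes a context of its own, which is outside this hunk, HTTPS through such instances either fails or runs with whatever the net.server backend applies by default, so this is worth checking before merge. Hoisting the literal that the next hunk passes to `new({...})` into a module-level local defined above request() and appending it as the final `or` fallback here would keep the previous behaviour for every instance without duplicating the table. The body of request() starts and ends outside the hunk.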
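Review bot: The context literal on the `+ sslctx = {` line carries only `mode`, `protocol` and `options`; no `verify`, `cafile` or `capath` field is visible, so the chain-verification result that a later commit in this series reads through `getpeerverification()` depends on whatever trust store and verify mode LuaSec and OpenSSL apply by default on the host. Either an explicit field or a comment such as `-- no trust store set here; verification outcome depends on LuaSec/OpenSSL defaults` would record that decision. Because new() appears to derive instances via `__index = options` (visible in an earlier hunk), this table is shared by reference, and a caller editing it in place changes the default instance too.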
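Review bot: The added `require"util.x509"` omits the space that the three surrounding `require "..."` lines use; `local verify_identity = require "util.x509".verify_identity;` keeps the require block consistent and greppable. Purely a style point, the semantics are identical.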
@@ -34,6 +35,26 @@ local listener = { default_port = 80, default_mode = "*a" };
 function listener.onconnect(conn)
 local req = requests[conn];
+
+ -- Validate certificate
+ if conn:ssl() then
+ local sock = conn:socket();
+ local chain_valid = sock.getpeerverification and sock:getpeerverification();
+ if not chain_valid then
+ req.callback("certificate-chain-invalid", 0, req);
+ req.callback = nil;
+ conn:close();
+ return;
+ end
+ local cert = sock.getpeercertificate and sock:getpeercertificate();
+ if not cert or not verify_identity(req.host, false, cert) then
+ req.callback("certificate-verify-failed", 0, req);
+ req.callback = nil;
+ conn:close();
+ return;
+ end
+ end
+
 -- Send the request
 local request_line = { req.method or "GET", " ", req.path, " HTTP/1.1\r\n" };
 if req.query then
-- cgit v1.2.3
From 7e28119b3d3fe91b2f8541da2af90b232ab38412 Mon Sep 17 00:00:00 2001
From: Kim Alvefur
Date: Fri, 7 Jul 2017 21:04:46 +0200
Subject: net.http: Add option for disabling TLS certifictate validation
---
 net/http.lua | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'net')
diff --git a/net/http.lua b/net/http.lua
index eba050cd..8364a104 100644
--- a/net/http.lua
+++ b/net/http.lua
@@ -37,7 +37,7 @@ function listener.onconnect(conn)
 local req = requests[conn];
 -- Validate certificate
- if conn:ssl() then
+ if not req.insecure and conn:ssl() then
 local sock = conn:socket();
 local chain_valid = sock.getpeerverification and sock:getpeerverification();
 if not chain_valid then
@@ -202,6 +202,7 @@ local function request(self, u, ex, callback)
 headers[k] = v;
 end
 end
+ req.insecure = ex.insecure;
 end
 log("debug", "Making %s %s request '%s' to %s", req.scheme:upper(), method or "GET", req.id, (ex and ex.suppress_url and host_header) or u);
-- cgit v1.2.3
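Review bot: The new block fails closed when the socket lacks `getpeerverification` or `getpeercertificate` (the `and` chains leave `chain_valid`/`cert` nil and the request is rejected), which is the right default for a TLS client but deserves a comment so it is not later "fixed" into a skip: `-- a socket without these LuaSec methods counts as verification failure (fail closed)`. `getpeerverification()` only yields a meaningful result when the context the connection was built with has a trust store and verify mode, and the sslctx literal earlier in this series shows neither, so if the environment supplies none every HTTPS request will end in `certificate-chain-invalid`; worth confirming on a real installation before merge. Setting `req.callback = nil` before `conn:close()` presumably keeps the disconnect path from reporting a second error for the same request, and a one-line comment stating that would make the ordering intentional. listener.onconnect continues past the hunk.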
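Review bot: When `req.insecure` is set, the changed `if` skips the whole validation block silently, so nothing in the logs records which HTTPS requests went out without certificate verification. A guarded line before it, `if req.insecure and conn:ssl() then log("warn", "Certificate validation disabled for request %s", req.id); end`, would make that visible to operators (`log` and `req.id` are both used in the debug line of the next hunk). A short comment on the flag itself, `-- insecure: the caller explicitly opted out of certificate validation for this request`, would also help the next reader.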
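Review bot: `req.insecure` is copied only from the per-request `ex` table on the `+` line (the enclosing `if ex then` appears to start outside the hunk), so unlike `sslctx` there is no instance-level fallback through `self.options`. If that asymmetry is deliberate, keeping verification from being disabled for a whole client at once, a comment would stop a later "consistency" change from adding one: `-- per-request only; deliberately no self.options fallback`. If it is not deliberate, the two option paths should be documented together in new().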