From bfe5b17163329f4b5aab2436b5ba3c021b838db6 Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Sun, 4 Aug 2013 17:33:00 +0200 Subject: mod_s2s: Log certificate identity validation result --- plugins/mod_s2s/mod_s2s.lua | 1 + 1 file changed, 1 insertion(+) (limited to 'plugins/mod_s2s/mod_s2s.lua') diff --git a/plugins/mod_s2s/mod_s2s.lua b/plugins/mod_s2s/mod_s2s.lua index 5a2af968..ccf85012 100644 --- a/plugins/mod_s2s/mod_s2s.lua +++ b/plugins/mod_s2s/mod_s2s.lua @@ -255,6 +255,7 @@ local function check_cert_status(session) else session.cert_identity_status = "invalid" end + (session.log or log)("debug", "certificate identity validation result: %s", session.cert_identity_status); end end end -- cgit v1.2.3 From 47493361278343fd8693ade12dadf63715871609 Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Mon, 5 Aug 2013 20:47:38 +0200 Subject: mod_s2s: Improve policy check --- plugins/mod_s2s/mod_s2s.lua | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'plugins/mod_s2s/mod_s2s.lua') diff --git a/plugins/mod_s2s/mod_s2s.lua b/plugins/mod_s2s/mod_s2s.lua index ccf85012..95015526 100644 --- a/plugins/mod_s2s/mod_s2s.lua +++ b/plugins/mod_s2s/mod_s2s.lua @@ -642,7 +642,7 @@ function check_auth_policy(event) must_secure = false; end - if must_secure and not session.cert_identity_status then + if must_secure and (session.cert_chain_status ~= "valid" or session.cert_identity_status ~= "valid") then module:log("warn", "Forbidding insecure connection to/from %s", host); if session.direction == "incoming" then session:close({ condition = "not-authorized", text = "Your server's certificate is invalid, expired, or not trusted by "..session.to_host }); -- cgit v1.2.3 From 2d80fe3bbd1722cc703390bd9055902f7dd843bf Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Tue, 6 Aug 2013 14:32:31 +0200 Subject: mod_admin_telnet, mod_s2s: Fix reporting of certificate chain validation details --- plugins/mod_s2s/mod_s2s.lua | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'plugins/mod_s2s/mod_s2s.lua') diff --git a/plugins/mod_s2s/mod_s2s.lua b/plugins/mod_s2s/mod_s2s.lua index 95015526..bb46cd2f 100644 --- a/plugins/mod_s2s/mod_s2s.lua +++ b/plugins/mod_s2s/mod_s2s.lua @@ -239,7 +239,7 @@ local function check_cert_status(session) -- Is there any interest in printing out all/the number of errors here? if not chain_valid then (session.log or log)("debug", "certificate chain validation result: invalid"); - for depth, t in ipairs(errors or NULL) do + for depth, t in pairs(errors or NULL) do (session.log or log)("debug", "certificate error(s) at depth %d: %s", depth-1, table.concat(t, ", ")) end session.cert_chain_status = "invalid"; -- cgit v1.2.3