From 85ff75c53fe58cf16d51e01810712d8634d052c4 Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Thu, 22 Dec 2022 00:13:37 +0100 Subject: mod_s2s_auth_certs: Validate certificates against secure SRV targets Secure delegation or "Mini-DANE" As with the existing DANE support, only usable in one direction, client certificate authentication will fail if this is relied on. --- plugins/mod_s2s_auth_certs.lua | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'plugins/mod_s2s_auth_certs.lua') diff --git a/plugins/mod_s2s_auth_certs.lua b/plugins/mod_s2s_auth_certs.lua index bde3cb82..f917b116 100644 --- a/plugins/mod_s2s_auth_certs.lua +++ b/plugins/mod_s2s_auth_certs.lua @@ -12,6 +12,8 @@ module:hook("s2s-check-certificate", function(event) local conn = session.conn; local log = session.log or log; + local secure_hostname = conn.extra and conn.extra.secure_hostname; + if not cert then log("warn", "No certificate provided by %s", host or "unknown host"); return; @@ -45,6 +47,14 @@ module:hook("s2s-check-certificate", function(event) end log("debug", "certificate identity validation result: %s", session.cert_identity_status); end + + -- Check for DNSSEC-signed SRV hostname + if secure_hostname and session.cert_identity_status ~= "valid" then + if cert_verify_identity(secure_hostname, "xmpp-server", cert) then + module:log("info", "Secure SRV name delegation %q -> %q", secure_hostname, host); + session.cert_identity_status = "valid" + end + end end measure_cert_statuses:with_labels(session.cert_chain_status or "unknown", session.cert_identity_status or "unknown"):add(1); end, 509); -- cgit v1.2.3