From dd3368d55b9a5c85938c90ebb92f7b60e0c0df2e Mon Sep 17 00:00:00 2001
From: Kim Alvefur <zash@zash.se>
Date: Thu, 24 Sep 2015 20:02:00 +0200
Subject: prosodyctl check: Warn if encryption is required but LuaSec is
 unavailable

---
 prosodyctl | 13 +++++++++++++
 1 file changed, 13 insertions(+)

(limited to 'prosodyctl')

diff --git a/prosodyctl b/prosodyctl
index b23d395d..ac0b7cd0 100755
--- a/prosodyctl
+++ b/prosodyctl
@@ -913,6 +913,19 @@ function commands.check(arg)
 			   	print("     For more information see: http://prosody.im/doc/dns");
 			end
 		end
+		local all_options = set.new();
+		for host in enabled_hosts() do
+			all_options:include(set.new(it.to_array(it.keys(config[host]))));
+		end
+		local ssl = nil, dependencies.softreq"ssl";
+		if not ssl then
+			if not set.intersection(all_options, set.new({"require_encryption", "c2s_require_encryption", "s2s_require_encryption"})):empty() then
+				print("");
+				print("    You require encryption but LuaSec is not available.");
+				print("    Connections will fail.");
+				ok = false;
+			end
+		end
 		
 		print("Done.\n");
 	end
-- 
cgit v1.2.3


From eb5aa38412c052e2d6aa8d99dcc32817a7836795 Mon Sep 17 00:00:00 2001
From: Kim Alvefur <zash@zash.se>
Date: Thu, 24 Sep 2015 20:02:57 +0200
Subject: prosodyctl check: Warn if certificate checking is enforced but LuaSec
 is too old

---
 prosodyctl | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

(limited to 'prosodyctl')

diff --git a/prosodyctl b/prosodyctl
index ac0b7cd0..e4e22322 100755
--- a/prosodyctl
+++ b/prosodyctl
@@ -925,6 +925,30 @@ function commands.check(arg)
 				print("    Connections will fail.");
 				ok = false;
 			end
+		elseif not ssl.loadcertificate then
+			if all_options:contains("s2s_secure_auth") then
+				print("");
+				print("    You have set s2s_secure_auth but your version of LuaSec does ");
+				print("    not support certificate validation, so all s2s connections will");
+				print("    fail.");
+				ok = false;
+			elseif all_options:contains("s2s_secure_domains") then
+				local secure_domains = set.new();
+				for host in enabled_hosts() do
+					if config[host].s2s_secure_auth == true then
+						secure_domains:add("*");
+					else
+						secure_domains:include(set.new(config[host].s2s_secure_domains));
+					end
+				end
+				if not secure_domains:empty() then
+					print("");
+					print("    You have set s2s_secure_domains but your version of LuaSec does ");
+					print("    not support certificate validation, so s2s connections to/from ");
+					print("    these domains will fail.");
+					ok = false;
+				end
+			end
 		end
 		
 		print("Done.\n");
-- 
cgit v1.2.3