prosody/plugins/mod_s2s_auth_certs.lua

module:set_global();

local cert_verify_identity = require "prosody.util.x509".verify_identity;
local log = module._log;

local measure_cert_statuses = module:metric("counter", "checked", "", "Certificate validation results",
	{ "chain"; "identity" })

module:hook("s2s-check-certificate", function(event)
	local session, host, cert = event.session, event.host, event.cert;
	local conn = session.conn;
	local log = session.log or log;

	local secure_hostname = conn.extra and conn.extra.secure_hostname;

	if not cert then
		log("warn", "No certificate provided by %s", host or "unknown host");
		return;
	end

	local chain_valid, errors = conn:ssl_peerverification();
	-- Is there any interest in printing out all/the number of errors here?
	if not chain_valid then
		log("debug", "certificate chain validation result: invalid");
		if type(errors) == "table" then
			for depth, t in pairs(errors) do
				log("debug", "certificate error(s) at depth %d: %s", depth-1, table.concat(t, ", "));
			end
		else
			log("debug", "certificate error: %s", errors);
		end
		session.cert_chain_status = "invalid";
		session.cert_chain_errors = errors;
	else
		log("debug", "certificate chain validation result: valid");
		session.cert_chain_status = "valid";

		-- We'll go ahead and verify the asserted identity if the
		-- connecting server specified one.
		if host then
			if cert_verify_identity(host, "xmpp-server", cert) then
				session.cert_identity_status = "valid"
			else
				session.cert_identity_status = "invalid"
			end
			log("debug", "certificate identity validation result: %s", session.cert_identity_status);
		end

		-- Check for DNSSEC-signed SRV hostname
		if secure_hostname and session.cert_identity_status ~= "valid" then
			if cert_verify_identity(secure_hostname, "xmpp-server", cert) then
				module:log("info", "Secure SRV name delegation %q -> %q", secure_hostname, host);
				session.cert_identity_status = "valid"
			end
		end
	end
	measure_cert_statuses:with_labels(session.cert_chain_status or "unknown", session.cert_identity_status or "unknown"):add(1);
end, 509);
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin 12 years ago			`module:set_global();`

plugins: Prefix module imports with prosody namespace 3 years ago			`local cert_verify_identity = require "prosody.util.x509".verify_identity;`
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin 12 years ago			`local log = module._log;`

mod_s2s_auth_certs: Collect stats on validation results (for #975) 4 years ago			`local measure_cert_statuses = module:metric("counter", "checked", "", "Certificate validation results",`
			`{ "chain"; "identity" })`

mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin 12 years ago			`module:hook("s2s-check-certificate", function(event)`
			`local session, host, cert = event.session, event.host, event.cert;`
net: isolate LuaSec-specifics For this, various accessor functions are now provided directly on the sockets, which reach down into the LuaSec implementation to obtain the information. While this may seem of little gain at first, it hides the implementation detail of the LuaSec+LuaSocket combination that the actual socket and the TLS layer are separate objects. The net gain here is that an alternative implementation does not have to emulate that specific implementation detail and "only" has to expose LuaSec-compatible data structures on the new functions. 4 years ago			`local conn = session.conn;`
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate) 12 years ago			`local log = session.log or log;`
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin 12 years ago
mod_s2s_auth_certs: Validate certificates against secure SRV targets Secure delegation or "Mini-DANE" As with the existing DANE support, only usable in one direction, client certificate authentication will fail if this is relied on. 3 years ago			`local secure_hostname = conn.extra and conn.extra.secure_hostname;`

mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate) 12 years ago			`if not cert then`
			`log("warn", "No certificate provided by %s", host or "unknown host");`
			`return;`
			`end`

mod_s2s_auth_certs: Remove LuaSec compat that moved to net.server 2 years ago			`local chain_valid, errors = conn:ssl_peerverification();`
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate) 12 years ago			`-- Is there any interest in printing out all/the number of errors here?`
			`if not chain_valid then`
			`log("debug", "certificate chain validation result: invalid");`
mod_s2s_auth_certs: Handle potential string error conn:ssl_peerverification() can now return a single error in case the connection has been closed for whatever reason 2 years ago			`if type(errors) == "table" then`
			`for depth, t in pairs(errors) do`
			`log("debug", "certificate error(s) at depth %d: %s", depth-1, table.concat(t, ", "));`
			`end`
			`else`
			`log("debug", "certificate error: %s", errors);`
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin 12 years ago			`end`
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate) 12 years ago			`session.cert_chain_status = "invalid";`
mod_s2s_auth_certs: Save chain validation errors for later use 6 years ago			`session.cert_chain_errors = errors;`
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate) 12 years ago			`else`
			`log("debug", "certificate chain validation result: valid");`
			`session.cert_chain_status = "valid";`
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin 12 years ago
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate) 12 years ago			`-- We'll go ahead and verify the asserted identity if the`
			`-- connecting server specified one.`
			`if host then`
			`if cert_verify_identity(host, "xmpp-server", cert) then`
			`session.cert_identity_status = "valid"`
			`else`
			`session.cert_identity_status = "invalid"`
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin 12 years ago			`end`
mod_s2s_auth_certs: Warn about lack of certificate (Mostly jabberd14 not sending a client certificate) 12 years ago			`log("debug", "certificate identity validation result: %s", session.cert_identity_status);`
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin 12 years ago			`end`
mod_s2s_auth_certs: Validate certificates against secure SRV targets Secure delegation or "Mini-DANE" As with the existing DANE support, only usable in one direction, client certificate authentication will fail if this is relied on. 3 years ago
			`-- Check for DNSSEC-signed SRV hostname`
			`if secure_hostname and session.cert_identity_status ~= "valid" then`
			`if cert_verify_identity(secure_hostname, "xmpp-server", cert) then`
			`module:log("info", "Secure SRV name delegation %q -> %q", secure_hostname, host);`
			`session.cert_identity_status = "valid"`
			`end`
			`end`
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin 12 years ago			`end`
mod_s2s_auth_certs: Collect stats on validation results (for #975) 4 years ago			`measure_cert_statuses:with_labels(session.cert_chain_status or "unknown", session.cert_identity_status or "unknown"):add(1);`
mod_s2s_auth_certs: Split PKIX based certificate checking from mod_s2s into new plugin 12 years ago			`end, 509);`