apitech
/
prosody
mirror of https://github.com/bjc/prosody
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
IMPORTANT: due to a drive failure, as of 13-Mar-2021, the Mercurial repository had to be re-mirrored, which changed every commit SHA. The old SHAs and trees are backed up in the vault branches. Please migrate to the new branches as soon as you can.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
11850 Commits
12 Branches
101 Tags
54 MiB
 
 
 
 
Tag: Branch: Tree: 21eeadecc7
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '21eeadecc7'
${ noResults }
prosody/plugins/mod_s2s_auth_certs.lua

51 lines
1.7 KiB
Raw Blame History

module:set_global();
local cert_verify_identity = require "util.x509".verify_identity;
local NULL = {};
local log = module._log;
local measure_cert_statuses = module:metric("counter", "checked", "", "Certificate validation results",
{ "chain"; "identity" })
module:hook("s2s-check-certificate", function(event)
local session, host, cert = event.session, event.host, event.cert;
local conn = session.conn:socket();
local log = session.log or log;
if not cert then
log("warn", "No certificate provided by %s", host or "unknown host");
return;
end
local chain_valid, errors;
if conn.getpeerverification then
chain_valid, errors = conn:getpeerverification();
else
chain_valid, errors = false, { { "Chain verification not supported by this version of LuaSec" } };
end
-- Is there any interest in printing out all/the number of errors here?
if not chain_valid then
log("debug", "certificate chain validation result: invalid");
for depth, t in pairs(errors or NULL) do
log("debug", "certificate error(s) at depth %d: %s", depth-1, table.concat(t, ", "))
end
session.cert_chain_status = "invalid";
session.cert_chain_errors = errors;
else
log("debug", "certificate chain validation result: valid");
session.cert_chain_status = "valid";
-- We'll go ahead and verify the asserted identity if the
-- connecting server specified one.
if host then
if cert_verify_identity(host, "xmpp-server", cert) then
session.cert_identity_status = "valid"
else
session.cert_identity_status = "invalid"
end
log("debug", "certificate identity validation result: %s", session.cert_identity_status);
end
end
measure_cert_statuses:with_labels(session.cert_chain_status or "unknown", session.cert_identity_status or "unknown"):add(1);
end, 509);