mirrors/prosody
1
0
Fork 0
mirror of https://github.com/bjc/prosody.git synced 2025-04-06 22:57:38 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

mod_s2s: Improve error in bounces due to cert validation problems

Browse source
This commit is contained in:
Kim Alvefur 2019-11-27 23:26:59 +01:00
parent f864eaf14f
commit 2934eccd99
1 changed files with 24 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

27
plugins/mod_s2s/mod_s2s.lua
View file

@ -30,6 +30,7 @@ local runner = require "util.async".runner;
local connect = require "net.connect".connect; local connect = require "net.connect".connect;
local service = require "net.resolvers.service"; local service = require "net.resolvers.service";
local errors = require "util.error"; local errors = require "util.error";
local set = require "util.set";
local connect_timeout = module:get_option_number("s2s_timeout", 90); local connect_timeout = module:get_option_number("s2s_timeout", 90);
local stream_close_timeout = module:get_option_number("s2s_close_timeout", 5); local stream_close_timeout = module:get_option_number("s2s_close_timeout", 5);
@ -725,6 +726,25 @@ function listener.onattach(conn, data)
end end
end end
-- Complete the sentence "Your certificate " with what's wrong
local function friendly_cert_error(session) --> string
if session.cert_chain_status == "invalid" then
if session.cert_chain_errors then
local cert_errors = set.new(session.cert_chain_errors[1]);
if cert_errors:contains("certificate has expired") then
return "has expired";
elseif cert_errors:contains("self signed certificate") then
return "is self-signed";
end
end
return "is not trusted"; -- for some other reason
elseif session.cert_identity_status == "invalid" then
return "is not valid for this name";
end
-- this should normally be unreachable except if no s2s auth module was loaded
return "could not be validated";
end
function check_auth_policy(event) function check_auth_policy(event)
local host, session = event.host, event.session; local host, session = event.host, event.session;
local must_secure = secure_auth; local must_secure = secure_auth;
@ -737,11 +757,12 @@ function check_auth_policy(event)
if must_secure and (session.cert_chain_status ~= "valid" or session.cert_identity_status ~= "valid") then if must_secure and (session.cert_chain_status ~= "valid" or session.cert_identity_status ~= "valid") then
module:log("warn", "Forbidding insecure connection to/from %s", host or session.ip or "(unknown host)"); module:log("warn", "Forbidding insecure connection to/from %s", host or session.ip or "(unknown host)");
local reason = friendly_cert_error(session);
if session.direction == "incoming" then if session.direction == "incoming" then
session:close({ condition = "not-authorized", text = "Your server's certificate is invalid, expired, or not trusted by "..session.to_host }, session:close({ condition = "not-authorized", text = "Your server's certificate "..reason },
nil, "Remote server's certificate is invalid, expired, or not trusted"); nil, "Remote server's certificate "..reason);
else -- Close outgoing connections without warning else -- Close outgoing connections without warning
session:close(false, nil, "Remote server's certificate is invalid, expired, or not trusted"); session:close(false, nil, "Remote server's certificate "..reason);
end end
return false; return false;
end end