annotate mod_warn_legacy_tls/mod_warn_legacy_tls.lua @ 4433:0e3f5f70a51d

mod_auth_ccert/README: Add certificate purpose conifg to example Thanks debacle By default Prosody validates all client certificates as if they were server certificates, for historical reasons, from a time when you couldn't get certificates with the client purpose.
author Kim Alvefur <zash@zash.se>
date Sat, 06 Feb 2021 22:15:08 +0100
parents 406b32b50457
children
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
1525
37cef218ba20 mod_sslv3_warn: Module to notice users connected with SSLv3 that they need to upgrade becasue SSLv3 is insecure
Kim Alvefur <zash@zash.se>
parents:
diff changeset
1 local st = require"util.stanza";
37cef218ba20 mod_sslv3_warn: Module to notice users connected with SSLv3 that they need to upgrade becasue SSLv3 is insecure
Kim Alvefur <zash@zash.se>
parents:
diff changeset
2 local host = module.host;
37cef218ba20 mod_sslv3_warn: Module to notice users connected with SSLv3 that they need to upgrade becasue SSLv3 is insecure
Kim Alvefur <zash@zash.se>
parents:
diff changeset
3
3727
36023eb3254e mod_warn_legacy_tls: Adapt to warn about TLS < 1.2
Kim Alvefur <zash@zash.se>
parents: 3726
diff changeset
4 local deprecated_protocols = module:get_option_set("legacy_tls_versions", { "SSLv3", "TLSv1", "TLSv1.1" });
36023eb3254e mod_warn_legacy_tls: Adapt to warn about TLS < 1.2
Kim Alvefur <zash@zash.se>
parents: 3726
diff changeset
5 local warning_message = module:get_option_string("legacy_tls_warning", "Your connection is encrypted using the %s protocol, which has known problems and will be disabled soon. Please upgrade your client.");
1525
37cef218ba20 mod_sslv3_warn: Module to notice users connected with SSLv3 that they need to upgrade becasue SSLv3 is insecure
Kim Alvefur <zash@zash.se>
parents:
diff changeset
6
37cef218ba20 mod_sslv3_warn: Module to notice users connected with SSLv3 that they need to upgrade becasue SSLv3 is insecure
Kim Alvefur <zash@zash.se>
parents:
diff changeset
7 module:hook("resource-bind", function (event)
37cef218ba20 mod_sslv3_warn: Module to notice users connected with SSLv3 that they need to upgrade becasue SSLv3 is insecure
Kim Alvefur <zash@zash.se>
parents:
diff changeset
8 local session = event.session;
37cef218ba20 mod_sslv3_warn: Module to notice users connected with SSLv3 that they need to upgrade becasue SSLv3 is insecure
Kim Alvefur <zash@zash.se>
parents:
diff changeset
9 module:log("debug", "mod_%s sees that %s logged in", module.name, session.username);
37cef218ba20 mod_sslv3_warn: Module to notice users connected with SSLv3 that they need to upgrade becasue SSLv3 is insecure
Kim Alvefur <zash@zash.se>
parents:
diff changeset
10
37cef218ba20 mod_sslv3_warn: Module to notice users connected with SSLv3 that they need to upgrade becasue SSLv3 is insecure
Kim Alvefur <zash@zash.se>
parents:
diff changeset
11 local ok, protocol = pcall(function(session)
37cef218ba20 mod_sslv3_warn: Module to notice users connected with SSLv3 that they need to upgrade becasue SSLv3 is insecure
Kim Alvefur <zash@zash.se>
parents:
diff changeset
12 return session.conn:socket():info"protocol";
37cef218ba20 mod_sslv3_warn: Module to notice users connected with SSLv3 that they need to upgrade becasue SSLv3 is insecure
Kim Alvefur <zash@zash.se>
parents:
diff changeset
13 end, session);
37cef218ba20 mod_sslv3_warn: Module to notice users connected with SSLv3 that they need to upgrade becasue SSLv3 is insecure
Kim Alvefur <zash@zash.se>
parents:
diff changeset
14 if not ok then
3727
36023eb3254e mod_warn_legacy_tls: Adapt to warn about TLS < 1.2
Kim Alvefur <zash@zash.se>
parents: 3726
diff changeset
15 module:log("debug", "Could not determine TLS version: %s", protocol);
36023eb3254e mod_warn_legacy_tls: Adapt to warn about TLS < 1.2
Kim Alvefur <zash@zash.se>
parents: 3726
diff changeset
16 elseif deprecated_protocols:contains(protocol) then
3730
ec3eb426271e mod_warn_legacy_tls: Log a warning attached to sessions using deprecated TLS versions
Kim Alvefur <zash@zash.se>
parents: 3727
diff changeset
17 session.log("warn", "Uses %s", protocol);
1525
37cef218ba20 mod_sslv3_warn: Module to notice users connected with SSLv3 that they need to upgrade becasue SSLv3 is insecure
Kim Alvefur <zash@zash.se>
parents:
diff changeset
18 module:add_timer(15, function ()
37cef218ba20 mod_sslv3_warn: Module to notice users connected with SSLv3 that they need to upgrade becasue SSLv3 is insecure
Kim Alvefur <zash@zash.se>
parents:
diff changeset
19 if session.type == "c2s" and session.resource then
3727
36023eb3254e mod_warn_legacy_tls: Adapt to warn about TLS < 1.2
Kim Alvefur <zash@zash.se>
parents: 3726
diff changeset
20 session.send(st.message({ from = host, type = "headline", to = session.full_jid }, warning_message:format(protocol)));
1525
37cef218ba20 mod_sslv3_warn: Module to notice users connected with SSLv3 that they need to upgrade becasue SSLv3 is insecure
Kim Alvefur <zash@zash.se>
parents:
diff changeset
21 end
37cef218ba20 mod_sslv3_warn: Module to notice users connected with SSLv3 that they need to upgrade becasue SSLv3 is insecure
Kim Alvefur <zash@zash.se>
parents:
diff changeset
22 end);
3731
406b32b50457 mod_warn_legacy_tls: Log debug message for acceptable TLS versions
Kim Alvefur <zash@zash.se>
parents: 3730
diff changeset
23 else
406b32b50457 mod_warn_legacy_tls: Log debug message for acceptable TLS versions
Kim Alvefur <zash@zash.se>
parents: 3730
diff changeset
24 module:log("debug", "Using acceptable TLS version: %s", protocol);
1525
37cef218ba20 mod_sslv3_warn: Module to notice users connected with SSLv3 that they need to upgrade becasue SSLv3 is insecure
Kim Alvefur <zash@zash.se>
parents:
diff changeset
25 end
37cef218ba20 mod_sslv3_warn: Module to notice users connected with SSLv3 that they need to upgrade becasue SSLv3 is insecure
Kim Alvefur <zash@zash.se>
parents:
diff changeset
26 end);