annotate mod_warn_legacy_tls/mod_warn_legacy_tls.lua @ 5401:c8d04ac200fc

mod_http_oauth2: Reject loopback URIs as client_uri This really should be a proper website with info, https://localhost is not good enough. Ideally we'd validate that it's got proper DNS and is actually reachable, but triggering HTTP or even DNS lookups seems like it would carry abuse potential that would best to avoid.
author Kim Alvefur <zash@zash.se>
date Tue, 02 May 2023 16:20:55 +0200
parents 406b32b50457
children
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
1525
37cef218ba20 mod_sslv3_warn: Module to notice users connected with SSLv3 that they need to upgrade becasue SSLv3 is insecure
Kim Alvefur <zash@zash.se>
parents:
diff changeset
1 local st = require"util.stanza";
37cef218ba20 mod_sslv3_warn: Module to notice users connected with SSLv3 that they need to upgrade becasue SSLv3 is insecure
Kim Alvefur <zash@zash.se>
parents:
diff changeset
2 local host = module.host;
37cef218ba20 mod_sslv3_warn: Module to notice users connected with SSLv3 that they need to upgrade becasue SSLv3 is insecure
Kim Alvefur <zash@zash.se>
parents:
diff changeset
3
3727
36023eb3254e mod_warn_legacy_tls: Adapt to warn about TLS < 1.2
Kim Alvefur <zash@zash.se>
parents: 3726
diff changeset
4 local deprecated_protocols = module:get_option_set("legacy_tls_versions", { "SSLv3", "TLSv1", "TLSv1.1" });
36023eb3254e mod_warn_legacy_tls: Adapt to warn about TLS < 1.2
Kim Alvefur <zash@zash.se>
parents: 3726
diff changeset
5 local warning_message = module:get_option_string("legacy_tls_warning", "Your connection is encrypted using the %s protocol, which has known problems and will be disabled soon. Please upgrade your client.");
1525
37cef218ba20 mod_sslv3_warn: Module to notice users connected with SSLv3 that they need to upgrade becasue SSLv3 is insecure
Kim Alvefur <zash@zash.se>
parents:
diff changeset
6
37cef218ba20 mod_sslv3_warn: Module to notice users connected with SSLv3 that they need to upgrade becasue SSLv3 is insecure
Kim Alvefur <zash@zash.se>
parents:
diff changeset
7 module:hook("resource-bind", function (event)
37cef218ba20 mod_sslv3_warn: Module to notice users connected with SSLv3 that they need to upgrade becasue SSLv3 is insecure
Kim Alvefur <zash@zash.se>
parents:
diff changeset
8 local session = event.session;
37cef218ba20 mod_sslv3_warn: Module to notice users connected with SSLv3 that they need to upgrade becasue SSLv3 is insecure
Kim Alvefur <zash@zash.se>
parents:
diff changeset
9 module:log("debug", "mod_%s sees that %s logged in", module.name, session.username);
37cef218ba20 mod_sslv3_warn: Module to notice users connected with SSLv3 that they need to upgrade becasue SSLv3 is insecure
Kim Alvefur <zash@zash.se>
parents:
diff changeset
10
37cef218ba20 mod_sslv3_warn: Module to notice users connected with SSLv3 that they need to upgrade becasue SSLv3 is insecure
Kim Alvefur <zash@zash.se>
parents:
diff changeset
11 local ok, protocol = pcall(function(session)
37cef218ba20 mod_sslv3_warn: Module to notice users connected with SSLv3 that they need to upgrade becasue SSLv3 is insecure
Kim Alvefur <zash@zash.se>
parents:
diff changeset
12 return session.conn:socket():info"protocol";
37cef218ba20 mod_sslv3_warn: Module to notice users connected with SSLv3 that they need to upgrade becasue SSLv3 is insecure
Kim Alvefur <zash@zash.se>
parents:
diff changeset
13 end, session);
37cef218ba20 mod_sslv3_warn: Module to notice users connected with SSLv3 that they need to upgrade becasue SSLv3 is insecure
Kim Alvefur <zash@zash.se>
parents:
diff changeset
14 if not ok then
3727
36023eb3254e mod_warn_legacy_tls: Adapt to warn about TLS < 1.2
Kim Alvefur <zash@zash.se>
parents: 3726
diff changeset
15 module:log("debug", "Could not determine TLS version: %s", protocol);
36023eb3254e mod_warn_legacy_tls: Adapt to warn about TLS < 1.2
Kim Alvefur <zash@zash.se>
parents: 3726
diff changeset
16 elseif deprecated_protocols:contains(protocol) then
3730
ec3eb426271e mod_warn_legacy_tls: Log a warning attached to sessions using deprecated TLS versions
Kim Alvefur <zash@zash.se>
parents: 3727
diff changeset
17 session.log("warn", "Uses %s", protocol);
1525
37cef218ba20 mod_sslv3_warn: Module to notice users connected with SSLv3 that they need to upgrade becasue SSLv3 is insecure
Kim Alvefur <zash@zash.se>
parents:
diff changeset
18 module:add_timer(15, function ()
37cef218ba20 mod_sslv3_warn: Module to notice users connected with SSLv3 that they need to upgrade becasue SSLv3 is insecure
Kim Alvefur <zash@zash.se>
parents:
diff changeset
19 if session.type == "c2s" and session.resource then
3727
36023eb3254e mod_warn_legacy_tls: Adapt to warn about TLS < 1.2
Kim Alvefur <zash@zash.se>
parents: 3726
diff changeset
20 session.send(st.message({ from = host, type = "headline", to = session.full_jid }, warning_message:format(protocol)));
1525
37cef218ba20 mod_sslv3_warn: Module to notice users connected with SSLv3 that they need to upgrade becasue SSLv3 is insecure
Kim Alvefur <zash@zash.se>
parents:
diff changeset
21 end
37cef218ba20 mod_sslv3_warn: Module to notice users connected with SSLv3 that they need to upgrade becasue SSLv3 is insecure
Kim Alvefur <zash@zash.se>
parents:
diff changeset
22 end);
3731
406b32b50457 mod_warn_legacy_tls: Log debug message for acceptable TLS versions
Kim Alvefur <zash@zash.se>
parents: 3730
diff changeset
23 else
406b32b50457 mod_warn_legacy_tls: Log debug message for acceptable TLS versions
Kim Alvefur <zash@zash.se>
parents: 3730
diff changeset
24 module:log("debug", "Using acceptable TLS version: %s", protocol);
1525
37cef218ba20 mod_sslv3_warn: Module to notice users connected with SSLv3 that they need to upgrade becasue SSLv3 is insecure
Kim Alvefur <zash@zash.se>
parents:
diff changeset
25 end
37cef218ba20 mod_sslv3_warn: Module to notice users connected with SSLv3 that they need to upgrade becasue SSLv3 is insecure
Kim Alvefur <zash@zash.se>
parents:
diff changeset
26 end);