prosody-modules: mod_s2s_log_certs/mod_s2s_log

annotate mod_s2s_log_certs/mod_s2s_log_certs.lua @ 4432:e83284d4d5c2

mod_auth_ccert/README: Add setting to ensure Prosdy asks for client certificate This used to be the default for all services, but since it triggers annoying popups in web browsers it was inverted in Prosody and only s2s enables it, so it needs to be explicitly enabled for c2s again. See trunk 115b5e32d960 Thanks debacle

author	Kim Alvefur <zash@zash.se>
date	Sat, 06 Feb 2021 21:34:25 +0100
parents	663e5d923ef0
children

rev	line source
1009 fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	1 module:set_global();
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	2
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	3 local dm_load = require "util.datamanager".load;
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	4 local dm_store = require "util.datamanager".store;
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	5 local datetime = require "util.datetime".datetime;
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	6
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	7 local do_store = module:get_option_boolean(module:get_name().."_persist", false);
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	8 local digest_algo = module:get_option_string(module:get_name().."_digest", "sha1");
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	9
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	10 local function note_cert_digest(event)
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	11 local session, remote_host, cert = event.session, event.host, event.cert;
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	12
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	13 if not (remote_host and cert and cert.digest) then return end;
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	14 local digest = cert:digest(digest_algo);
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	15
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	16 local local_host = session.direction == "outgoing" and session.from_host or session.to_host;
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	17 local chain_status = session.cert_chain_status;
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	18 local identity_status = session.cert_identity_status;
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	19
1091 79ef0427765f mod_s2s_log_certs: Minor grammar change Kim Alvefur <zash@zash.se> parents: 1009 diff changeset	20 module:log("info", "%s has a %s %s certificate with %s: %s",
79ef0427765f mod_s2s_log_certs: Minor grammar change Kim Alvefur <zash@zash.se> parents: 1009 diff changeset	21 remote_host,
1009 fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	22 chain_status == "valid" and "trusted" or "untrusted",
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	23 identity_status or "invalid",
1091 79ef0427765f mod_s2s_log_certs: Minor grammar change Kim Alvefur <zash@zash.se> parents: 1009 diff changeset	24 digest_algo:upper(),
1009 fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	25 digest:upper():gsub("..",":%0"):sub(2));
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	26
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	27 if do_store then
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	28 local seen_certs = dm_load(remote_host, local_host, "s2s_certs") or {};
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	29
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	30 digest = digest_algo..":"..digest;
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	31 local this_cert = seen_certs[digest] or { first = datetime(); times = 0; }
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	32 this_cert.last = datetime();
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	33 this_cert.times = this_cert.times + 1;
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	34 seen_certs[digest] = this_cert;
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	35 chain_status = chain_status;
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	36 identity_status = identity_status;
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	37 dm_store(remote_host, local_host, "s2s_certs", seen_certs);
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	38 end
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	39 end
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	40
1787 663e5d923ef0 mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks Kim Alvefur <zash@zash.se> parents: 1091 diff changeset	41 if module.wrap_event then
663e5d923ef0 mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks Kim Alvefur <zash@zash.se> parents: 1091 diff changeset	42 -- 0.10
663e5d923ef0 mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks Kim Alvefur <zash@zash.se> parents: 1091 diff changeset	43 module:wrap_event("s2s-check-certificate", function (handlers, event_name, event_data)
663e5d923ef0 mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks Kim Alvefur <zash@zash.se> parents: 1091 diff changeset	44 local ret = handlers(event_name, event_data);
663e5d923ef0 mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks Kim Alvefur <zash@zash.se> parents: 1091 diff changeset	45 note_cert_digest(event_data);
663e5d923ef0 mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks Kim Alvefur <zash@zash.se> parents: 1091 diff changeset	46 return ret;
663e5d923ef0 mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks Kim Alvefur <zash@zash.se> parents: 1091 diff changeset	47 end);
663e5d923ef0 mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks Kim Alvefur <zash@zash.se> parents: 1091 diff changeset	48 else
663e5d923ef0 mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks Kim Alvefur <zash@zash.se> parents: 1091 diff changeset	49 -- 0.9
663e5d923ef0 mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks Kim Alvefur <zash@zash.se> parents: 1091 diff changeset	50 module:hook("s2s-check-certificate", note_cert_digest, 1000);
663e5d923ef0 mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks Kim Alvefur <zash@zash.se> parents: 1091 diff changeset	51 end
1009 fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	52 --[[
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	53 function module.add_host(module)
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	54 module:hook("s2s-check-certificate", note_cert_digest, 1000);
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	55 end
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	56 ]]

Mercurial > prosody-modules

annotate mod_s2s_log_certs/mod_s2s_log_certs.lua @ 4432:e83284d4d5c2