comparison mod_checkcerts/mod_checkcerts.lua @ 855:1983d4d51e1a
mod_checkcerts: Improve, add comments, add forward compatibility.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Mon, 29 Oct 2012 00:46:51 +0100 |
parents | ea9941812721 |
children | a6c2345bcf87 |
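--- a/mod_checkcerts/mod_checkcerts.lua
+++ b/mod_checkcerts/mod_checkcerts.lua
@@ -1,34 +1,47 @@
 local ssl = require"ssl";
-if not ssl.cert_from_pem then
-module:log("error", "This version of LuaSec (%s) doesn't support certificate checking", ssl._VERSION);
+local load_cert = ssl.x509 and ssl.x509.load
+or ssl.cert_from_pem; -- COMPAT mw/luasec-hg
+
+if not load_cert then
+module:log("error", "This version of LuaSec (%s) does not support certificate checking", ssl._VERSION);
 return
 end
 
 local function check_certs_validity()
+-- First, let's find out what certificate this host uses.
 local ssl_config = config.rawget(module.host, "core", "ssl");
 if not ssl_config then
 local base_host = module.host:match("%.(.*)");
 ssl_config = config.get(base_host, "core", "ssl");
 end
 
-if ssl.cert_from_pem and ssl_config.certificate then
+if ssl_config.certificate then
 local certfile = ssl_config.certificate;
 local cert;
-local fh, err = io.open(certfile);
+
+local fh = io.open(certfile); -- Load the file.
 cert = fh and fh:read"*a";
-cert = cert and ssl.cert_from_pem(cert);
+fh:close();
+cert = cert and load_cert(cert); -- And parse
 if not cert then return end
-fh:close();
+-- No error reporting, certmanager should complain already
 
-if not cert:valid_at(os.time()) then
+local now = os.time();
+local valid_at = cert.valid_at or cert.validat;
+if not valid_at then return end -- Broken or uncommon LuaSec version?
+
+-- This might be wrong if the certificate has NotBefore in the future.
+-- However this is unlikely to happen in the wild.
+if not valid_at(cert, now) then
 module:log("warn", "The certificate %s has expired", certfile);
-elseif not cert:valid_at(os.time()+86400*7) then
+elseif not valid_at(cert, now+86400*7) then
 module:log("warn", "The certificate %s will expire this week", certfile);
-elseif not cert:valid_at(os.time()+86400*30) then
+elseif not valid_at(cert, now+86400*30) then
 module:log("info", "The certificate %s will expire later this month", certfile);
 end
+-- TODO Maybe notify admins
 end
 end
 
 module.load = check_certs_validity;
 module:hook_global("config-reloaded", check_certs_validity);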
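Review bot: The unconditional `fh:close();` on new line 24 runs before the `if not cert then return end` guard, so when `io.open(certfile)` fails (missing or unreadable certificate file) `fh` is nil and the close raises "attempt to index a nil value", aborting module load; the old ordering returned silently in that case because the `if not cert` check came first. A missing or unreadable certificate file is precisely the misconfiguration this module exists to surface, so the check should degrade to the documented "no error reporting" path rather than crash. Guard the handle right after opening: `local fh = io.open(certfile); -- Load the file.` followed by `if not fh then return end`, then `cert = fh:read"*a"; fh:close();`, which also keeps the commit's intent of closing the handle before the parse step. Note that this only fixes the new regression; `ssl_config.certificate` still indexes nil when neither the host nor its base host has an `ssl` section, which predates this change.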