comparison mod_client_certs/mod_client_certs.lua @ 3447:5f2eeebcf899
mod_client_certs: do not crash on plain sockets
In some situations (e.g., reverse-proxied websocket), non-TLS sockets
can be marked as secure, causing mod_client_certs to call the undefined
method getpeercertificate and crash.
author | Thibaut Girka <thib@sitedethib.com> |
---|---|
date | Fri, 18 Jan 2019 14:06:05 +0100 |
parents | 4b43b317e8f5 |
children |
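--- a/mod_client_certs/mod_client_certs.lua
+++ b/mod_client_certs/mod_client_certs.lua
@@ -92,11 +92,11 @@
 module:log("debug", "%s revoked a certificate! Disconnecting all clients that used it", username);
 local sessions = hosts[module.host].sessions[username].sessions;
 local disabled_cert_pem = info.pem;
 
 for _, session in pairs(sessions) do
-if session and session.conn then
+if session and session.conn and session.conn:socket().getpeercertificate then
 local cert = session.conn:socket():getpeercertificate();
 
 if cert and cert:pem() == disabled_cert_pem then
 module:log("debug", "Found a session that should be closed: %s", tostring(session));
 session:close{ condition = "not-authorized", text = "This client side certificate has been revoked."};
@@ -334,11 +334,16 @@
 
 local now = os.time;
 module:hook("stream-features", function(event)
 local session, features = event.origin, event.features;
 if session.secure and session.type == "c2s_unauthed" then
-local cert = session.conn:socket():getpeercertificate();
+local socket = session.conn:socket();
+if not socket.getpeercertificate then
+module:log("debug", "Not a TLS socket");
+return
+end
+local cert = socket:getpeercertificate();
 if not cert then
 module:log("error", "No Client Certificate");
 return
 end
 module:log("info", "Client Certificate: %s", cert:digest(digest_algo));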
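Review bot: The local named `socket` introduced at new line 339 shadows any module-level `socket` binding for the rest of the handler (Prosody modules commonly hold the LuaSocket library under that name), so a later reference inside this function would silently resolve to the connection object instead; I cannot see the top of the file, so this is a hedge, but `local sock = session.conn:socket();` avoids the question entirely. The debug message `"Not a TLS socket"` describes only the backend socket: in the reverse-proxied case the commit message describes, `session.secure` is true because TLS was terminated upstream, and an operator reading the log will not learn why SASL EXTERNAL is never offered — a message along the lines of `"Socket has no peer-certificate API (TLS terminated upstream?); client certificate authentication unavailable"` makes the consequence visible. The same capability test is written two ways in this commit, as an inline field test at line 97 and as a local plus early return here; a single small helper would keep the two call sites from drifting apart when one is next adjusted. The stream-features handler continues past the end of this hunk, and the revocation loop at lines 96-102 sits inside a function that starts and ends outside its hunk.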