Mercurial > prosody-modules
comparison mod_client_certs/mod_client_certs.lua @ 3447:5f2eeebcf899
mod_client_certs: do not crash on plain sockets
In some situations (e.g., reverse-proxied websocket), non-TLS sockets
can be marked as secure, causing mod_client_certs to call the undefined
method getpeercertificate and crash.
| author | Thibaut Girka <thib@sitedethib.com> |
|---|---|
| date | Fri, 18 Jan 2019 14:06:05 +0100 |
| parents | 4b43b317e8f5 |
| children |
comparison
equal
deleted
inserted
replaced
| 3446:a5a50cd34386 | 3447:5f2eeebcf899 |
|---|---|
| 92 module:log("debug", "%s revoked a certificate! Disconnecting all clients that used it", username); | 92 module:log("debug", "%s revoked a certificate! Disconnecting all clients that used it", username); |
| 93 local sessions = hosts[module.host].sessions[username].sessions; | 93 local sessions = hosts[module.host].sessions[username].sessions; |
| 94 local disabled_cert_pem = info.pem; | 94 local disabled_cert_pem = info.pem; |
| 95 | 95 |
| 96 for _, session in pairs(sessions) do | 96 for _, session in pairs(sessions) do |
| 97 if session and session.conn then | 97 if session and session.conn and session.conn:socket().getpeercertificate then |
| 98 local cert = session.conn:socket():getpeercertificate(); | 98 local cert = session.conn:socket():getpeercertificate(); |
| 99 | 99 |
| 100 if cert and cert:pem() == disabled_cert_pem then | 100 if cert and cert:pem() == disabled_cert_pem then |
| 101 module:log("debug", "Found a session that should be closed: %s", tostring(session)); | 101 module:log("debug", "Found a session that should be closed: %s", tostring(session)); |
| 102 session:close{ condition = "not-authorized", text = "This client side certificate has been revoked."}; | 102 session:close{ condition = "not-authorized", text = "This client side certificate has been revoked."}; |
| 334 | 334 |
| 335 local now = os.time; | 335 local now = os.time; |
| 336 module:hook("stream-features", function(event) | 336 module:hook("stream-features", function(event) |
| 337 local session, features = event.origin, event.features; | 337 local session, features = event.origin, event.features; |
| 338 if session.secure and session.type == "c2s_unauthed" then | 338 if session.secure and session.type == "c2s_unauthed" then |
| 339 local cert = session.conn:socket():getpeercertificate(); | 339 local socket = session.conn:socket(); |
| 340 if not socket.getpeercertificate then | |
| 341 module:log("debug", "Not a TLS socket"); | |
| 342 return | |
| 343 end | |
| 344 local cert = socket:getpeercertificate(); | |
| 340 if not cert then | 345 if not cert then |
| 341 module:log("error", "No Client Certificate"); | 346 module:log("error", "No Client Certificate"); |
| 342 return | 347 return |
| 343 end | 348 end |
| 344 module:log("info", "Client Certificate: %s", cert:digest(digest_algo)); | 349 module:log("info", "Client Certificate: %s", cert:digest(digest_algo)); |