Mercurial > prosody-modules
comparison mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 1330:bb6f3312ab46
mod_s2s_auth_dane: Don't allow unencrypted connections if TLSA exists
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Wed, 05 Mar 2014 17:44:27 +0100 |
| parents | 8d99b9c4cf0c |
| children | 08a0241f5d2c |
comparison
equal
deleted
inserted
replaced
| 1329:8d99b9c4cf0c | 1330:bb6f3312ab46 |
|---|---|
| 102 session.cert_chain_status = "invalid"; | 102 session.cert_chain_status = "invalid"; |
| 103 end | 103 end |
| 104 end | 104 end |
| 105 end); | 105 end); |
| 106 | 106 |
| 107 function module.add_host(module) | |
| 108 module:hook("s2s-authenticated", function(event) | |
| 109 local session = event.session; | |
| 110 local srv_hosts = session.srv_hosts; | |
| 111 local srv_choice = session.srv_choice; | |
| 112 if srv_hosts[srv_choice].dane and not session.secure then | |
| 113 -- TLSA record but no TLS, not ok. | |
| 114 session:close({ | |
| 115 condition = "policy-violation", | |
| 116 text = "Encrypted server-to-server communication is required but was not " | |
| 117 ..((session.direction == "outgoing" and "offered") or "used") | |
| 118 }); | |
| 119 return false; | |
| 120 end | |
| 121 end); | |
| 122 end | |
| 123 | |
| 107 function module.unload() | 124 function module.unload() |
| 108 s2sout.try_connect = _try_connect; | 125 s2sout.try_connect = _try_connect; |
| 109 end | 126 end |
| 110 | 127 |