Mercurial > prosody-modules
comparison mod_firewall/definitions.lib.lua @ 4127:e9e10ec1b91c
mod_firewall: Add checkcerts option for HTTP lists, cert verification disabled when SNI unsupported
This provides a balance between security and usability. SNI is supported in Prosody trunk
and in Prosody 0.11 from commit 30d3f6f85eb8 (scheduled for 0.11.7).
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Tue, 15 Sep 2020 11:49:55 +0100 |
| parents | 015452258952 |
| children | b88f05c878ac |
comparison
equal
deleted
inserted
replaced
| 4126:68ceb7e0cfe6 | 4127:e9e10ec1b91c |
|---|---|
| 102 self.hash_function = hashes[opts.hash]; | 102 self.hash_function = hashes[opts.hash]; |
| 103 end | 103 end |
| 104 local etag; | 104 local etag; |
| 105 local failure_count = 0; | 105 local failure_count = 0; |
| 106 local retry_intervals = { 60, 120, 300 }; | 106 local retry_intervals = { 60, 120, 300 }; |
| 107 -- By default only check the certificate if net.http supports SNI | |
| 108 local sni_supported = http.feature and http.features.sni; | |
| 109 local insecure = false; | |
| 110 if opts.checkcert == "never" then | |
| 111 insecure = true; | |
| 112 elseif (opts.checkcert == nil or opts.checkcert == "when-sni") and not sni_supported then | |
| 113 insecure = false; | |
| 114 end | |
| 107 local function update_list() | 115 local function update_list() |
| 108 http.request(url, { | 116 http.request(url, { |
| 117 insecure = insecure; | |
| 109 headers = { | 118 headers = { |
| 110 ["If-None-Match"] = etag; | 119 ["If-None-Match"] = etag; |
| 111 }; | 120 }; |
| 112 }, function (body, code, response) | 121 }, function (body, code, response) |
| 113 local next_poll = poll_interval; | 122 local next_poll = poll_interval; |