comparison mod_s2s_log_certs/mod_s2s_log_certs.lua @ 1009:fcba646eb20a

mod_s2s_log_certs: Log certificate status and fingerprints
author Kim Alvefur <zash@zash.se>
date Thu, 09 May 2013 13:37:55 +0200
parents
children 79ef0427765f
comparison
equal deleted inserted replaced
1008:2b2d4b1de638 1009:fcba646eb20a
1 module:set_global();
2
3 local dm_load = require "util.datamanager".load;
4 local dm_store = require "util.datamanager".store;
5 local datetime = require "util.datetime".datetime;
6
7 local do_store = module:get_option_boolean(module:get_name().."_persist", false);
8 local digest_algo = module:get_option_string(module:get_name().."_digest", "sha1");
9
10 local function note_cert_digest(event)
11 local session, remote_host, cert = event.session, event.host, event.cert;
12
13 if not (remote_host and cert and cert.digest) then return end;
14 local digest = cert:digest(digest_algo);
15
16 local local_host = session.direction == "outgoing" and session.from_host or session.to_host;
17 local chain_status = session.cert_chain_status;
18 local identity_status = session.cert_identity_status;
19
20 module:log("info", "Spotted %s %s certificate used by %s with %s: %s",
21 chain_status == "valid" and "trusted" or "untrusted",
22 identity_status or "invalid",
23 remote_host, digest_algo:upper(),
24 digest:upper():gsub("..",":%0"):sub(2));
25
26 if do_store then
27 local seen_certs = dm_load(remote_host, local_host, "s2s_certs") or {};
28
29 digest = digest_algo..":"..digest;
30 local this_cert = seen_certs[digest] or { first = datetime(); times = 0; }
31 this_cert.last = datetime();
32 this_cert.times = this_cert.times + 1;
33 seen_certs[digest] = this_cert;
34 chain_status = chain_status;
35 identity_status = identity_status;
36 dm_store(remote_host, local_host, "s2s_certs", seen_certs);
37 end
38 end
39
40 module:hook("s2s-check-certificate", note_cert_digest, 1000);
41 --[[
42 function module.add_host(module)
43 module:hook("s2s-check-certificate", note_cert_digest, 1000);
44 end
45 ]]