Mercurial > prosody-modules
diff mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 1330:bb6f3312ab46
mod_s2s_auth_dane: Don't allow unencrypted connections if TLSA exists
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Wed, 05 Mar 2014 17:44:27 +0100 |
parents | 8d99b9c4cf0c |
children | 08a0241f5d2c |
line wrap: on
line diff
--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Wed Mar 05 17:42:15 2014 +0100 +++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Wed Mar 05 17:44:27 2014 +0100 @@ -104,6 +104,23 @@ end end); +function module.add_host(module) + module:hook("s2s-authenticated", function(event) + local session = event.session; + local srv_hosts = session.srv_hosts; + local srv_choice = session.srv_choice; + if srv_hosts[srv_choice].dane and not session.secure then + -- TLSA record but no TLS, not ok. + session:close({ + condition = "policy-violation", + text = "Encrypted server-to-server communication is required but was not " + ..((session.direction == "outgoing" and "offered") or "used") + }); + return false; + end + end); +end + function module.unload() s2sout.try_connect = _try_connect; end