diff mod_firewall/definitions.lib.lua @ 4127:e9e10ec1b91c
mod_firewall: Add checkcerts option for HTTP lists, cert verification disabled when SNI unsupported
This provides a balance between security and usability. SNI is supported in Prosody trunk
and in Prosody 0.11 from commit 30d3f6f85eb8 (scheduled for 0.11.7).
author | Matthew Wild <mwild1@gmail.com> |
---|---|
date | Tue, 15 Sep 2020 11:49:55 +0100 |
parents | 015452258952 |
children | b88f05c878ac |
--- a/mod_firewall/definitions.lib.lua Tue Sep 15 11:45:09 2020 +0100
+++ b/mod_firewall/definitions.lib.lua Tue Sep 15 11:49:55 2020 +0100
@@ -104,8 +104,17 @@
 local etag;
 local failure_count = 0;
 local retry_intervals = { 60, 120, 300 };
+ -- By default only check the certificate if net.http supports SNI
+ local sni_supported = http.feature and http.features.sni;
+ local insecure = false;
+ if opts.checkcert == "never" then
+ insecure = true;
+ elseif (opts.checkcert == nil or opts.checkcert == "when-sni") and not sni_supported then
+ insecure = false;
+ end
 local function update_list()
 http.request(url, {
+ insecure = insecure;
 headers = {
 ["If-None-Match"] = etag;
 };
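Review bot: The `elseif` branch assigns `insecure = false`, which is the value `insecure` already holds, so the default "when-sni" mode never disables verification the way the commit message says it should; the branch should read `insecure = true;`. The line above it, `http.feature and http.features.sni`, tests a singular `feature` field but reads the plural `features`, so `sni_supported` is probably always falsy; once the branch is corrected that would turn verification off even on builds where SNI is available, so it should be `local sni_supported = http.features and http.features.sni;`. The option is also named `checkcerts` in the commit title but read as `opts.checkcert` in the code, which is worth settling in the option's documentation. The enclosing function begins before the hunk and `update_list` continues past it.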