view mod_tls_policy/mod_tls_policy.lua @ 1615:d0fd8a29b724

mod_tls_policy: Include which part of the cipher that did not match the policy in stream error
author Kim Alvefur <>
date Mon, 23 Feb 2015 15:45:11 +0100
parents c5ca63ac0e1b
children a43ed0d28918
line wrap: on
line source

assert(require"ssl.core".info, "Incompatible LuaSec version");

local function hook(event_name, typ, policy)
	if not policy then return end
	if policy == "FS" then
		policy = { key = "DH$" };
	elseif type(policy) == "string" then
		policy = { cipher = policy };

	module:hook(event_name, function (event)
		local origin = event.origin;
		if origin.encrypted then
			local info = origin.conn:socket():info();
			for key, what in pairs(policy) do
				module:log("debug", "Does info[%q] = %s match %s ?", key, tostring(info[key]), tostring(what));
				if (type(what) == "number" and what < info[key] ) or (type(what) == "string" and not info[key]:match(what)) then
					origin:close({ condition = "policy-violation", text = ("TLS %s '%s' not acceptable"):format(key, tostring(info[key])) });
					return false;
				module:log("debug", "Seems so");
			module:log("debug", "Policy matches");
	end, 1000);

local policy = module:get_option(, {});

if type(policy) == "string" then
	policy = { c2s = policy, s2s = policy };

hook("stream-features", "c2s", policy.c2s);
hook("s2s-stream-features", "s2sin", policy.s2sin or policy.s2s);
hook("stanza/", "s2sout", policy.s2sout or policy.s2s);