# HG changeset patch # User Michel Le Bihan # Date 1533736730 -7200 # Node ID 0e78523f8c20d363e8aadf36d25e9e5104091a02 # Parent 58d61459cdb1f0817efc496f8549282945976b53 mod_watchuntrusted: Add option to ignore domains diff -r 58d61459cdb1 -r 0e78523f8c20 mod_watchuntrusted/README.markdown --- a/mod_watchuntrusted/README.markdown Wed Aug 08 15:20:52 2018 +0200 +++ b/mod_watchuntrusted/README.markdown Wed Aug 08 15:58:50 2018 +0200 @@ -32,6 +32,7 @@ untrusted\_fail\_watchers All admins The users to send the message to untrusted\_fail\_notification "Establishing a secure connection from \$from\_host to \$to\_host failed. Certificate hash: \$sha1. \$errors" The message to send, \$from\_host, \$to\_host, \$sha1 and \$errors are replaced untrusted\_message\_type `"chat"` Which kind of message to send. `"normal"` or `"headline"` are other sensible options + untrusted\_ignore\_domains Empty The domains that this module should not warn about Compatibility ============= diff -r 58d61459cdb1 -r 0e78523f8c20 mod_watchuntrusted/mod_watchuntrusted.lua --- a/mod_watchuntrusted/mod_watchuntrusted.lua Wed Aug 08 15:20:52 2018 +0200 +++ b/mod_watchuntrusted/mod_watchuntrusted.lua Wed Aug 08 15:58:50 2018 +0200 @@ -4,6 +4,8 @@ local secure_domains, insecure_domains = module:get_option_set("s2s_secure_domains", {})._items, module:get_option_set("s2s_insecure_domains", {})._items; +local ignore_domains = module:get_option_set("untrusted_ignore_domains", {})._items; + local untrusted_fail_watchers = module:get_option_set("untrusted_fail_watchers", module:get_option("admins", {})) / jid_prep; local untrusted_fail_notification = module:get_option("untrusted_fail_notification", "Establishing a secure connection from $from_host to $to_host failed. Certificate hash: $sha256. $errors"); @@ -22,15 +24,21 @@ if not (local_host == module:get_host()) then return end module:log("debug", "Checking certificate..."); + local certificate_is_valid = false; + + if session.cert_chain_status == "valid" and session.cert_identity_status == "valid" then + certificate_is_valid = true; + end + local must_secure = secure_auth; if not must_secure and secure_domains[host] then - must_secure = true; + must_secure = true; elseif must_secure and insecure_domains[host] then - must_secure = false; + must_secure = false; end - if must_secure and (session.cert_chain_status ~= "valid" or session.cert_identity_status ~= "valid") and not notified_about_already[host] then + if must_secure and not certificate_is_valid and not notified_about_already[host] and not ignore_domains[host] then notified_about_already[host] = os.time(); local _, errors = conn:getpeerverification(); local error_message = "";