# HG changeset patch
# User Matthew Wild
# Date 1600166995 -3600
# Node ID e9e10ec1b91cfec59f0b0faddd510bce5fef11ad
# Parent 68ceb7e0cfe6d0458110399ca065f0d9869debfd
mod_firewall: Add checkcerts option for HTTP lists, cert verification disabled when SNI unsupported
This provides a balance between security and usability. SNI is supported in Prosody trunk and in Prosody 0.11 from commit 30d3f6f85eb8 (scheduled for 0.11.7).
diff -r 68ceb7e0cfe6 -r e9e10ec1b91c mod_firewall/README.markdown
--- a/mod_firewall/README.markdown Tue Sep 15 11:45:09 2020 +0100
+++ b/mod_firewall/README.markdown Tue Sep 15 11:49:55 2020 +0100
@@ -158,6 +158,10 @@
 ttl Seconds to cache the list for. After expiry, it will be refetched. Default 3600 (1 hour).
 pattern Optional pattern used to extract list entries from the response. Default is to treat each line as a single item.
 hash Optional hash to be applied to items before looking them up in the list, e.g. sha1 or sha256.
+ checkcert Whether to verify HTTPS certificates. May be "always", "never" or "when-sni". Default "when-sni".
+
+The "when-sni" default disables certificate verification when Prosody's HTTP client API doesn't support SNI,
+as in Prosody 0.11.6 and earlier.
 #### CHECK LIST
diff -r 68ceb7e0cfe6 -r e9e10ec1b91c mod_firewall/definitions.lib.lua
--- a/mod_firewall/definitions.lib.lua Tue Sep 15 11:45:09 2020 +0100
+++ b/mod_firewall/definitions.lib.lua Tue Sep 15 11:49:55 2020 +0100
@@ -104,8 +104,17 @@
 local etag;
 local failure_count = 0;
 local retry_intervals = { 60, 120, 300 };
+ -- By default only check the certificate if net.http supports SNI
+ local sni_supported = http.feature and http.features.sni;
+ local insecure = false;
+ if opts.checkcert == "never" then
+ insecure = true;
+ elseif (opts.checkcert == nil or opts.checkcert == "when-sni") and not sni_supported then
+ insecure = false;
+ end
 local function update_list()
 http.request(url, {
+ insecure = insecure;
 headers = {
 ["If-None-Match"] = etag;
 };
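Review bot: The `when-sni` branch of the new `if` in definitions.lib.lua is a no-op, because `insecure` is already `false` when it assigns `insecure = false;`, so the fallback described in the README hunk and the commit title (skipping verification when SNI is unavailable) never takes effect and every `checkcert` value other than `"never"` still verifies the certificate; the line above it also reads `http.feature` (singular) next to `http.features.sni`, which looks like a typo that leaves `sni_supported` permanently nil. The resulting behaviour is fail-safe but contradicts the documentation, and the safer resolution is to keep always-verifying and correct the README; if the documented fallback is really wanted, fix the lookup to `local sni_supported = http.features and http.features.sni;`, make the fallback explicit with `insecure = true;`, and emit a warning through the module's logger at that point so operators can see in the logs which list URL is being fetched without certificate verification. An unrecognised `checkcert` value (for example a misspelling) also falls through silently to the verifying default; logging it would make the misconfiguration visible. The enclosing function starts before this hunk and `update_list` continues past it.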