# HG changeset patch # User Kim Alvefur # Date 1368099475 -7200 # Node ID fcba646eb20a6713f942f797d6a6ce0f3583e094 # Parent 2b2d4b1de638a09a02e91475dc9b80150129155c mod_s2s_log_certs: Log certificate status and fingerprints diff -r 2b2d4b1de638 -r fcba646eb20a mod_s2s_log_certs/mod_s2s_log_certs.lua --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/mod_s2s_log_certs/mod_s2s_log_certs.lua Thu May 09 13:37:55 2013 +0200 @@ -0,0 +1,45 @@ +module:set_global(); + +local dm_load = require "util.datamanager".load; +local dm_store = require "util.datamanager".store; +local datetime = require "util.datetime".datetime; + +local do_store = module:get_option_boolean(module:get_name().."_persist", false); +local digest_algo = module:get_option_string(module:get_name().."_digest", "sha1"); + +local function note_cert_digest(event) + local session, remote_host, cert = event.session, event.host, event.cert; + + if not (remote_host and cert and cert.digest) then return end; + local digest = cert:digest(digest_algo); + + local local_host = session.direction == "outgoing" and session.from_host or session.to_host; + local chain_status = session.cert_chain_status; + local identity_status = session.cert_identity_status; + + module:log("info", "Spotted %s %s certificate used by %s with %s: %s", + chain_status == "valid" and "trusted" or "untrusted", + identity_status or "invalid", + remote_host, digest_algo:upper(), + digest:upper():gsub("..",":%0"):sub(2)); + + if do_store then + local seen_certs = dm_load(remote_host, local_host, "s2s_certs") or {}; + + digest = digest_algo..":"..digest; + local this_cert = seen_certs[digest] or { first = datetime(); times = 0; } + this_cert.last = datetime(); + this_cert.times = this_cert.times + 1; + seen_certs[digest] = this_cert; + chain_status = chain_status; + identity_status = identity_status; + dm_store(remote_host, local_host, "s2s_certs", seen_certs); + end +end + +module:hook("s2s-check-certificate", note_cert_digest, 1000); +--[[ +function module.add_host(module) + module:hook("s2s-check-certificate", note_cert_digest, 1000); +end +]]