changeset 3447:5f2eeebcf899

mod_client_certs: do not crash on plain sockets. In some situations (e.g., a reverse-proxied websocket), non-TLS sockets can be marked as secure, causing mod_client_certs to call the undefined method getpeercertificate and crash.
author Thibaut Girka <thib@sitedethib.com>
date Fri, 18 Jan 2019 14:06:05 +0100
parents a5a50cd34386
children c4db126a9f04
files mod_client_certs/mod_client_certs.lua
diffstat 1 files changed, 7 insertions(+), 2 deletions(-) [+]
--- a/mod_client_certs/mod_client_certs.lua	Fri Jan 18 02:16:03 2019 +0100
+++ b/mod_client_certs/mod_client_certs.lua	Fri Jan 18 14:06:05 2019 +0100
@@ -94,7 +94,7 @@
 		local disabled_cert_pem = info.pem;
 
 		for _, session in pairs(sessions) do
-			if session and session.conn then
+			if session and session.conn and session.conn:socket().getpeercertificate then
 				local cert = session.conn:socket():getpeercertificate();
 
 				if cert and cert:pem() == disabled_cert_pem then
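Review bot: The new guard in the `for _, session in pairs(sessions)` loop indexes the result of `session.conn:socket()` without checking that it is non-nil, and then calls `socket()` a second time on the next line. If `socket()` can return nil for some connection type (not visible from this hunk), the crash this commit fixes would just move to the guard. Binding the socket once avoids both problems: `local socket = session.conn and session.conn:socket();` followed by `if socket and socket.getpeercertificate then` and `local cert = socket:getpeercertificate();`. The same unchecked `socket.getpeercertificate` lookup appears in the "stream-features" hook in the second hunk. The loop body continues outside this hunk.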
@@ -336,7 +336,12 @@
 module:hook("stream-features", function(event)
 	local session, features = event.origin, event.features;
 	if session.secure and session.type == "c2s_unauthed" then
-		local cert = session.conn:socket():getpeercertificate();
+		local socket = session.conn:socket();
+		if not socket.getpeercertificate then
+			module:log("debug", "Not a TLS socket");
+			return
+		end
+		local cert = socket:getpeercertificate();
 		if not cert then
 			module:log("error", "No Client Certificate");
 			return
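Review bot: The early return after `if not socket.getpeercertificate then` is the fail-closed path for a session that is marked `secure` but has no TLS socket, and nothing in the code says so. A short comment would keep a later edit from turning it into a fall-through, for example `-- session.secure may be set by a proxy or websocket front end; without a TLS socket there is no peer certificate to check, so stop here`. The "debug" level also means this mismatch between `session.secure` and the real transport will not show up in default logs; consider whether "info" is more useful to an operator auditing a reverse-proxy setup. The hook function continues past the end of this hunk, so what the return skips is presumably the certificate-based feature offer, which is not visible here.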