changeset 4127:e9e10ec1b91c
mod_firewall: Add checkcerts option for HTTP lists, cert verification disabled when SNI unsupported
This provides a balance between security and usability. SNI is supported in Prosody trunk
and in Prosody 0.11 from commit 30d3f6f85eb8 (scheduled for 0.11.7).
author | Matthew Wild <mwild1@gmail.com> |
---|---|
date | Tue, 15 Sep 2020 11:49:55 +0100 |
parents | 68ceb7e0cfe6 |
children | 879955a32a37 |
files | mod_firewall/README.markdown mod_firewall/definitions.lib.lua |
diffstat | 2 files changed, 13 insertions(+), 0 deletions(-) [+] |
--- a/mod_firewall/README.markdown Tue Sep 15 11:45:09 2020 +0100
+++ b/mod_firewall/README.markdown Tue Sep 15 11:49:55 2020 +0100
@@ -158,6 +158,10 @@
 ttl Seconds to cache the list for. After expiry, it will be refetched. Default 3600 (1 hour).
 pattern Optional pattern used to extract list entries from the response. Default is to treat each line as a single item.
 hash Optional hash to be applied to items before looking them up in the list, e.g. sha1 or sha256.
+ checkcert Whether to verify HTTPS certificates. May be "always", "never" or "when-sni". Default "when-sni".
+
+The "when-sni" default disables certificate verification when Prosody's HTTP client API doesn't support SNI,
+as in Prosody 0.11.6 and earlier.
 #### CHECK LIST
--- a/mod_firewall/definitions.lib.lua Tue Sep 15 11:45:09 2020 +0100
+++ b/mod_firewall/definitions.lib.lua Tue Sep 15 11:49:55 2020 +0100
@@ -104,8 +104,17 @@
 local etag;
 local failure_count = 0;
 local retry_intervals = { 60, 120, 300 };
+ -- By default only check the certificate if net.http supports SNI
+ local sni_supported = http.feature and http.features.sni;
+ local insecure = false;
+ if opts.checkcert == "never" then
+ insecure = true;
+ elseif (opts.checkcert == nil or opts.checkcert == "when-sni") and not sni_supported then
+ insecure = false;
+ end
 local function update_list()
 http.request(url, {
+ insecure = insecure;
 headers = {
 ["If-None-Match"] = etag;
 };
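Review bot: The `when-sni` branch at `elseif (opts.checkcert == nil or opts.checkcert == "when-sni") and not sni_supported then` assigns `insecure = false;`, which is already the initial value, so it is a no-op and verification is never relaxed as the README hunk and the commit message describe — the comment above it suggests `insecure = true;` was intended. The line before it reads `http.feature and http.features.sni`, mixing two spellings; if the field is `features`, as the right-hand side suggests, `sni_supported` is always nil, which currently hides the no-op by taking that branch every time. Once both are corrected, the default silently downgrades to unverified HTTPS on Prosody 0.11.6 and earlier, so that should be logged, e.g. `if insecure and opts.checkcert ~= "never" then module:log("warn", "Certificate verification disabled for %s (no SNI support in net.http)", url); end`, assuming `module` is in scope here as elsewhere in the module. An unrecognised `checkcert` value falls through to verification, which is the safe direction, but is also never reported. The enclosing function starts and ends outside the hunk.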