annotate mod_s2s_auth_samecert/mod_s2s_auth_samecert.lua @ 5787:e79f9dec35c0

mod_c2s_conn_throttle: Reduce log level from error->info Our general policy is that "error" should never be triggerable by remote entities, and that it is always about something that requires admin intervention. This satisfies neither condition. The "warn" level can be used for unexpected events/behaviour triggered by remote entities, and this could qualify. However I don't think failed auth attempts are unexpected enough. I selected "info" because it is what is also used for other notable session lifecycle events.
author Matthew Wild <mwild1@gmail.com>
date Thu, 07 Dec 2023 15:46:50 +0000
parents c9397cd5cfe6
children
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
2204
affccf479f89 mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection
Kim Alvefur <zash@zash.se>
parents:
diff changeset
1 module:set_global()
affccf479f89 mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection
Kim Alvefur <zash@zash.se>
parents:
diff changeset
2
affccf479f89 mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection
Kim Alvefur <zash@zash.se>
parents:
diff changeset
3 local hosts = prosody.hosts;
affccf479f89 mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection
Kim Alvefur <zash@zash.se>
parents:
diff changeset
4
affccf479f89 mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection
Kim Alvefur <zash@zash.se>
parents:
diff changeset
5 module:hook("s2s-check-certificate", function(event)
affccf479f89 mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection
Kim Alvefur <zash@zash.se>
parents:
diff changeset
6 local session, cert = event.session, event.cert;
4675
c9397cd5cfe6 mod_s2s_auth_samecert: Handle lack of provided client certificate
Kim Alvefur <zash@zash.se>
parents: 2234
diff changeset
7 if not cert or session.direction ~= "incoming" then return end
c9397cd5cfe6 mod_s2s_auth_samecert: Handle lack of provided client certificate
Kim Alvefur <zash@zash.se>
parents: 2234
diff changeset
8
2204
affccf479f89 mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection
Kim Alvefur <zash@zash.se>
parents:
diff changeset
9 local outgoing = hosts[session.to_host].s2sout[session.from_host];
affccf479f89 mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection
Kim Alvefur <zash@zash.se>
parents:
diff changeset
10 if outgoing and outgoing.type == "s2sout" and outgoing.secure and outgoing.conn:socket():getpeercertificate():pem() == cert:pem() then
2234
3024116d6093 mod_s2s_auth_samecert: Log which s2sout has a matching cert
Kim Alvefur <zash@zash.se>
parents: 2204
diff changeset
11 session.log("debug", "Certificate matches that of s2sout%s", tostring(outgoing):match("[a-f0-9]+$"));
2204
affccf479f89 mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection
Kim Alvefur <zash@zash.se>
parents:
diff changeset
12 session.cert_identity_status = outgoing.cert_identity_status;
affccf479f89 mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection
Kim Alvefur <zash@zash.se>
parents:
diff changeset
13 session.cert_chain_status = outgoing.cert_chain_status;
affccf479f89 mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection
Kim Alvefur <zash@zash.se>
parents:
diff changeset
14 return true;
affccf479f89 mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection
Kim Alvefur <zash@zash.se>
parents:
diff changeset
15 end
affccf479f89 mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection
Kim Alvefur <zash@zash.se>
parents:
diff changeset
16 end, 1000);