24 module:hook("s2s-check-certificate", function(event) |
24 module:hook("s2s-check-certificate", function(event) |
25 local host, session, cert = event.host, event.session, event.cert; |
25 local host, session, cert = event.host, event.session, event.cert; |
26 if cert and cert.pubkey then |
26 if cert and cert.pubkey then |
27 local _, key_type, key_size = cert:pubkey(); |
27 local _, key_type, key_size = cert:pubkey(); |
28 if key_size < ( weak_key_size[key_type] or 0 ) then |
28 if key_size < ( weak_key_size[key_type] or 0 ) then |
29 local issued = parse_x509_datetime(cert:notbefore()); |
29 local expires = parse_x509_datetime(cert:notafter()); |
30 if issued > weak_key_cutoff then |
30 if expires > weak_key_cutoff then |
31 session.log("error", "%s has a %s-bit %s key issued after 31 December 2013, invalidating trust!", host, key_size, key_type); |
31 session.log("error", "%s has a %s-bit %s key valid after 31 December 2013, invalidating trust!", host, key_size, key_type); |
32 session.cert_chain_status = "invalid"; |
32 session.cert_chain_status = "invalid"; |
33 session.cert_identity_status = "invalid"; |
33 session.cert_identity_status = "invalid"; |
34 else |
34 else |
35 session.log("warn", "%s has a %s-bit %s key", host, key_size, key_type); |
35 session.log("warn", "%s has a %s-bit %s key", host, key_size, key_type); |
36 end |
36 end |
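Review bot: The size test on line 28, `key_size < ( weak_key_size[key_type] or 0 )`, fails open: a key type with no entry in `weak_key_size` gets a threshold of 0, so it can never be judged weak and reaches neither the "invalid" assignment nor the warning, whichever validity date the cutoff test on line 30 reads. The same line assumes `cert:pubkey()` returned a number; a nil `key_size` would raise inside the hook, and the date returned by `parse_x509_datetime` (defined outside this view) is likewise compared without a nil check. I would handle the unknown case explicitly before the comparison, for example `local min_size = weak_key_size[key_type];` followed by `if not key_size or not min_size then session.log("warn", "%s has a key of unrecognised type or size", host); end`, and decide there whether policy is to distrust it. The hook body continues past line 36, so a later branch may already log such keys; that part is not visible here.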