--- a/mod_watchuntrusted/README.markdown Wed Aug 08 15:20:52 2018 +0200
+++ b/mod_watchuntrusted/README.markdown Wed Aug 08 15:58:50 2018 +0200
@@ -32,6 +32,7 @@
untrusted\_fail\_watchers All admins The users to send the message to
untrusted\_fail\_notification "Establishing a secure connection from \$from\_host to \$to\_host failed. Certificate hash: \$sha1. \$errors" The message to send, \$from\_host, \$to\_host, \$sha1 and \$errors are replaced
untrusted\_message\_type `"chat"` Which kind of message to send. `"normal"` or `"headline"` are other sensible options
+ untrusted\_ignore\_domains Empty The domains that this module should not warn about
Compatibility
=============
--- a/mod_watchuntrusted/mod_watchuntrusted.lua Wed Aug 08 15:20:52 2018 +0200
+++ b/mod_watchuntrusted/mod_watchuntrusted.lua Wed Aug 08 15:58:50 2018 +0200
@@ -4,6 +4,8 @@
local secure_domains, insecure_domains =
module:get_option_set("s2s_secure_domains", {})._items, module:get_option_set("s2s_insecure_domains", {})._items;
+local ignore_domains = module:get_option_set("untrusted_ignore_domains", {})._items;
+
local untrusted_fail_watchers = module:get_option_set("untrusted_fail_watchers", module:get_option("admins", {})) / jid_prep;
local untrusted_fail_notification = module:get_option("untrusted_fail_notification", "Establishing a secure connection from $from_host to $to_host failed. Certificate hash: $sha256. $errors");
@@ -22,15 +24,21 @@
if not (local_host == module:get_host()) then return end
module:log("debug", "Checking certificate...");
+ local certificate_is_valid = false;
+
+ if session.cert_chain_status == "valid" and session.cert_identity_status == "valid" then
+ certificate_is_valid = true;
+ end
+
local must_secure = secure_auth;
if not must_secure and secure_domains[host] then
- must_secure = true;
+ must_secure = true;
elseif must_secure and insecure_domains[host] then
- must_secure = false;
+ must_secure = false;
end
- if must_secure and (session.cert_chain_status ~= "valid" or session.cert_identity_status ~= "valid") and not notified_about_already[host] then
+ if must_secure and not certificate_is_valid and not notified_about_already[host] and not ignore_domains[host] then
notified_about_already[host] = os.time();
local _, errors = conn:getpeerverification();
local error_message = "";