Mercurial Mercurial > prosody > prosody-modules / changeset
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
mod_s2s_auth_dane: Don't allow unencrypted connections if TLSA exists
authorKim Alvefur <zash@zash.se>
Wed, 05 Mar 2014 17:44:27 +0100
changeset 1330 bb6f3312ab46
parent 1329 8d99b9c4cf0c
child 1331 dbaa67babeb4
mod_s2s_auth_dane: Don't allow unencrypted connections if TLSA exists
mod_s2s_auth_dane/mod_s2s_auth_dane.lua file | annotate | diff | comparison | revisions 
--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua	Wed Mar 05 17:42:15 2014 +0100
+++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua	Wed Mar 05 17:44:27 2014 +0100
@@ -104,6 +104,23 @@
 	end
 end);
 
+function module.add_host(module)
+	module:hook("s2s-authenticated", function(event)
+		local session = event.session;
+		local srv_hosts = session.srv_hosts;
+		local srv_choice = session.srv_choice;
+		if srv_hosts[srv_choice].dane and not session.secure then
+			-- TLSA record but no TLS, not ok.
+			session:close({
+				condition = "policy-violation",
+				text = "Encrypted server-to-server communication is required but was not "
+					..((session.direction == "outgoing" and "offered") or "used")
+			});
+			return false;
+		end
+	end);
+end
+
 function module.unload()
 	s2sout.try_connect = _try_connect;
 end
prosody-modules