mod_websocket: Fire pre-session-close event (fixes #1800)
This event was added in a7c183bb4e64 and is required to make mod_smacks know
that a session was intentionally closed and shouldn't be hibernated (see
fcea4d9e7502).
Because this was missing from mod_websocket's session.close(), mod_smacks
would always attempt to hibernate websocket sessions even if they closed
cleanly.
That mod_websocket has its own copy of session.close() is something to fix
another day (probably not in the stable branch). So for now this commit makes
the minimal change to get things working again.
Thanks to Damian and the Jitsi team for reporting.
module:set_global();
local cert_verify_identity = require "util.x509".verify_identity;
local NULL = {};
local log = module._log;
local measure_cert_statuses = module:metric("counter", "checked", "", "Certificate validation results",
{ "chain"; "identity" })
module:hook("s2s-check-certificate", function(event)
local session, host, cert = event.session, event.host, event.cert;
local conn = session.conn:socket();
local log = session.log or log;
if not cert then
log("warn", "No certificate provided by %s", host or "unknown host");
return;
end
local chain_valid, errors;
if conn.getpeerverification then
chain_valid, errors = conn:getpeerverification();
else
chain_valid, errors = false, { { "Chain verification not supported by this version of LuaSec" } };
end
-- Is there any interest in printing out all/the number of errors here?
if not chain_valid then
log("debug", "certificate chain validation result: invalid");
for depth, t in pairs(errors or NULL) do
log("debug", "certificate error(s) at depth %d: %s", depth-1, table.concat(t, ", "))
end
session.cert_chain_status = "invalid";
session.cert_chain_errors = errors;
else
log("debug", "certificate chain validation result: valid");
session.cert_chain_status = "valid";
-- We'll go ahead and verify the asserted identity if the
-- connecting server specified one.
if host then
if cert_verify_identity(host, "xmpp-server", cert) then
session.cert_identity_status = "valid"
else
session.cert_identity_status = "invalid"
end
log("debug", "certificate identity validation result: %s", session.cert_identity_status);
end
end
measure_cert_statuses:with_labels(session.cert_chain_status or "unknown", session.cert_identity_status or "unknown"):add(1);
end, 509);