mod_s2s: Improve robustness of outgoing s2s certificate verification
This change ensures we have positively verified the certificates of the server
we are connecting to before marking the session as authenticated. It protects
against situations where the verify-or-close stage of the connection was
interrupted (e.g. due to an uncaught error).
Thanks to Zash for discovery and testing.
--- a/plugins/mod_s2s.lua Wed Apr 13 18:46:11 2022 +0100
+++ b/plugins/mod_s2s.lua Mon Apr 25 15:07:49 2022 +0100
@@ -349,6 +349,15 @@
}, nil, "Could not establish encrypted connection to remote server");
end
end
+
+ if session.type == "s2sout_unauthed" and not session.authenticated_remote and secure_auth and not insecure_domains[host] then
+ session:close({
+ condition = "policy-violation";
+ text = "Failed to verify certificate (internal error)";
+ });
+ return;
+ end
+
if hosts[host] then
session:close({ condition = "undefined-condition", text = "Attempt to authenticate as a host we serve" });
end
@@ -531,6 +540,8 @@
if session.secure and not session.cert_chain_status then
if check_cert_status(session) == false then
return;
+ else
+ session.authenticated_remote = true;
end
end