author | Kim Alvefur <zash@zash.se> |
Sat, 25 Jan 2020 01:31:49 +0100 | |
changeset 3861 | 8752e5b5dd08 |
parent 3224 | 0e78523f8c20 |
permissions | -rw-r--r-- |
local jid_prep = require "util.jid".prep;
local st = require "util.stanza";

--- Trust policy, read from the same option names core s2s uses:
-- a global "certificates must validate" switch plus per-domain overrides.
-- `_items` is the raw item table behind the util.set object, so the
-- domains can be looked up directly with `[host]`.
local secure_auth = module:get_option_boolean("s2s_secure_auth", false);
local secure_domains = module:get_option_set("s2s_secure_domains", {})._items;
local insecure_domains = module:get_option_set("s2s_insecure_domains", {})._items;

-- Remote domains whose certificate failures should never trigger a notification.
local ignore_domains = module:get_option_set("untrusted_ignore_domains", {})._items;

-- Who gets told. Defaults to the configured admins; set division applies
-- jid_prep to every entry so each recipient address is normalised.
local untrusted_fail_watchers = module:get_option_set("untrusted_fail_watchers", module:get_option("admins", {})) / jid_prep;

-- Template for the notification body. `$name` placeholders are expanded
-- from the event, the session and a few computed values (hashes, errors).
local untrusted_fail_notification = module:get_option("untrusted_fail_notification", "Establishing a secure connection from $from_host to $to_host failed. Certificate hash: $sha256. $errors");

-- XMPP message type used for notifications ("chat" by default).
local msg_type = module:get_option_string("untrusted_message_type", "chat");

-- remote host -> os.time() of the last notification sent about it.
-- Entries are expired by the periodic cleanup timer in this module.
local notified_about_already = { };
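--- Build a human-readable description of why the peer certificate was not trusted.
-- @param conn the raw socket behind the session; getpeerverification is only
--   available on TLS sockets, so a socket without it yields no chain errors
--   instead of raising inside the event handler
-- @param session the s2s session (cert_identity_status is read from it)
-- @param host the remote domain the certificate was checked against
-- @return string, possibly empty, one sentence per problem found
local function describe_cert_errors(conn, session, host)
	local parts = {};
	if conn.getpeerverification then
		local _, errors = conn:getpeerverification();
		for depth, t in pairs(errors or {}) do
			if #t > 0 then
				-- the table is 1-based per chain depth; report it 0-based
				parts[#parts + 1] = "Error with certificate " .. (depth - 1) .. ": " .. table.concat(t, ", ") .. ". ";
			end
		end
	end
	if session.cert_identity_status then
		parts[#parts + 1] = "This certificate is " .. session.cert_identity_status .. " for " .. host .. ".";
	end
	return table.concat(parts);
end

--- Expand `$name` placeholders in the notification template.
-- Lookup order is event fields, then session fields, then the computed
-- replacements. Only string or number values are substituted; a placeholder
-- that resolves to anything else (a table, userdata, ...) is left as-is,
-- because string.gsub raises on such replacement values and that would abort
-- the whole notification.
-- @param template the configured notification string
-- @param event the s2s-check-certificate event table
-- @param session the s2s session
-- @param replacements table of computed values (sha1, sha256, errors)
-- @return the expanded body as a single string
local function render_notification(template, event, session, replacements)
	local body = template:gsub("%$([%w_]+)", function (name)
		local value = event[name] or session[name] or replacements[name];
		local value_type = type(value);
		if value_type == "string" or value_type == "number" then
			return value;
		end
		return nil;
	end);
	return body;
end

-- Observe the outcome of s2s certificate checks and notify the watchers once
-- per remote host when a connection that is required to be secure presents a
-- certificate that did not validate. This handler only reports; it never
-- changes whether the connection is accepted. The negative priority keeps it
-- behind default-priority handlers, which presumably includes the one that
-- sets session.cert_chain_status / cert_identity_status (confirm against core).
module:hook_global("s2s-check-certificate", function (event)
	local session, host = event.session, event.host;
	if not host then return end -- unknown remote host: nothing to report on

	local conn = session.conn:socket();
	local local_host = session.direction == "outgoing" and session.from_host or session.to_host;

	-- hook_global means every host's copy of this module sees the event;
	-- only the instance belonging to the local side of this connection acts.
	if not (local_host == module:get_host()) then return end

	module:log("debug", "Checking certificate...");
	local certificate_is_valid = session.cert_chain_status == "valid" and session.cert_identity_status == "valid";

	-- Resolve the policy for this remote host: global switch, then per-domain overrides.
	local must_secure = secure_auth;
	if not must_secure and secure_domains[host] then
		must_secure = true;
	elseif must_secure and insecure_domains[host] then
		must_secure = false;
	end

	if not must_secure or certificate_is_valid or ignore_domains[host] or notified_about_already[host] then
		return;
	end

	-- Recorded before the message is built, so an error further down still
	-- suppresses repeats for this host until the cleanup timer expires it.
	notified_about_already[host] = os.time();

	local replacements = {
		sha1 = event.cert and event.cert:digest("sha1") or "(No certificate)",
		sha256 = event.cert and event.cert:digest("sha256") or "(No certificate)",
		errors = describe_cert_errors(conn, session, host),
	};

	local message = st.message({ type = msg_type, from = local_host },
		render_notification(untrusted_fail_notification, event, session, replacements));
	for jid in untrusted_fail_watchers do
		module:log("debug", "Notifying %s", jid);
		message.attr.to = jid;
		module:send(message);
	end
end, -0.5);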
--- Periodic expiry of the once-per-day notification suppression list.
-- Runs every four hours and drops every entry whose timestamp is more than
-- a day behind the `now` passed to the callback.
-- NOTE(review): assumes the timer's `now` and os.time() share a time base — confirm against util.timer.
module:add_timer(14400, function (now)
	for remote_host, notified_at in pairs(notified_about_already) do
		-- Clearing an existing key during pairs() is permitted.
		if notified_at + 86400 < now then
			notified_about_already[remote_host] = nil;
		end
	end
	return 14400; -- reschedule with the same period
end)