795 end |
795 end |
796 local what = table.remove(arg, 1); |
796 local what = table.remove(arg, 1); |
797 local array, set = require "util.array", require "util.set"; |
797 local array, set = require "util.array", require "util.set"; |
798 local it = require "util.iterators"; |
798 local it = require "util.iterators"; |
799 local ok = true; |
799 local ok = true; |
|
800 local function disabled_hosts(host, conf) return host ~= "*" and conf.enabled ~= false; end |
|
801 local function enabled_hosts() return it.filter(disabled_hosts, pairs(config.getconfig())); end |
800 if not what or what == "config" then |
802 if not what or what == "config" then |
801 print("Checking config..."); |
803 print("Checking config..."); |
802 local known_global_options = set.new({ |
804 local known_global_options = set.new({ |
803 "pidfile", "log", "plugin_paths", "prosody_user", "prosody_group", "daemonize", |
805 "pidfile", "log", "plugin_paths", "prosody_user", "prosody_group", "daemonize", |
804 "umask", "prosodyctl_timeout", "use_ipv6", "use_libevent", "network_settings" |
806 "umask", "prosodyctl_timeout", "use_ipv6", "use_libevent", "network_settings" |
811 print(" No global options defined. Perhaps you have put a host definition at the top") |
813 print(" No global options defined. Perhaps you have put a host definition at the top") |
812 print(" of the config file? They should be at the bottom, see http://prosody.im/doc/configure#overview"); |
814 print(" of the config file? They should be at the bottom, see http://prosody.im/doc/configure#overview"); |
813 end |
815 end |
814 -- Check for global options under hosts |
816 -- Check for global options under hosts |
815 local global_options = set.new(it.to_array(it.keys(config["*"]))); |
817 local global_options = set.new(it.to_array(it.keys(config["*"]))); |
816 for host, options in it.filter("*", pairs(config)) do |
818 for host, options in enabled_hosts() do |
817 local host_options = set.new(it.to_array(it.keys(options))); |
819 local host_options = set.new(it.to_array(it.keys(options))); |
818 local misplaced_options = set.intersection(host_options, known_global_options); |
820 local misplaced_options = set.intersection(host_options, known_global_options); |
819 for name in pairs(options) do |
821 for name in pairs(options) do |
820 if name:match("^interfaces?") |
822 if name:match("^interfaces?") |
821 or name:match("_ports?$") or name:match("_interfaces?$") |
823 or name:match("_ports?$") or name:match("_interfaces?$") |
896 c2s_srv_required, s2s_srv_required = true, true; |
898 c2s_srv_required, s2s_srv_required = true, true; |
897 end |
899 end |
898 |
900 |
899 local v6_supported = not not socket.tcp6; |
901 local v6_supported = not not socket.tcp6; |
900 |
902 |
901 for host, host_options in it.filter("*", pairs(config.getconfig())) do |
903 for host, host_options in enabled_hosts() do |
902 local all_targets_ok, some_targets_ok = true, false; |
904 local all_targets_ok, some_targets_ok = true, false; |
903 |
905 |
904 local is_component = not not host_options.component_module; |
906 local is_component = not not host_options.component_module; |
905 print("Checking DNS for "..(is_component and "component" or "host").." "..host.."..."); |
907 print("Checking DNS for "..(is_component and "component" or "host").." "..host.."..."); |
906 local target_hosts = set.new(); |
908 local target_hosts = set.new(); |
1045 if what == "certs" then cert_ok = false end |
1047 if what == "certs" then cert_ok = false end |
1046 elseif not load_cert then |
1048 elseif not load_cert then |
1047 print("This version of LuaSec (" .. ssl._VERSION .. ") does not support certificate checking"); |
1049 print("This version of LuaSec (" .. ssl._VERSION .. ") does not support certificate checking"); |
1048 cert_ok = false |
1050 cert_ok = false |
1049 else |
1051 else |
1050 for host in pairs(hosts) do |
1052 for host in enabled_hosts() do |
1051 if host ~= "*" then -- Should check global certs too. |
1053 print("Checking certificate for "..host); |
1052 print("Checking certificate for "..host); |
1054 -- First, let's find out what certificate this host uses. |
1053 -- First, let's find out what certificate this host uses. |
1055 local ssl_config = config.rawget(host, "ssl"); |
1054 local ssl_config = config.rawget(host, "ssl"); |
1056 if not ssl_config then |
1055 if not ssl_config then |
1057 local base_host = host:match("%.(.*)"); |
1056 local base_host = host:match("%.(.*)"); |
1058 ssl_config = config.get(base_host, "ssl"); |
1057 ssl_config = config.get(base_host, "ssl"); |
1059 end |
1058 end |
1060 if not ssl_config then |
1059 if not ssl_config then |
1061 print(" No 'ssl' option defined for "..host) |
1060 print(" No 'ssl' option defined for "..host) |
1062 cert_ok = false |
1061 cert_ok = false |
1063 elseif not ssl_config.certificate then |
1062 elseif not ssl_config.certificate then |
1064 print(" No 'certificate' set in ssl option for "..host) |
1063 print(" No 'certificate' set in ssl option for "..host) |
1065 cert_ok = false |
1064 cert_ok = false |
1066 elseif not ssl_config.key then |
1065 elseif not ssl_config.key then |
1067 print(" No 'key' set in ssl option for "..host) |
1066 print(" No 'key' set in ssl option for "..host) |
1068 cert_ok = false |
|
1069 else |
|
1070 local key, err = io.open(ssl_config.key); -- Permissions check only |
|
1071 if not key then |
|
1072 print(" Could not open "..ssl_config.key..": "..err); |
1067 cert_ok = false |
1073 cert_ok = false |
1068 else |
1074 else |
1069 local key, err = io.open(ssl_config.key); -- Permissions check only |
1075 key:close(); |
1070 if not key then |
1076 end |
1071 print(" Could not open "..ssl_config.key..": "..err); |
1077 local cert_fh, err = io.open(ssl_config.certificate); -- Load the file. |
|
1078 if not cert_fh then |
|
1079 print(" Could not open "..ssl_config.certificate..": "..err); |
|
1080 cert_ok = false |
|
1081 else |
|
1082 print(" Certificate: "..ssl_config.certificate) |
|
1083 local cert = load_cert(cert_fh:read"*a"); cert_fh = cert_fh:close(); |
|
1084 if not cert:validat(os.time()) then |
|
1085 print(" Certificate has expired.") |
1072 cert_ok = false |
1086 cert_ok = false |
1073 else |
|
1074 key:close(); |
|
1075 end |
1087 end |
1076 local cert_fh, err = io.open(ssl_config.certificate); -- Load the file. |
1088 if config.get(host, "component_module") == nil |
1077 if not cert_fh then |
1089 and not x509_verify_identity(host, "_xmpp-client", cert) then |
1078 print(" Could not open "..ssl_config.certificate..": "..err); |
1090 print(" Not vaild for client connections to "..host..".") |
1079 cert_ok = false |
1091 cert_ok = false |
1080 else |
1092 end |
1081 print(" Certificate: "..ssl_config.certificate) |
1093 if (not (config.get(name, "anonymous_login") |
1082 local cert = load_cert(cert_fh:read"*a"); cert_fh = cert_fh:close(); |
1094 or config.get(name, "authentication") == "anonymous")) |
1083 if not cert:validat(os.time()) then |
|
1084 print(" Certificate has expired.") |
|
1085 cert_ok = false |
|
1086 end |
|
1087 if config.get(host, "component_module") == nil |
|
1088 and not x509_verify_identity(host, "_xmpp-client", cert) then |
1095 and not x509_verify_identity(host, "_xmpp-client", cert) then |
1089 print(" Not vaild for client connections to "..host..".") |
1096 print(" Not vaild for server-to-server connections to "..host..".") |
1090 cert_ok = false |
1097 cert_ok = false |
1091 end |
|
1092 if (not (config.get(name, "anonymous_login") |
|
1093 or config.get(name, "authentication") == "anonymous")) |
|
1094 and not x509_verify_identity(host, "_xmpp-client", cert) then |
|
1095 print(" Not vaild for server-to-server connections to "..host..".") |
|
1096 cert_ok = false |
|
1097 end |
|
1098 end |
1098 end |
1099 end |
1099 end |
1100 end |
1100 end |
1101 end |
1101 end |
1102 if cert_ok == false then |
1102 if cert_ok == false then |