authorKim Alvefur <zash@zash.se>2017-07-07 21:04:30 +0200
committerKim Alvefur <zash@zash.se>2017-07-07 21:04:30 +0200
commit5663e9c116b524a020f94c5c1759d3d357957637 (patch)
tree974029bef3f8eb13d29fa473c66ec24ed6efd730 /net
parent6e8bf47fce3b54aeee54c753824a37bc5507482a (diff)
net.http: Validate HTTPS certificates (fixes #659)
Diffstat (limited to 'net')
-rw-r--r--net/http.lua21
1 files changed, 21 insertions, 0 deletions
diff --git a/net/http.lua b/net/http.lua
index 756deaf4..eba050cd 100644
--- a/net/http.lua
+++ b/net/http.lua
@@ -11,6 +11,7 @@ local url = require "socket.url"
local httpstream_new = require "net.http.parser".new;
local util_http = require "util.http";
local events = require "util.events";
+local verify_identity = require"util.x509".verify_identity;
local ssl_available = pcall(require, "ssl");
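Review bot: The new require on the `+` line is written `require"util.x509"` while the three neighbouring lines use `require "socket.url"`-style spacing; keep the file's form, `local verify_identity = require "util.x509".verify_identity;`. Purely cosmetic, but this is the line readers will grep for when tracing where certificate checking comes from.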
@@ -34,6 +35,26 @@ local listener = { default_port = 80, default_mode = "*a" };
function listener.onconnect(conn)
local req = requests[conn];
+
+ -- Validate certificate
+ if conn:ssl() then
+ local sock = conn:socket();
+ local chain_valid = sock.getpeerverification and sock:getpeerverification();
+ if not chain_valid then
+ req.callback("certificate-chain-invalid", 0, req);
+ req.callback = nil;
+ conn:close();
+ return;
+ end
+ local cert = sock.getpeercertificate and sock:getpeercertificate();
+ if not cert or not verify_identity(req.host, false, cert) then
+ req.callback("certificate-verify-failed", 0, req);
+ req.callback = nil;
+ conn:close();
+ return;
+ end
+ end
+
-- Send the request
local request_line = { req.method or "GET", " ", req.path, " HTTP/1.1\r\n" };
if req.query then