Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Browse files

tls: rework for efficiency and linear style

  • Loading branch information...
commit 4b5a5ae813c83e39d8c0d5c02204bf67b80ea0c5 1 parent ed90eb4
@msimerson msimerson authored
Showing with 74 additions and 47 deletions.
  1. +74 −47 plugins/tls.js
View
121 plugins/tls.js
@@ -1,5 +1,5 @@
-// Enables TLS. This is built into the server anyway, but enabling this plugin
-// just advertises it.
+// TLS is built into Haraka. Enabling this plugin advertises STARTTLS.
+// see 'haraka -h tls' for help
var utils = require('./utils');
@@ -7,57 +7,84 @@ var utils = require('./utils');
// openssl req -x509 -nodes -days 2190 -newkey rsa:2048 \
// -keyout config/tls_key.pem -out config/tls_cert.pem
-exports.hook_capabilities = function (next, connection) {
+exports.register = function () {
+ var plugin = this;
+
+ plugin.tls_key = this.config.get('tls_key.pem', 'binary');
+ if (!plugin.tls_key) {
+ plugin.logcrit("TLS enabled but config/tls_key.pem not found. See 'haraka -h tls'");
+ return;
+ }
+
+ plugin.tls_cert = plugin.config.get('tls_cert.pem', 'binary');
+ if (!plugin.tls_key) {
+ plugin.logcrit("TLS enabled but config/tls_cert.pem not found. See 'haraka -h tls'");
+ return;
+ }
+
+ plugin.register_hook('capabilities', 'capabilities');
+ plugin.register_hook('unrecognized_command', 'unrecognized_command');
+};
+
+exports.capabilities = function (next, connection) {
+
/* Caution: We cannot advertise STARTTLS if the upgrade has already been done. */
- if (!connection.using_tls) {
- var key = this.config.get('tls_key.pem', 'binary');
- if (key) {
- connection.capabilities.push('STARTTLS');
- connection.notes.tls_enabled = 1;
- }
- else {
- connection.logcrit("TLS plugin enabled but no key found. Please see plugin docs.");
- }
+ if (connection.using_tls) {
+ return next();
}
+
+ connection.capabilities.push('STARTTLS');
+ connection.notes.tls_enabled = 1;
+
/* Let the plugin chain continue. */
next();
};
-exports.hook_unrecognized_command = function (next, connection, params) {
+exports.unrecognized_command = function (next, connection, params) {
+ var plugin = this;
/* Watch for STARTTLS directive from client. */
- if (connection.notes.tls_enabled && params[0] === 'STARTTLS') {
- var key = this.config.get('tls_key.pem', 'binary');
- var cert = this.config.get('tls_cert.pem', 'binary');
- var options = { key: key, cert: cert, requestCert: true };
-
- /* Respond to STARTTLS command. */
- connection.respond(220, "Go ahead.");
- /* Upgrade the connection to TLS. */
- var self = this;
- connection.client.upgrade(options, function (authorized, verifyError, cert, cipher) {
- connection.reset_transaction(function () {
- connection.hello_host = undefined;
- connection.using_tls = true;
- connection.notes.tls = {
- authorized: authorized,
- authorizationError: verifyError,
- peerCertificate: cert,
- cipher: cipher
- };
- connection.loginfo(self, 'secured:' +
- ((cipher) ? ' cipher=' + cipher.name + ' version=' + cipher.version : '') +
- ' verified=' + authorized +
- ((verifyError) ? ' error="' + verifyError + '"' : '' ) +
- ((cert && cert.subject) ? ' cn="' + cert.subject.CN + '"' +
- ' organization="' + cert.subject.O + '"' : '') +
- ((cert && cert.issuer) ? ' issuer="' + cert.issuer.O + '"' : '') +
- ((cert && cert.valid_to) ? ' expires="' + cert.valid_to + '"' : '') +
- ((cert && cert.fingerprint) ? ' fingerprint=' + cert.fingerprint : ''));
- return next(OK); // Return OK as we responded to the client
- });
- });
- }
- else {
+ if (params[0] !== 'STARTTLS') { return next; }
+
+ if (!connection.notes.tls_enabled) { return next(); }
+
+ var options = {
+ key: plugin.tls_key,
+ cert: plugin.tls_cert,
+ requestCert: true,
+ };
+
+ /* Respond to STARTTLS command. */
+ connection.respond(220, "Go ahead.");
+
+ /*
+ var timer = setTimeout(function () {
+ connection.logerror(plugin, 'tls timeout');
return next();
- }
+ }, 10 * 1000);
+ */
+
+ /* Upgrade the connection to TLS. */
+ connection.client.upgrade(options, function (authorized, verifyError, cert, cipher) {
+ // clearTimeout(timer);
+ connection.reset_transaction(function () {
+ connection.hello_host = undefined;
+ connection.using_tls = true;
+ connection.notes.tls = {
+ authorized: authorized,
+ authorizationError: verifyError,
+ peerCertificate: cert,
+ cipher: cipher
+ };
+ connection.loginfo(plugin, 'secured:' +
+ ((cipher) ? ' cipher=' + cipher.name + ' version=' + cipher.version : '') +
+ ' verified=' + authorized +
+ ((verifyError) ? ' error="' + verifyError + '"' : '' ) +
+ ((cert && cert.subject) ? ' cn="' + cert.subject.CN + '"' +
+ ' organization="' + cert.subject.O + '"' : '') +
+ ((cert && cert.issuer) ? ' issuer="' + cert.issuer.O + '"' : '') +
+ ((cert && cert.valid_to) ? ' expires="' + cert.valid_to + '"' : '') +
+ ((cert && cert.fingerprint) ? ' fingerprint=' + cert.fingerprint : ''));
+ return next(OK); // Return OK as we responded to the client
+ });
+ });
};
Please sign in to comment.
Something went wrong with that request. Please try again.