prosody-modules: mod_s2s_auth_dane/mod_s2s_auth

mod_s2s_auth_dane: Consider the current certificate chain status before checking PKIX-{EE,CA} TLSA records

comparison

equal deleted inserted replaced

-:7e04ca0aa757
+:1950fa6aa0c0
 			local tlsa = dane[i].tlsa;
 			module:log("debug", "TLSA #%d: %s", i, tostring(tlsa))
 			local use = tlsa.use;
 			if enabled_uses:contains(use) then
-				-- PKIX-EE or DANE-EE
+				-- DANE-EE or PKIX-EE
-				if use == 1 or use == 3 then
+				if use == 3 or (use == 1 and session.cert_chain_status == "valid") then
 					-- Should we check if the cert subject matches?
 					local is_match = one_dane_check(tlsa, cert);
 					if is_match ~= nil then
 						supported_found = true;
 					end
 							-- for usage 1, PKIX-EE, the chain has to be valid already
 						end
 						match_found = true;
 						break;
 					end
-				elseif use == 0 or use == 2 then
+				-- DANE-TA or PKIX-CA
+				elseif use == 2 or (use == 0 and session.cert_chain_status == "valid") then
 					supported_found = true;
 					local chain = session.conn:socket():getpeerchain();
 					for c = 1, #chain do
 						local cacert = chain[c];
 						local is_match = one_dane_check(tlsa, cacert);

Mercurial > prosody-modules