comparison mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 1330:bb6f3312ab46

mod_s2s_auth_dane: Don't allow unencrypted connections if TLSA exists
author Kim Alvefur <zash@zash.se>
date Wed, 05 Mar 2014 17:44:27 +0100
parents 8d99b9c4cf0c
children 08a0241f5d2c
1329:8d99b9c4cf0c 1330:bb6f3312ab46
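--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua
+++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua
@@ -102,9 +102,26 @@
 session.cert_chain_status = "invalid";
 end
 end
 end);
 
+function module.add_host(module)
+module:hook("s2s-authenticated", function(event)
+local session = event.session;
+local srv_hosts = session.srv_hosts;
+local srv_choice = session.srv_choice;
+if srv_hosts[srv_choice].dane and not session.secure then
+-- TLSA record but no TLS, not ok.
+session:close({
+condition = "policy-violation",
+text = "Encrypted server-to-server communication is required but was not "
+..((session.direction == "outgoing" and "offered") or "used")
+});
+return false;
+end
+end);
+end
+
 function module.unload()
 s2sout.try_connect = _try_connect;
 end
 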
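Review bot: The new "s2s-authenticated" handler indexes `srv_hosts[srv_choice].dane` without checking that `session.srv_hosts` and `session.srv_choice` are set, and the closing text's `session.direction == "outgoing"` branch shows the hook is expected to run for incoming sessions too, which presumably never went through SRV resolution and carry no `srv_hosts`; on such a session the line raises "attempt to index a nil value" and the hook errors out instead of deciding anything. Since this hook is the fail-closed enforcement point, the lookup should be guarded so that a missing table is handled deliberately rather than by an error: `local srv_target = srv_hosts and srv_choice and srv_hosts[srv_choice];` and `if srv_target and srv_target.dane and not session.secure then`. A short comment above the check, `-- only outgoing sessions that resolved SRV carry srv_hosts; incoming sessions are not checked here`, would make the intended scope of the policy explicit for the next reader, assuming that scope is indeed intended. The first context lines of the hunk belong to a handler that begins outside the hunk.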