Mercurial > prosody-modules
comparison mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 1757:d011b87b7f58
mod_s2s_auth_dane: Validate names of DANE-TA certs
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Thu, 21 May 2015 10:28:02 +0200 |
| parents | 9b429fc9e8a0 |
| children | 7ba877e2d660 |
comparison
equal
deleted
inserted
replaced
| 1756:c619425dafe7 | 1757:d011b87b7f58 |
|---|---|
| 292 end | 292 end |
| 293 if is_match and cacert:issued(cert, unpack(chain)) then | 293 if is_match and cacert:issued(cert, unpack(chain)) then |
| 294 log("info", "DANE validated ok for %s using %s", host, tlsa:getUsage()); | 294 log("info", "DANE validated ok for %s using %s", host, tlsa:getUsage()); |
| 295 if use == 2 then -- DANE-TA | 295 if use == 2 then -- DANE-TA |
| 296 session.cert_identity_status = "valid"; | 296 session.cert_identity_status = "valid"; |
| 297 session.cert_chain_status = "valid"; | 297 if cert_verify_identity(host, "xmpp-server", cert) then |
| 298 session.cert_chain_status = "valid"; | |
| 299 -- else -- TODO Check against SRV target? | |
| 300 end | |
| 298 -- for usage 0, PKIX-CA, identity and chain has to be valid already | 301 -- for usage 0, PKIX-CA, identity and chain has to be valid already |
| 299 end | 302 end |
| 300 match_found = true; | 303 match_found = true; |
| 301 break; | 304 break; |
| 302 end | 305 end |