diff mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 1944:1950fa6aa0c0
mod_s2s_auth_dane: Consider the current certificate chain status before checking PKIX-{EE,CA} TLSA records
author | Kim Alvefur <zash@zash.se> |
date | Thu, 05 Nov 2015 15:38:31 +0100 |
parents | 7e04ca0aa757 |
children | 7974a24d29b6 |
--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Thu Nov 05 14:10:11 2015 +0100
+++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Thu Nov 05 15:38:31 2015 +0100
@@ -267,8 +267,8 @@
 local use = tlsa.use;
 if enabled_uses:contains(use) then
- -- PKIX-EE or DANE-EE
- if use == 1 or use == 3 then
+ -- DANE-EE or PKIX-EE
+ if use == 3 or (use == 1 and session.cert_chain_status == "valid") then
 -- Should we check if the cert subject matches?
 local is_match = one_dane_check(tlsa, cert);
 if is_match ~= nil then
@@ -284,7 +284,8 @@
 match_found = true;
 break;
 end
- elseif use == 0 or use == 2 then
+ -- DANE-TA or PKIX-CA
+ elseif use == 2 or (use == 0 and session.cert_chain_status == "valid") then
 supported_found = true;
 local chain = session.conn:socket():getpeerchain();
 for c = 1, #chain do
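Review bot: A PKIX-EE (usage 1) or PKIX-CA (usage 0) TLSA record is now skipped silently whenever `session.cert_chain_status` is not exactly `"valid"`, so an operator debugging a failed DANE match sees no record matching but not why. I would log the skip before falling through, as a new branch after the DANE-TA/PKIX-CA one: `elseif use == 0 or use == 1 then module:log("debug", "Skipping PKIX-%s TLSA record, certificate chain status is %s", use == 1 and "EE" or "CA", tostring(session.cert_chain_status));` (assuming `module:log` is in scope as in other Prosody modules; `tostring` guards against a nil status in `string.format`). The gating itself is the right call, since RFC 6698 §2.1.1 requires PKIX validation in addition to the TLSA match for usages 0 and 1, but it presumes `session.cert_chain_status` has already been populated by the chain-verification step before this code runs, which the hunk does not show. The enclosing loop and function start and end outside both hunks.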