diff mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 1344:47d3c1c8a176
mod_s2s_auth_dane: Only invalidate trust if we found any supported DANE records
author | Kim Alvefur <zash@zash.se> |
date | Tue, 11 Mar 2014 21:13:40 +0100 |
parents | 50555c2ccbcd |
children | 52b419885f0a |
--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Tue Mar 11 18:44:01 2014 +0100
+++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Tue Mar 11 21:13:40 2014 +0100
@@ -60,7 +60,7 @@
 local srv_choice = session.srv_choice;
 local choosen = srv_hosts and srv_hosts[srv_choice] or session;
 if choosen.dane then
-local use, select, match, tlsa, certdata, match_found;
+local use, select, match, tlsa, certdata, match_found, supported_found;
 for i, rr in ipairs(choosen.dane) do
 tlsa = rr.tlsa;
 module:log("debug", "TLSA %s %s %s %d bytes of data", tlsa:getUsage(), tlsa:getSelector(), tlsa:getMatchType(), #tlsa.data);
@@ -68,6 +68,7 @@
 -- PKIX-EE or DANE-EE
 if use == 1 or use == 3 then
+supported_found = true
 if select == 0 then
 certdata = pem2der(cert:pem());
@@ -103,7 +104,7 @@
 -- LuaSec does not expose anything for validating a random chain, so DANE-TA is not possible atm
 end
 end
-if not match_found then
+if supported_found and not match_found then
 -- No TLSA matched or response was bogus
 (session.log or module._log)("warn", "DANE validation failed");
 session.cert_identity_status = "invalid";
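Review bot: The rewritten declaration keeps a local named `select`, which shadows Lua's builtin `select` for the rest of the `if choosen.dane then` block; a name like `selector` (`local use, selector, match, tlsa, certdata, match_found, supported_found;`) would avoid that, though its uses in the loop body lie outside this hunk and would need the same rename. The enclosing function starts outside the hunk.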
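Review bot: `supported_found = true` is the only statement in this block without a trailing semicolon, while every surrounding line ends with `;`; `supported_found = true;` keeps the file consistent. Raising the flag only for usages 1 and 3 matches the DANE-TA limitation noted in the third hunk. The enclosing loop body continues outside the hunk.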
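Review bot: With the new condition, a TLSA RRset holding only unsupported usages (0 or 2) now leaves `session.cert_identity_status` untouched, so trust silently falls back to whatever the ordinary certificate check decides, and nothing is logged to say DANE was not enforced. An `elseif not supported_found then` branch before the `end` that closes this `if` (that `end` is outside the hunk), logging something like `(session.log or module._log)("warn", "No supported TLSA records found, DANE not enforced");`, would make the downgrade visible to operators. The comment `-- No TLSA matched or response was bogus` is also now reached only when a supported record existed, so `-- A supported TLSA record existed but none matched, or the response was bogus` describes the branch more precisely.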