diff mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 1344:47d3c1c8a176

mod_s2s_auth_dane: Only invalidate trust if we found any supported DANE records
author Kim Alvefur <zash@zash.se>
date Tue, 11 Mar 2014 21:13:40 +0100
parents 50555c2ccbcd
children 52b419885f0a
--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua	Tue Mar 11 18:44:01 2014 +0100
+++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua	Tue Mar 11 21:13:40 2014 +0100
@@ -60,7 +60,7 @@
 	local srv_choice = session.srv_choice;
 	local choosen = srv_hosts and srv_hosts[srv_choice] or session;
 	if choosen.dane then
-		local use, select, match, tlsa, certdata, match_found;
+		local use, select, match, tlsa, certdata, match_found, supported_found;
 		for i, rr in ipairs(choosen.dane) do
 			tlsa = rr.tlsa;
 			module:log("debug", "TLSA %s %s %s %d bytes of data", tlsa:getUsage(), tlsa:getSelector(), tlsa:getMatchType(), #tlsa.data);
@@ -68,6 +68,7 @@
 
 			-- PKIX-EE or DANE-EE
 			if use == 1 or use == 3 then
+				supported_found = true
 
 				if select == 0 then
 					certdata = pem2der(cert:pem());
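Review bot: The added `supported_found = true` drops the trailing semicolon that every surrounding statement in this hunk uses (`tlsa = rr.tlsa;`, `certdata = pem2der(cert:pem());`), so the file's statement style becomes inconsistent; write it as `supported_found = true;`. The flag is only ever set on the usage 1 / usage 3 branch, which matches the later condition, so no functional change is needed here. The enclosing for-loop and function start outside this hunk.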
@@ -103,7 +104,7 @@
 				-- LuaSec does not expose anything for validating a random chain, so DANE-TA is not possible atm
 			end
 		end
-		if not match_found then
+		if supported_found and not match_found then
 			-- No TLSA matched or response was bogus
 			(session.log or module._log)("warn", "DANE validation failed");
 			session.cert_identity_status = "invalid";
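Review bot: With the new condition a host whose TLSA records are all of an unsupported usage (only usage 1 and 3 set `supported_found`, per the earlier hunk) now leaves `cert_identity_status` untouched without any log line, so an operator cannot tell that DANE was present but not enforced for that session. Unless a branch below the hunk already covers it, adding `elseif not supported_found then (session.log or module._log)("info", "DANE records found but none of a supported usage; DANE not enforced");` would make the silent fall-through visible. The `if choosen.dane` block and the enclosing function continue past the end of this hunk, so I cannot see whether such a branch exists.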