diff mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 1335:faf4bd226cad

mod_s2s_auth_dane: Improve logging
author Kim Alvefur <zash@zash.se>
date Sun, 09 Mar 2014 13:43:27 +0100
parents 100da6a5525e
children ae0558230e3d
line wrap: on
line diff
--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua	Sun Mar 09 13:42:36 2014 +0100
+++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua	Sun Mar 09 13:43:27 2014 +0100
@@ -39,9 +39,6 @@
 		srv_hosts[srv_choice].dane = dns_lookup(function(answer)
 			if answer and ( #answer > 0 or answer.bogus ) then
 				srv_hosts[srv_choice].dane = answer;
-				for i, tlsa in ipairs(answer) do
-					module:log("debug", "TLSA %s", tostring(tlsa));
-				end
 			else
 				srv_hosts[srv_choice].dane = false;
 			end
@@ -62,7 +59,7 @@
 		local use, select, match, tlsa, certdata, match_found;
 		for i, rr in ipairs(choosen.dane) do
 			tlsa = rr.tlsa;
-			module:log("debug", "TLSA %s", tostring(tlsa));
+			module:log("debug", "TLSA %s %s %s %d bytes of data", tlsa:getUsage(), tlsa:getSelector(), tlsa:getMatchType(), #tlsa.data);
 			use, select, match, certdata = tlsa.use, tlsa.select, tlsa.match;
 
 			-- PKIX-EE or DANE-EE
@@ -73,7 +70,7 @@
 				elseif select == 1 and cert.pubkey then
 					certdata = pem2der(cert:pubkey()); -- Not supported in stock LuaSec
 				else
-					module:log("warn", "DANE selector %d is unsupported", select);
+					module:log("warn", "DANE selector %s is unsupported", tlsa:getSelector() or select);
 				end
 
 				if match == 1 then
@@ -81,7 +78,7 @@
 				elseif match == 2 then
 					certdata = hashes.sha512(certdata);
 				elseif match ~= 0 then
-					module:log("warn", "DANE match rule %d is unsupported", match);
+					module:log("warn", "DANE match rule %s is unsupported", tlsa:getMatchType() or match);
 					certdata = nil;
 				end
 
@@ -97,7 +94,7 @@
 					break;
 				end
 			else
-				module:log("warn", "DANE %s is unsupported", tlsa:getUsage() or ("usage "..tostring(use)));
+				module:log("warn", "DANE usage %s is unsupported", tlsa:getUsage() or use);
 				-- PKIX-TA checks needs to loop over the chain and stuff
 				-- LuaSec does not expose anything for validating a random chain, so DANE-TA is not possible atm
 			end
@@ -138,9 +135,6 @@
 		origin.dane = dns_lookup(function(answer)
 			if answer and ( #answer > 0 or answer.bogus ) then
 				origin.dane = answer;
-				for i, tlsa in ipairs(answer) do
-					module:log("debug", "TLSA %s", tostring(tlsa));
-				end
 			else
 				origin.dane = false;
 			end