# HG changeset patch
# User Kim Alvefur
# Date 1394233226 -3600
# Node ID 15912b07737095a90557c771860ce3cded92439b
# Parent 08a0241f5d2c4860aeae8df466555e53b22a0d33
mod_s2s_auth_dane: Implement experimental method for doing DANE with client certificates on s2sin
diff -r 08a0241f5d2c -r 15912b077370 mod_s2s_auth_dane/mod_s2s_auth_dane.lua
--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Fri Mar 07 23:30:34 2014 +0100
+++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Sat Mar 08 00:00:26 2014 +0100
@@ -56,8 +56,8 @@
 local session, cert = event.session, event.cert;
 local srv_hosts = session.srv_hosts;
 local srv_choice = session.srv_choice;
- local choosen = srv_hosts and srv_hosts[srv_choice];
- if choosen and choosen.dane then
+ local choosen = srv_hosts and srv_hosts[srv_choice] or session;
+ if choosen.dane then
 local use, select, match, tlsa, certdata, match_found;
 for i, rr in ipairs(choosen.dane) do
 tlsa = rr.tlsa;
@@ -114,7 +114,7 @@
 local session = event.session;
 local srv_hosts = session.srv_hosts;
 local srv_choice = session.srv_choice;
- if srv_hosts[srv_choice].dane and not session.secure then
+ if (session.dane or srv_hosts and srv_hosts[srv_choice].dane) and not session.secure then
 -- TLSA record but no TLS, not ok.
 -- TODO Optional?
 session:close({
@@ -125,6 +125,25 @@
 return false;
 end
 end);
+ -- DANE for s2sin
+ -- Looks for TLSA at the same QNAME as the SRV record
+ module:hook("stanza/urn:ietf:params:xml:ns:xmpp-tls:starttls", function(event)
+ local origin = event.origin;
+ if not origin.from_host then return end
+ origin.dane = dns_lookup(function(answer)
+ if answer and ( #answer > 0 or answer.bogus ) then
+ origin.dane = answer;
+ for i, tlsa in ipairs(answer) do
+ module:log("debug", "TLSA %s", tostring(tlsa));
+ end
+ else
+ origin.dane = false;
+ end
+ -- "blocking" until TLSA reply, but no race condition
+ end, ("_xmpp-server._tcp.%s"):format(origin.from_host), "TLSA");
+ end, 1);
 end
 function module.unload()
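Review bot: `if choosen.dane then` now treats any truthy `session.dane` as a usable TLSA answer, but on the inbound path `session.dane` is first assigned whatever `dns_lookup` returns and is only replaced by the real answer once the callback fires, so a certificate check that runs before the DNS reply arrives would hand that placeholder to the `ipairs(choosen.dane)` loop and read `rr.tlsa` off entries that are not resource records. The patch's own comment puts "blocking" in quotes, so nothing visible guarantees the ordering; unless `dns_lookup` is known to complete synchronously, the inbound hook should keep the lookup handle elsewhere, e.g. `origin.dane_lookup = dns_lookup(function(answer)`, and assign `origin.dane` only inside the callback, so that a still-pending lookup reads as "no answer yet" here rather than as records. The enclosing certificate-check function starts before this hunk and its handling of a missing match continues after it.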
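Review bot: For inbound sessions the new condition only fires when `session.dane` is already set, and the only place this patch sets it is the starttls hook added in the last hunk, so a peer that never sends `<starttls/>` and authenticates in the clear leaves `session.dane` nil and the "TLSA record but no TLS, not ok" close is never applied to it — the exact downgrade the check exists to stop. The inbound TLSA lookup should be started as soon as the stream header's `from` is known (whatever stream-open event this module already handles), not on starttls, so that by the time this check runs `session.dane` reflects the DNS state regardless of whether TLS was attempted. Separately, `srv_hosts and srv_hosts[srv_choice].dane` still indexes `srv_hosts[srv_choice]` without guarding it against nil, unlike the first hunk; `srv_hosts and srv_hosts[srv_choice] and srv_hosts[srv_choice].dane` would be consistent. The hook this condition belongs to is declared before the hunk, so its event name is not visible here.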
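Review bot: The callback stores any answer with `#answer > 0` as authoritative TLSA data without checking whether the resolver validated it under DNSSEC, even though the same condition already consults `answer.bogus`, so validation state is evidently available; an unsigned or spoofed TLSA set would then become the trust anchor for the peer's certificate, and with usage-3 (DANE-EE) records whoever controls the DNS path can pin an arbitrary certificate for `from_host`. RFC 6698 §4.1 requires TLSA records that are not DNSSEC-validated to be treated as absent. If the resolver exposes a `secure` flag alongside `bogus`, the test should read `if answer and ( (#answer > 0 and answer.secure) or answer.bogus ) then`, with the insecure case falling through to `origin.dane = false`. The comment `-- "blocking" until TLSA reply, but no race condition` should also either state what guarantees the ordering or be dropped, since `origin.dane` is assigned before the callback runs and a reader cannot verify the claim from this code.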