# HG changeset patch
# User Kim Alvefur
# Date 1446734311 -3600
# Node ID 1950fa6aa0c0bb7b7d291332b4187d356734daf5
# Parent 7e04ca0aa75708a59fb1da7f38dca8e7af6959f8
mod_s2s_auth_dane: Consider the current certificate chain status before checking PKIX-{EE,CA} TLSA records
diff -r 7e04ca0aa757 -r 1950fa6aa0c0 mod_s2s_auth_dane/mod_s2s_auth_dane.lua
--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Thu Nov 05 14:10:11 2015 +0100
+++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Thu Nov 05 15:38:31 2015 +0100
@@ -267,8 +267,8 @@
 local use = tlsa.use;
 if enabled_uses:contains(use) then
- -- PKIX-EE or DANE-EE
- if use == 1 or use == 3 then
+ -- DANE-EE or PKIX-EE
+ if use == 3 or (use == 1 and session.cert_chain_status == "valid") then
 -- Should we check if the cert subject matches?
 local is_match = one_dane_check(tlsa, cert);
 if is_match ~= nil then
@@ -284,7 +284,8 @@
 match_found = true;
 break;
 end
- elseif use == 0 or use == 2 then
+ -- DANE-TA or PKIX-CA
+ elseif use == 2 or (use == 0 and session.cert_chain_status == "valid") then
 supported_found = true;
 local chain = session.conn:socket():getpeerchain();
 for c = 1, #chain do
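Review bot: The new condition on the `if use == 3 or (use == 1 and session.cert_chain_status == "valid") then` line silently drops a PKIX-EE record whenever the chain has not validated: `enabled_uses:contains(use)` is true but neither branch runs, so as far as this hunk shows the record is neither matched nor counted as supported, and a reader cannot tell that this is deliberate. The rewritten comment should state the reason, e.g. `-- DANE-EE, or PKIX-EE only when the presented chain already passed PKIX validation (RFC 6698 usage 1)`, and the `-- DANE-TA or PKIX-CA` comment in the second hunk needs the same qualifier. It would also help to record, near the first use, where `session.cert_chain_status` is expected to be set (presumably by the core s2s certificate check that runs before this module), since a missing or differently spelled value turns every PKIX-* record into a no-op without any log line. The enclosing loop and function start and end outside the hunk.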
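Review bot: For usage 0 (PKIX-TA) the `elseif` branch goes on to walk `session.conn:socket():getpeerchain()`, which is the chain the peer sent rather than the path that was validated; a trust anchor that exists only in the local store and is not included by the peer will then never match, even though `cert_chain_status` is `"valid"`, a limitation RFC 7671 discusses for the trust-anchor usages. A short comment on the `local chain = session.conn:socket():getpeerchain();` line would make that visible, e.g. `-- peer-sent chain only: a TA absent from it cannot match a usage-0/2 record`. The loop body continues outside the hunk, so whether the validated path is consulted elsewhere cannot be confirmed from this change.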