# HG changeset patch
# User Kim Alvefur <zash@zash.se>
# Date 1375526302 -7200
# Node ID 29dcdea3c2be73292fbee3d1faefd8be21475f50
# Parent  ae0fa4d2005da9594f94cd2540c602f9965f0134
mod_s2s_auth_dnssec_srv: Ignore certificates with invalid chains.

diff -r ae0fa4d2005d -r 29dcdea3c2be mod_s2s_auth_dnssec_srv/mod_s2s_auth_dnssec_srv.lua
--- a/mod_s2s_auth_dnssec_srv/mod_s2s_auth_dnssec_srv.lua	Sat Aug 03 01:16:31 2013 +0200
+++ b/mod_s2s_auth_dnssec_srv/mod_s2s_auth_dnssec_srv.lua	Sat Aug 03 12:38:22 2013 +0200
@@ -19,8 +19,8 @@
 module:hook("s2s-check-certificate", function(event)
 	local session, cert = event.session, event.cert;
 
-	if session.cert_identity_status ~= "valid" and session.srv_choice
-	and session.srv_hosts.answer and session.srv_hosts.answer.secure then
+	if session.cert_chain_status == "valid" and session.cert_identity_status ~= "valid"
+	and session.srv_choice and session.srv_hosts.answer and session.srv_hosts.answer.secure then
 		local srv_target = nameprep(to_unicode(session.srv_hosts[session.srv_choice].target:gsub("%.?$","")));
 		(session.log or module._log)("debug", "Comparing certificate with Secure SRV target %s", srv_target);
 		if srv_target and cert_verify_identity(srv_target, "xmpp-server", cert) then