# HG changeset patch
# User Kim Alvefur
# Date 1402618792 -7200
# Node ID 3944e364ba88d9a03f9f34b9d8539b06494a0b0a
# Parent cdc8f226a284536642cd1eb60512be7915f73670
mod_s2s_auth_dane: Add some more info to log messages
diff -r cdc8f226a284 -r 3944e364ba88 mod_s2s_auth_dane/mod_s2s_auth_dane.lua
--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Thu Jun 12 12:31:50 2014 +0200
+++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Fri Jun 13 02:19:52 2014 +0200
@@ -182,7 +182,7 @@
 local use, tlsa, match_found, supported_found, chain, leafcert, cacert, is_match;
 for i = 1, #dane do
 tlsa = dane[i].tlsa;
- module:log("debug", "TLSA %s %s %s %d bytes of data", tlsa:getUsage(), tlsa:getSelector(), tlsa:getMatchType(), #tlsa.data);
+ module:log("debug", "TLSA #%d %s %s %s %d bytes of data", i, tlsa:getUsage(), tlsa:getSelector(), tlsa:getMatchType(), #tlsa.data);
 use = tlsa.use;
 if enabled_uses:contains(use) then
@@ -194,7 +194,7 @@
 supported_found = true;
 end
 if is_match then
- log("info", "DANE validation successful");
+ log("info", "DANE validated ok using %s", tlsa:getUsage());
 session.cert_identity_status = "valid";
 if use == 3 then -- DANE-EE, chain status equals DNSSEC chain status
 session.cert_chain_status = "valid";
@@ -219,7 +219,7 @@
 break;
 end
 if is_match then
- log("info", "DANE validation successful");
+ log("info", "DANE validated ok using %s", tlsa:getUsage());
 if use == 2 then -- DANE-TA
 session.cert_identity_status = "valid";
 session.cert_chain_status = "valid";
@@ -235,7 +235,11 @@
 end
 if supported_found and not match_found or dane.bogus then
 -- No TLSA matched or response was bogus
- log("warn", "DANE validation failed");
+ local why = "No TLSA matched certificate";
+ if dane.bogus then
+ why = "Bogus: "..tostring(dane.bogus);
+ end
+ log("warn", "DANE validation failed: %s", why);
 session.cert_identity_status = "invalid";
 session.cert_chain_status = "invalid";
 end
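Review bot: The new success message in the hunk at line 194 names the TLSA usage but not which record matched, although the debug line added at line 182 now numbers each record with `i`. Carrying the index into the info message, e.g. `log("info", "DANE validated ok using %s (TLSA #%d)", tlsa:getUsage(), i);`, would let an operator tie an accepted peer certificate to one specific TLSA record without enabling debug logging. The same message is added in the hunk at line 219; the enclosing loops start and end outside both hunks, so confirm `i` is still the `dane` index there before reusing it.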
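Review bot: In the hunk at line 235, `tostring(dane.bogus)` is written to the warn log unmodified, and where that value originates is not visible here. If it is a reason string built by the resolver from DNS response data, it may contain text a remote party influences, so control characters should be stripped before logging, e.g. `why = "Bogus: "..tostring(dane.bogus):gsub("%c", " ");`. Passing `why` as a `%s` argument rather than concatenating it into the format string is right and should stay. The enclosing function begins outside the hunk.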