# HG changeset patch
# User Kim Alvefur
# Date 1394568820 -3600
# Node ID 47d3c1c8a176f70585fa8dadfdfd290c1f73696e
# Parent 7dbde05b48a907c944c3bfd7a35cdbf2abebbe70
mod_s2s_auth_dane: Only invalidate trust if we found any supported DANE records
diff -r 7dbde05b48a9 -r 47d3c1c8a176 mod_s2s_auth_dane/mod_s2s_auth_dane.lua
--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua	Tue Mar 11 18:44:01 2014 +0100
+++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua	Tue Mar 11 21:13:40 2014 +0100
@@ -60,7 +60,7 @@
 local srv_choice = session.srv_choice;
 local choosen = srv_hosts and srv_hosts[srv_choice] or session;
 if choosen.dane then
-local use, select, match, tlsa, certdata, match_found;
+local use, select, match, tlsa, certdata, match_found, supported_found;
 for i, rr in ipairs(choosen.dane) do
 tlsa = rr.tlsa;
 module:log("debug", "TLSA %s %s %s %d bytes of data", tlsa:getUsage(), tlsa:getSelector(), tlsa:getMatchType(), #tlsa.data);
@@ -68,6 +68,7 @@
 
 -- PKIX-EE or DANE-EE
 if use == 1 or use == 3 then
+supported_found = true
 if select == 0 then
 certdata = pem2der(cert:pem());
 
@@ -103,7 +104,7 @@
 -- LuaSec does not expose anything for validating a random chain, so DANE-TA is not possible atm
 end
 end
-if not match_found then
+if supported_found and not match_found then
 -- No TLSA matched or response was bogus
 (session.log or module._log)("warn", "DANE validation failed");
 session.cert_identity_status = "invalid";
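Review bot: In the second hunk `supported_found = true` is set as soon as the usage is 1 or 3, before the selector and matching-type branches that follow (outside the hunk) have established that this particular record can be evaluated at all. If those branches have no case for an unrecognised selector or matching type, such a record is counted as supported yet can never produce a match, so a zone publishing only records with parameters this module cannot handle would now end in "DANE validation failed" rather than being ignored as unusable; consider raising the flag only once the selector and matching type are both known to be handled. As a point of style, the added line also lacks the trailing semicolon every surrounding statement uses: `supported_found = true;`.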
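Review bot: In the third hunk, when TLSA records were present but none had a supported usage, `if supported_found and not match_found then` now skips the block entirely, so nothing is logged and the session silently keeps whatever `cert_identity_status` the preceding PKIX check produced; an operator reading the logs cannot tell that DANE was skipped for this peer. Adding a branch such as `elseif not supported_found then (session.log or module._log)("debug", "DANE records found but none with a supported usage, ignoring");` would make the fallback visible without changing the trust decision. The `if` block's closing `end` lies outside the hunk.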