# HG changeset patch # User Kim Alvefur # Date 1447693421 -3600 # Node ID 7974a24d29b6754e13528d57bf1977aa596f1c4b # Parent f118e419a712699d8d3aabaf464535b1b51821ba mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure) diff -r f118e419a712 -r 7974a24d29b6 mod_s2s_auth_dane/mod_s2s_auth_dane.lua --- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Sat Nov 14 14:36:07 2015 +0100 +++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Mon Nov 16 18:03:41 2015 +0100 @@ -268,24 +268,28 @@ if enabled_uses:contains(use) then -- DANE-EE or PKIX-EE - if use == 3 or (use == 1 and session.cert_chain_status == "valid") then + if use == 3 or use == 1 then -- Should we check if the cert subject matches? local is_match = one_dane_check(tlsa, cert); if is_match ~= nil then supported_found = true; end + if is_match and use == 1 and session.cert_chain_status ~= "valid" then + -- for usage 1, PKIX-EE, the chain has to be valid already + log("debug", "PKIX-EE TLSA matches untrusted certificate"); + is_match = false; + end if is_match then log("info", "DANE validated ok for %s using %s", host, tlsa:getUsage()); session.cert_identity_status = "valid"; if use == 3 then -- DANE-EE, chain status equals DNSSEC chain status session.cert_chain_status = "valid"; - -- for usage 1, PKIX-EE, the chain has to be valid already end match_found = true; break; end -- DANE-TA or PKIX-CA - elseif use == 2 or (use == 0 and session.cert_chain_status == "valid") then + elseif use == 2 or use == 0 then supported_found = true; local chain = session.conn:socket():getpeerchain(); for c = 1, #chain do @@ -294,7 +298,14 @@ if is_match ~= nil then supported_found = true; end - if is_match and cacert:issued(cert, unpack(chain)) then + if is_match and not cacert:issued(cert, unpack(chain)) then + is_match = false; + end + if is_match and use == 0 and session.cert_chain_status ~= "valid" then + -- for usage 0, PKIX-CA, identity and chain has to be valid already + is_match = false; + end + if is_match then log("info", "DANE validated ok for %s using %s", host, tlsa:getUsage()); if use == 2 then -- DANE-TA session.cert_identity_status = "valid"; @@ -302,7 +313,6 @@ session.cert_chain_status = "valid"; -- else -- TODO Check against SRV target? end - -- for usage 0, PKIX-CA, identity and chain has to be valid already end match_found = true; break;