# HG changeset patch
# User Kim Alvefur
# Date 1446729011 -3600
# Node ID 7e04ca0aa75708a59fb1da7f38dca8e7af6959f8
# Parent ff95d983940ca0522f6f276a566a577c3dc04670
mod_s2s_auth_dane: Support servers without SRV records by falling back to port 5269 and the bare hostname for TLSA lookups
diff -r ff95d983940c -r 7e04ca0aa757 mod_s2s_auth_dane/mod_s2s_auth_dane.lua
--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Sun Nov 01 18:12:49 2015 +0100
+++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Thu Nov 05 14:10:11 2015 +0100
@@ -98,12 +98,12 @@
 local n = answer.n or #answer;
 if n == 0 then
- -- No SRV records, we could proceed with the domainname and
- -- default port but that will currently not work properly since
- -- mod_s2s doesn't keep the answer around for that
- return cb(host_session);
- end
- if n == 1 and answer[1].srv.target == '.' then
+ -- No SRV records, synthesize fallback host and port
+ -- this may behave oddly for connections in the other direction if
+ -- mod_s2s doesn't keep the answer around
+ answer[1] = { srv = { target = name, port = 5269 } };
+ n = 1;
+ elseif n == 1 and answer[1].srv.target == '.' then
 return cb(host_session); -- No service ... This shouldn't happen?
 end
 local srv_hosts = { answer = answer };
@@ -162,9 +162,10 @@
 local srv_hosts = host_session.srv_hosts;
 if not ( srv_hosts and srv_hosts.answer and srv_hosts.answer.secure ) then
 return; -- No secure SRV records, fall back to non-DANE mode
+ -- Empty response were not kept by older mod_s2s/s2sout
 end
 -- Do TLSA lookup for currently selected SRV record
- local srv_choice = srv_hosts[host_session.srv_choice];
+ local srv_choice = srv_hosts[host_session.srv_choice or 0] or { target = idna_to_ascii(host_session.to_host), port = 5269 };
 host_session.dane = dns_lookup(function(answer)
 if answer and ((answer.secure and #answer > 0) or answer.bogus) then
 srv_choice.dane = answer;
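Review bot: The synthesized fallback record at `answer[1] = { srv = { target = name, port = 5269 } };` is followed by `n = 1;`, which updates only the local copy; the line above reads `answer.n or #answer`, so if the resolver did set `answer.n` it still reports 0 to anything that re-reads it after this point, and `answer.n = 1;` should accompany the local assignment. The fallback target is `name` here but `idna_to_ascii(host_session.to_host)` in the second hunk; if those two forms ever differ (encoding, trailing dot), the TLSA query name diverges from the name the session is actually matched against, so a comment stating which form `name` is expected to be in, e.g. `-- name is expected in the same ASCII form as the TLSA query name built later (confirm)`, would pin the assumption. The 5269 literal now appears in both hunks and would be clearer as one named constant. The function containing this hunk begins before it and continues after it.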
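Review bot: The new `or { target = idna_to_ascii(host_session.to_host), port = 5269 }` fallback is taken whenever the selected entry is missing, not only in the no-SRV case the first hunk synthesizes, so a stale or out-of-range `host_session.srv_choice` while real SRV records exist would issue the TLSA lookup for the bare hostname and port 5269 even though the connection goes to an SRV target — the resulting TLSA set would then constrain the wrong name and port. Whether mod_s2s can leave `srv_choice` set but unresolvable is outside this hunk, but the fallback is safer if an explicit index that does not resolve aborts instead of guessing: `local srv_choice = srv_hosts[host_session.srv_choice or 0];` / `if not srv_choice and host_session.srv_choice ~= nil then return; end -- stale index: do not guess the TLSA name` / `srv_choice = srv_choice or { target = idna_to_ascii(host_session.to_host), port = 5269 };`. The added comment reads better as `-- Empty responses were not kept by older mod_s2s/s2sout`. The enclosing function starts before this hunk and its callback body continues past it.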