# HG changeset patch # User Kim Alvefur # Date 1394369007 -3600 # Node ID faf4bd226cad7a6f9a4aa39dd5f0ab32e205e018 # Parent 100da6a5525ed98ae6e5270d14ce045c402a2530 mod_s2s_auth_dane: Improve logging diff -r 100da6a5525e -r faf4bd226cad mod_s2s_auth_dane/mod_s2s_auth_dane.lua --- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Sun Mar 09 13:42:36 2014 +0100 +++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Sun Mar 09 13:43:27 2014 +0100 @@ -39,9 +39,6 @@ srv_hosts[srv_choice].dane = dns_lookup(function(answer) if answer and ( #answer > 0 or answer.bogus ) then srv_hosts[srv_choice].dane = answer; - for i, tlsa in ipairs(answer) do - module:log("debug", "TLSA %s", tostring(tlsa)); - end else srv_hosts[srv_choice].dane = false; end @@ -62,7 +59,7 @@ local use, select, match, tlsa, certdata, match_found; for i, rr in ipairs(choosen.dane) do tlsa = rr.tlsa; - module:log("debug", "TLSA %s", tostring(tlsa)); + module:log("debug", "TLSA %s %s %s %d bytes of data", tlsa:getUsage(), tlsa:getSelector(), tlsa:getMatchType(), #tlsa.data); use, select, match, certdata = tlsa.use, tlsa.select, tlsa.match; -- PKIX-EE or DANE-EE @@ -73,7 +70,7 @@ elseif select == 1 and cert.pubkey then certdata = pem2der(cert:pubkey()); -- Not supported in stock LuaSec else - module:log("warn", "DANE selector %d is unsupported", select); + module:log("warn", "DANE selector %s is unsupported", tlsa:getSelector() or select); end if match == 1 then @@ -81,7 +78,7 @@ elseif match == 2 then certdata = hashes.sha512(certdata); elseif match ~= 0 then - module:log("warn", "DANE match rule %d is unsupported", match); + module:log("warn", "DANE match rule %s is unsupported", tlsa:getMatchType() or match); certdata = nil; end 
@@ -97,7 +94,7 @@ break; end else - module:log("warn", "DANE %s is unsupported", tlsa:getUsage() or ("usage "..tostring(use))); + module:log("warn", "DANE usage %s is unsupported", tlsa:getUsage() or use); -- PKIX-TA checks needs to loop over the chain and stuff -- LuaSec does not expose anything for validating a random chain, so DANE-TA is not possible atm end @@ -138,9 +135,6 @@ origin.dane = dns_lookup(function(answer) if answer and ( #answer > 0 or answer.bogus ) then origin.dane = answer; - for i, tlsa in ipairs(answer) do - module:log("debug", "TLSA %s", tostring(tlsa)); - end else origin.dane = false; end
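Review bot: in the `@@ -62,7 +59,7 @@` hunk the new debug line passes `tlsa:getUsage()`, `tlsa:getSelector()` and `tlsa:getMatchType()` straight into the format string with no fallback, while the later `@@ -73` and `@@ -81` hunks guard the same getters with `or select` / `or match`, which implies they can return nil; a nil argument to a `%s` format will raise in the logger. Use the same fallback here, e.g. `tlsa:getUsage() or use, tlsa:getSelector() or select, tlsa:getMatchType() or match`, and for consistency the usage warning in `@@ -97` could likewise keep the numeric fallback rather than relying on the getter alone.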
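Review bot: the `%d bytes of data` field in the `@@ -62,7 +59,7 @@` hunk uses `#tlsa.data`, which errors if `data` is absent on a record; since the surrounding code already tolerates unsupported selectors and match types, a missing or empty data field deserves the same defensive treatment (`tlsa.data and #tlsa.data or 0`) rather than aborting the verification callback on a malformed TLSA record.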
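Review bot: the `@@ -39,9 +39,6 @@` and `@@ -138,9 +135,6 @@` hunks drop the per-record debug loop in both DNS callbacks, so a lookup that returns an `answer.bogus` result (DNSSEC validation failure) now produces no log line at all, and nothing records how many TLSA records were received before the verification path runs. Keeping one summary line in each callback, for example `module:log("debug", "%d TLSA records, bogus=%s", #answer, tostring(answer.bogus))`, preserves the diagnostic value the removed loop provided without the per-record noise; a bogus answer in particular is worth at least a debug entry, since it is the signal that DANE data was present but could not be trusted.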