changeset 1436:3944e364ba88

mod_s2s_auth_dane: Add some more info to log messages
author Kim Alvefur <zash@zash.se>
date Fri, 13 Jun 2014 02:19:52 +0200
parents cdc8f226a284
children 161bbe0b9dd3
files mod_s2s_auth_dane/mod_s2s_auth_dane.lua
diffstat 1 files changed, 8 insertions(+), 4 deletions(-) [+]
--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua	Thu Jun 12 12:31:50 2014 +0200
+++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua	Fri Jun 13 02:19:52 2014 +0200
@@ -182,7 +182,7 @@
 		local use, tlsa, match_found, supported_found, chain, leafcert, cacert, is_match;
 		for i = 1, #dane do
 			tlsa = dane[i].tlsa;
-			module:log("debug", "TLSA %s %s %s %d bytes of data", tlsa:getUsage(), tlsa:getSelector(), tlsa:getMatchType(), #tlsa.data);
+			module:log("debug", "TLSA #%d %s %s %s %d bytes of data", i, tlsa:getUsage(), tlsa:getSelector(), tlsa:getMatchType(), #tlsa.data);
 			use = tlsa.use;
 
 			if enabled_uses:contains(use) then
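Review bot: The rewritten debug line at the top of this hunk still goes through `module:log`, while every other message this commit touches uses the `log` alias; if `log` is the module's logger alias (its definition is outside the hunk), `log("debug", "TLSA #%d %s %s %s %d bytes of data", i, tlsa:getUsage(), tlsa:getSelector(), tlsa:getMatchType(), #tlsa.data);` would keep the logging style uniform and make it easier to filter all DANE messages together. The enclosing function starts before this hunk and continues after it.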
@@ -194,7 +194,7 @@
 						supported_found = true;
 					end
 					if is_match then
-						log("info", "DANE validation successful");
+						log("info", "DANE validated ok using %s", tlsa:getUsage());
 						session.cert_identity_status = "valid";
 						if use == 3 then -- DANE-EE, chain status equals DNSSEC chain status
 							session.cert_chain_status = "valid";
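Review bot: The new success message here is byte-identical to the one added in the third hunk (line `log("info", "DANE validated ok using %s", tlsa:getUsage());`), so an operator reading the log cannot tell which of the two validation paths accepted the certificate. Since the first hunk already prints the record index `i` for each TLSA record, carrying it into the success message, `log("info", "DANE validated ok using TLSA #%d %s", i, tlsa:getUsage());`, would tie the outcome back to the specific record that matched; this assumes both success branches sit inside the `for i = 1, #dane` loop shown in the first hunk, which the hunk boundaries do not confirm. The enclosing function starts and ends outside this hunk.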
@@ -219,7 +219,7 @@
 							break;
 						end
 						if is_match then
-							log("info", "DANE validation successful");
+							log("info", "DANE validated ok using %s", tlsa:getUsage());
 							if use == 2 then -- DANE-TA
 								session.cert_identity_status = "valid";
 								session.cert_chain_status = "valid";
@@ -235,7 +235,11 @@
 		end
 		if supported_found and not match_found or dane.bogus then
 			-- No TLSA matched or response was bogus
-			log("warn", "DANE validation failed");
+			local why = "No TLSA matched certificate";
+			if dane.bogus then
+				why = "Bogus: "..tostring(dane.bogus);
+			end
+			log("warn", "DANE validation failed: %s", why);
 			session.cert_identity_status = "invalid";
 			session.cert_chain_status = "invalid";
 		end
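Review bot: The failure reason built in the new `why` variable drops the information that would help an operator decide whether the failure is a misconfiguration or a tampered DNS answer: it names neither how many TLSA records were evaluated nor, when `dane.bogus` is merely a boolean flag, anything beyond `Bogus: true` (the type of `dane.bogus` is not visible in the hunk, so this depends on how the resolver sets it). Including the record count, `log("warn", "DANE validation failed: %s (%d TLSA records)", why, #dane);`, is cheap and grounded in the existing `#dane` loop bound. Note that the condition `supported_found and not match_found or dane.bogus` is unchanged by this commit and parses as `(supported_found and not match_found) or dane.bogus`, so the "No TLSA matched certificate" text is only reached via the first operand. The enclosing function starts before this hunk.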