changeset 1951:7974a24d29b6

mod_s2s_auth_dane: Consider TLSA records with PKIX uses as supported (if enabled) even if the chain is invalid (if no match is found the session is considered insecure)
author Kim Alvefur <zash@zash.se>
date Mon, 16 Nov 2015 18:03:41 +0100
parents f118e419a712
children 9d0c33ebbcc5
files mod_s2s_auth_dane/mod_s2s_auth_dane.lua
diffstat 1 files changed, 15 insertions(+), 5 deletions(-) [+]
line wrap: on
line diff
--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua	Sat Nov 14 14:36:07 2015 +0100
+++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua	Mon Nov 16 18:03:41 2015 +0100
@@ -268,24 +268,28 @@
 
 			if enabled_uses:contains(use) then
 				-- DANE-EE or PKIX-EE
-				if use == 3 or (use == 1 and session.cert_chain_status == "valid") then
+				if use == 3 or use == 1 then
 					-- Should we check if the cert subject matches?
 					local is_match = one_dane_check(tlsa, cert);
 					if is_match ~= nil then
 						supported_found = true;
 					end
+					if is_match and use == 1 and session.cert_chain_status ~= "valid" then
+						-- for usage 1, PKIX-EE, the chain has to be valid already
+						log("debug", "PKIX-EE TLSA matches untrusted certificate");
+						is_match = false;
+					end
 					if is_match then
 						log("info", "DANE validated ok for %s using %s", host, tlsa:getUsage());
 						session.cert_identity_status = "valid";
 						if use == 3 then -- DANE-EE, chain status equals DNSSEC chain status
 							session.cert_chain_status = "valid";
-							-- for usage 1, PKIX-EE, the chain has to be valid already
 						end
 						match_found = true;
 						break;
 					end
 				-- DANE-TA or PKIX-CA
-				elseif use == 2 or (use == 0 and session.cert_chain_status == "valid") then
+				elseif use == 2 or use == 0 then
 					supported_found = true;
 					local chain = session.conn:socket():getpeerchain();
 					for c = 1, #chain do
@@ -294,7 +298,14 @@
 						if is_match ~= nil then
 							supported_found = true;
 						end
-						if is_match and cacert:issued(cert, unpack(chain)) then
+						if is_match and not cacert:issued(cert, unpack(chain)) then
+							is_match = false;
+						end
+						if is_match and use == 0 and session.cert_chain_status ~= "valid" then
+							-- for usage 0, PKIX-CA, identity and chain has to be valid already
+							is_match = false;
+						end
+						if is_match then
 							log("info", "DANE validated ok for %s using %s", host, tlsa:getUsage());
 							if use == 2 then -- DANE-TA
 								session.cert_identity_status = "valid";
@@ -302,7 +313,6 @@
 									session.cert_chain_status = "valid";
 									-- else -- TODO Check against SRV target?
 								end
-								-- for usage 0, PKIX-CA, identity and chain has to be valid already
 							end
 							match_found = true;
 							break;