changeset 1757:d011b87b7f58

mod_s2s_auth_dane: Validate names of DANE-TA certs
author Kim Alvefur <zash@zash.se>
date Thu, 21 May 2015 10:28:02 +0200
parents c619425dafe7
children 7ba877e2d660
files mod_s2s_auth_dane/mod_s2s_auth_dane.lua
diffstat 1 files changed, 4 insertions(+), 1 deletions(-) [+]
line wrap: on
line diff
--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua	Tue May 19 23:30:39 2015 +0200
+++ b/mod_s2s_auth_dane/mod_s2s_auth_dane.lua	Thu May 21 10:28:02 2015 +0200
@@ -294,7 +294,10 @@
 							log("info", "DANE validated ok for %s using %s", host, tlsa:getUsage());
 							if use == 2 then -- DANE-TA
 								session.cert_identity_status = "valid";
-								session.cert_chain_status = "valid";
+								if cert_verify_identity(host, "xmpp-server", cert) then
+									session.cert_chain_status = "valid";
+									-- else -- TODO Check against SRV target?
+								end
 								-- for usage 0, PKIX-CA, identity and chain has to be valid already
 							end
 							match_found = true;