Software /
code /
prosody-modules
Comparison
mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 1944:1950fa6aa0c0
mod_s2s_auth_dane: Consider the current certificate chain status before checking PKIX-{EE,CA} TLSA records
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Thu, 05 Nov 2015 15:38:31 +0100 |
parent | 1943:7e04ca0aa757 |
child | 1951:7974a24d29b6 |
comparison
equal
deleted
inserted
replaced
1943:7e04ca0aa757 | 1944:1950fa6aa0c0 |
---|---|
265 local tlsa = dane[i].tlsa; | 265 local tlsa = dane[i].tlsa; |
266 module:log("debug", "TLSA #%d: %s", i, tostring(tlsa)) | 266 module:log("debug", "TLSA #%d: %s", i, tostring(tlsa)) |
267 local use = tlsa.use; | 267 local use = tlsa.use; |
268 | 268 |
269 if enabled_uses:contains(use) then | 269 if enabled_uses:contains(use) then |
270 -- PKIX-EE or DANE-EE | 270 -- DANE-EE or PKIX-EE |
271 if use == 1 or use == 3 then | 271 if use == 3 or (use == 1 and session.cert_chain_status == "valid") then |
272 -- Should we check if the cert subject matches? | 272 -- Should we check if the cert subject matches? |
273 local is_match = one_dane_check(tlsa, cert); | 273 local is_match = one_dane_check(tlsa, cert); |
274 if is_match ~= nil then | 274 if is_match ~= nil then |
275 supported_found = true; | 275 supported_found = true; |
276 end | 276 end |
282 -- for usage 1, PKIX-EE, the chain has to be valid already | 282 -- for usage 1, PKIX-EE, the chain has to be valid already |
283 end | 283 end |
284 match_found = true; | 284 match_found = true; |
285 break; | 285 break; |
286 end | 286 end |
287 elseif use == 0 or use == 2 then | 287 -- DANE-TA or PKIX-CA |
288 elseif use == 2 or (use == 0 and session.cert_chain_status == "valid") then | |
288 supported_found = true; | 289 supported_found = true; |
289 local chain = session.conn:socket():getpeerchain(); | 290 local chain = session.conn:socket():getpeerchain(); |
290 for c = 1, #chain do | 291 for c = 1, #chain do |
291 local cacert = chain[c]; | 292 local cacert = chain[c]; |
292 local is_match = one_dane_check(tlsa, cacert); | 293 local is_match = one_dane_check(tlsa, cacert); |