Comparison

mod_s2s_auth_dane/mod_s2s_auth_dane.lua @ 1757:d011b87b7f58

mod_s2s_auth_dane: Validate names of DANE-TA certs
author Kim Alvefur <zash@zash.se>
date Thu, 21 May 2015 10:28:02 +0200
parent 1701:9b429fc9e8a0
child 1758:7ba877e2d660
comparison
equal deleted inserted replaced
1756:c619425dafe7 1757:d011b87b7f58
292 end 292 end
293 if is_match and cacert:issued(cert, unpack(chain)) then 293 if is_match and cacert:issued(cert, unpack(chain)) then
294 log("info", "DANE validated ok for %s using %s", host, tlsa:getUsage()); 294 log("info", "DANE validated ok for %s using %s", host, tlsa:getUsage());
295 if use == 2 then -- DANE-TA 295 if use == 2 then -- DANE-TA
296 session.cert_identity_status = "valid"; 296 session.cert_identity_status = "valid";
297 session.cert_chain_status = "valid"; 297 if cert_verify_identity(host, "xmpp-server", cert) then
298 session.cert_chain_status = "valid";
299 -- else -- TODO Check against SRV target?
300 end
298 -- for usage 0, PKIX-CA, identity and chain has to be valid already 301 -- for usage 0, PKIX-CA, identity and chain has to be valid already
299 end 302 end
300 match_found = true; 303 match_found = true;
301 break; 304 break;
302 end 305 end